no logging of successful events?

Brian LaMere brianl at clinicomp.com
Mon Aug 18 19:49:36 UTC 2008


was using a slightly older manpage, which doesn't include that helpful
clarification :)

Brian

On Mon, 2008-08-18 at 15:25 -0400, Eric Paris wrote:
> On Mon, 2008-08-18 at 15:18 -0400, Steve Grubb wrote:
> > On Monday 18 August 2008 15:09:34 Brian LaMere wrote:
> > > So...why is it that "LIST_RULES: exit,always success!=0 syscall=open"
> > > doesn't disregard the successful calls? 
> > 
> > Because that means log the successful calls. If you only want the unsuccessful 
> > calls, I'd suggest success = 0. It's easy to confuse the success field with 
> > exit codes which return 0 for success. This question pops up every now and 
> > again.  :)
> 
> Isn't that why man auditctl talks about success=no and success=yes?  So you don't have to remember?
> 
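
The distinction discussed in this thread, as an added example that is not part of the original messages: a small Python model (not the audit project's code) of how a `success` rule filter differs from an `exit` filter, run over constructed SYSCALL records. The function names and the sample records are assumptions made for illustration.

```python
import re

# Constructed sample records (not from the thread); syscall=2 is open on x86_64.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1219088976.101:41): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=4101 uid=500 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1219088976.204:42): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=4102 uid=500 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1219088976.350:43): arch=c000003e syscall=2 success=no exit=-2 items=1 pid=4103 uid=500 comm="ls" exe="/bin/ls"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
RULE_RE = re.compile(r'^(success|exit)(!=|=)(-?\d+)$')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def rule_value(record, field):
    """Number that a rule filter on `field` is compared against in this model."""
    if field == "success":
        # success is a boolean: 1 for success=yes, 0 for success=no.
        # It is NOT the return code, where 0 conventionally means "worked".
        return 1 if record["success"] == "yes" else 0
    return int(record["exit"])  # the raw syscall return value


def matches(record, rule_filter):
    """Evaluate a filter such as 'success!=0' or 'exit=-13' against a record."""
    parsed = RULE_RE.match(rule_filter.replace(" ", ""))
    if parsed is None:
        raise ValueError("unsupported filter: %r" % rule_filter)
    field, op, wanted = parsed.groups()
    equal = rule_value(record, field) == int(wanted)
    return equal if op == "=" else not equal


def select(log_text, rule_filter):
    """Return (success, exit) for every SYSCALL record the filter would log."""
    records = [parse_record(line) for line in log_text.splitlines()
               if line.startswith("type=SYSCALL")]
    return [(r["success"], int(r["exit"])) for r in records
            if matches(r, rule_filter)]


if __name__ == "__main__":
    for flt in ("success!=0", "success=0", "exit=-13"):
        print(flt, "->", select(SAMPLE_LOG, flt))
```
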



