From: Brian LaMere
Subject: Re: no logging of successful events?
Date: Mon, 18 Aug 2008 12:39:01 -0700
Message-ID: <1219088341.6522.24.camel@orpheus.clinicomp.com>
In-Reply-To: <200808181518.34373.sgrubb@redhat.com>
References: <1219086574.6522.8.camel@orpheus.clinicomp.com> <200808181518.34373.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

(boo for me not hitting reply-all before)

Fair enough, I was just going by the man page, which says:

" To see unsuccessful open call's:
  auditctl -a exit,always -S open -F success!=0"

So am I just not understanding the man page well? Clearly I'll have to take your word for it, you being the maintainer for RH and all, but it might be the man page itself causing the confusion for lots of people. Note that I actually got the line from the DoD requirements, which give that line - if that line isn't present, then they determine that "the audit system is not configured to audit failed attempts to access files and programs."

If you're curious, the linux audit requirements in the DoD are publicly available at http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1-13_20080715.ZIP The specific control is defined in PDI GEN002720. They have several mistakes in that section (the HPUX stuff is wrong too) so I wouldn't be remotely surprised to find there is an issue with the linux section.

And I just noticed that my example audit rules don't have the -F... on the systems where it is a problem, the -F is there.

On Mon, 2008-08-18 at 15:18 -0400, Steve Grubb wrote:
> On Monday 18 August 2008 15:09:34 Brian LaMere wrote:
> > So...why is it that "LIST_RULES: exit,always success!=0 syscall=open"
> > doesn't disregard the successful calls?
>
> Because that means log the successful calls. If you only want the unsuccessful
> calls, I'd suggest success = 0. Its easy to confuse the success field with
> exits codes which return 0 for success. This question pops up every now and
> again. :)
>
> -Steve
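The mix-up in this thread is that the `success` field of an audit rule is a boolean on the syscall outcome (1 = succeeded, 0 = failed), not the syscall's return value, so `-F success!=0` selects the successful calls and `-F success=0` the failed ones. The following is an added shell example, not code from the thread, from the audit project or from the STIG: it puts the rule quoted from the man page next to the one that matches its stated intent, classifies rule lines by what they would actually log, rewrites the inverted filter, and counts failed calls in a constructed excerpt of audit.log (the `success=no exit=-13` form of SYSCALL records, where `exit=` carries the negative errno). The rule strings, the `open-fail` key and the log lines are all constructed for the example.

```bash
#!/bin/sh
# Added example (not from the linux-audit thread or the audit project).
# In an audit rule, `success` is a boolean on the syscall outcome:
#   1 = the call succeeded, 0 = it failed.
# It is NOT the syscall's return value, so:
#   -F success!=0  ->  matches successful calls
#   -F success=0   ->  matches failed calls

# Rule quoted from the man page / STIG text: logs only *successful* opens.
RULE_FROM_STIG='-a exit,always -S open -F success!=0'
# Rule that matches the stated intent ("audit failed attempts"): failed opens only.
RULE_FAILED_ONLY='-a exit,always -S open -F success=0'

# classify_rule RULE
# Prints what a rule's success filter actually selects:
# "failed-only", "success-only", or "all" (no success filter at all).
classify_rule() {
    case "$1" in
        *"-F success=0"*|*"-F success!=1"*) echo failed-only ;;
        *"-F success=1"*|*"-F success!=0"*) echo success-only ;;
        *) echo all ;;
    esac
}

# fix_rule RULE
# Rewrites the inverted filter so the rule logs failures instead of successes.
fix_rule() {
    printf '%s\n' "$1" | sed 's/-F success!=0/-F success=0/'
}

# Constructed audit.log excerpt (x86_64: syscall=2 is open). The record's own
# `success=` field is yes/no; `exit=` holds the return value, -13 = EACCES.
SAMPLE_LOG='type=SYSCALL msg=audit(1219088341.652:101): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0 a1=0 a2=0 items=1 ppid=1 pid=6522 auid=500 uid=500 comm="cat" exe="/bin/cat" key="open-fail"
type=SYSCALL msg=audit(1219088341.700:102): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0 a1=0 a2=0 items=1 ppid=1 pid=6523 auid=500 uid=500 comm="cat" exe="/bin/cat" key="open-fail"'

# count_failed_syscalls < audit.log
# Counts SYSCALL records whose outcome is a failure (success=no).
count_failed_syscalls() {
    awk '/type=SYSCALL/ && /success=no/ { n++ } END { print n + 0 }'
}

# Stand-alone demo: show what each rule really logs and fix the inverted one.
printf '%-45s -> %s\n' "$RULE_FROM_STIG" "$(classify_rule "$RULE_FROM_STIG")"
printf '%-45s -> %s\n' "$RULE_FAILED_ONLY" "$(classify_rule "$RULE_FAILED_ONLY")"
printf 'rewritten: %s\n' "$(fix_rule "$RULE_FROM_STIG")"
printf 'failed syscalls in sample log: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_failed_syscalls)"
```

To check a live system, feed the output of `auditctl -l` through `classify_rule` line by line; any `open`/file-access rule that comes back `success-only` is the one the STIG text would wrongly accept as "auditing failed attempts". When reading the log itself, judge outcome by `success=` and read the errno from `exit=`, never the other way round.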