From mboxrd@z Thu Jan  1 00:00:00 1970
From: Brian LaMere <brianl@clinicomp.com>
Subject: Re: no logging of successful events?
Date: Mon, 18 Aug 2008 12:49:36 -0700
Message-ID: <1219088976.6522.29.camel@orpheus.clinicomp.com>
References: <1219086574.6522.8.camel@orpheus.clinicomp.com>
	<200808181518.34373.sgrubb@redhat.com>
	<1219087523.15566.111.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1219087523.15566.111.camel@localhost.localdomain>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

was using a slightly older manpage, which doesn't include that helpful
clarification :)

Brian

On Mon, 2008-08-18 at 15:25 -0400, Eric Paris wrote:
> On Mon, 2008-08-18 at 15:18 -0400, Steve Grubb wrote:
> > On Monday 18 August 2008 15:09:34 Brian LaMere wrote:
> > > So...why is it that "LIST_RULES: exit,always success!=0 syscall=open"
> > > doesn't disregard the successful calls? 
> > 
> > Because that means log the successful calls. If you only want the unsuccessful 
> > calls, I'd suggest success = 0. Its easy to confuse the success field with 
> > exits codes which return 0 for success. This question pops up every now and 
> > again.  :)
> 
> Isn't that why man auditctl talks about success=no and success=yes?  So you don't have to remember?
>