From: Keith Kaple
Subject: open() syscall and success=0 question
Date: Tue, 13 May 2008 10:13:53 -0400
Message-ID: <20080513141353.GB4939@cisco.com>
To: linux-audit@redhat.com

Hi,

I'm fairly new to auditd, I just want to make sure I understand this correctly. The "unsuccessful opens" manpage example was recently changed from:

  auditctl -a exit,always -S open -F success!=0

to

  auditctl -a exit,always -S open -F success=0

The logic of 'success' is defined as:

  success  If the exit value is >= 0 this is true/yes otherwise it's false/no.
           When writing a rule, use a 1 for true/yes and a 0 for false/no

So, for open() returning a positive number that is the file descriptor which the process will read/write from and thus success is true or 1. When open fails, the open() manpage says it will return -1 so that will make success false or 0.

When success is false, auditd seems to use the negated value of ERRNO to populate the exit= field, is that correct?

So a rule such as:

  auditctl -a exit,always -S open -F success=0 -F exit=-13

Would log only permission related failures, correct?

thanks,
Keith

--
Cisco GGSG VoIP
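As an added illustration of the success/exit semantics Keith is asking about (example code written for this archive page, not part of the original message or of the audit project), the script below models how a SYSCALL record's exit= field relates to errno and applies the filters of a rule like `-S open -F success=0 -F exit=-13` to a handful of constructed audit records. The record lines, the pids and the timestamps are made up for the example; the key=value record layout, the x86_64 syscall numbers (2 = open, 257 = openat) and the errno values come from the kernel and libc headers.

```python
"""Model of auditd's success=/exit= semantics, run over constructed records.

exit= carries the value the kernel returned for the syscall.  Userspace sees
open() return -1 with errno set, but the kernel actually returns -errno, and
that negative number is what the audit record stores.  success= is derived
from it: yes when exit >= 0, no otherwise.
"""
import errno
import shlex

# x86_64 syscall numbers relevant here (from the kernel's unistd tables).
SYSCALL_NAMES = {2: "open", 257: "openat"}


def audit_exit(ret, err):
    """Value the exit= field would hold for a syscall that returned `ret`
    to userspace with errno `err` (only meaningful when ret < 0)."""
    return ret if ret >= 0 else -err


def audit_success(exit_value):
    """success= is yes when the exit value is >= 0, otherwise no."""
    return exit_value >= 0


def errno_name(exit_value):
    """Map a negative exit= back to its errno symbol, e.g. -13 -> EACCES."""
    if exit_value >= 0:
        return None
    return errno.errorcode.get(-exit_value, "EUNKNOWN")


def parse_record(line):
    """Split one 'type=SYSCALL msg=audit(...): k=v k=v ...' line into a dict.
    Values may be quoted (comm="cat"), so shlex handles the splitting."""
    fields = {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
    return fields


def rule_matches(rec, syscall="open", success=None, exit_value=None):
    """Apply the -S / -F success= / -F exit= filters of an auditctl rule
    to a parsed SYSCALL record.  success follows auditctl's 1/0 convention."""
    if SYSCALL_NAMES.get(int(rec["syscall"])) != syscall:
        return False
    rec_exit = int(rec["exit"])
    if success is not None and audit_success(rec_exit) != bool(success):
        return False
    if exit_value is not None and rec_exit != exit_value:
        return False
    return True


# Constructed sample records (not real audit output); only the fields the
# filters look at need to be realistic.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1210688033.321:101): arch=c000003e syscall=2 '
    'success=yes exit=3 pid=4242 uid=500 comm="cat" exe="/bin/cat" key=(null)',
    'type=SYSCALL msg=audit(1210688034.115:102): arch=c000003e syscall=2 '
    'success=no exit=-13 pid=4243 uid=500 comm="cat" exe="/bin/cat" key="open-fail"',
    'type=SYSCALL msg=audit(1210688035.008:103): arch=c000003e syscall=2 '
    'success=no exit=-2 pid=4244 uid=500 comm="ls" exe="/bin/ls" key="open-fail"',
    'type=SYSCALL msg=audit(1210688036.770:104): arch=c000003e syscall=257 '
    'success=no exit=-13 pid=4245 uid=500 comm="vim" exe="/usr/bin/vim" key=(null)',
]


def select(lines, **rule):
    """Return (comm, exit, errno symbol) for every record the rule matches."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rule_matches(rec, **rule):
            ex = int(rec["exit"])
            hits.append((rec["comm"], ex, errno_name(ex)))
    return hits


if __name__ == "__main__":
    # The rule from the post: -S open -F success=0 -F exit=-13
    for hit in select(SAMPLE_RECORDS, syscall="open", success=0, exit_value=-13):
        print(hit)
```

Running it shows the `-F exit=-13` rule picking out only the EACCES failure of open(2); dropping the exit filter also returns the ENOENT record, and the openat(2) failure is never matched by `-S open`. That last point is the practical caveat: on current glibc the open() library call is issued as the openat syscall, so a rule that names only `open` can miss the failures it was meant to catch, and both syscalls are normally listed.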