From mboxrd@z Thu Jan 1 00:00:00 1970
From: Keith Kaple
Subject: Re: open() syscall and success=0 question
Date: Tue, 13 May 2008 10:36:58 -0400
Message-ID: <20080513143657.GC4939@cisco.com>
References: <20080513141353.GB4939@cisco.com> <200805131024.42025.sgrubb@redhat.com>
In-Reply-To: <200805131024.42025.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Thanks Steve,

Can you elaborate a little on EPERM vs. EACCES? Say a normal user tries to cp /etc/passwd and gets "permission denied" in the shell; will exit=-EPERM or -EACCES? I assume there will be an entry for both if perhaps success=0 alone is used..

Keith

On Tue, May 13, 2008 at 10:24:41AM -0400, Steve Grubb wrote:
> On Tuesday 13 May 2008 10:13:53 Keith Kaple wrote:
> > When open fails, the open() manpage says it will return -1 so that will make
> > success false or 0. When success is false, auditd seems to use the negated
> > value of ERRNO to populate the exit= field, is that correct?
>
> This is actually done by the kernel, not auditd. But you are correct.
>
> > So a rule such as:
> >
> > auditctl -a exit,always -S open -F success=0 -F exit=-13
> >
> > Would log only permission related failures, correct?
>
> Correct. But that can be reduced to:
>
> auditctl -a exit,always -S open -F exit=-EPERM
>
> Syscall rules affect every single syscall made by every program. So, you want
> the rule to be efficient. In this case, checking the success field is
> redundant.
>
> -Steve

-- 
CISCO GGSG VoIP
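The thread turns on how the kernel encodes a failed open() in the audit SYSCALL record: exit= carries the negated errno, so exit=-13 and the success field describe the same failure. The following is an added example (not code from the thread or from the audit project) that decodes the exit= field of constructed SYSCALL records back to errno names and picks out the permission-related open() failures; the sample records, the key name and the x86_64 syscall number are assumptions.

```python
import errno
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not taken from the thread): one open() denied with
# EACCES (exit=-13), one with EPERM (exit=-1), and one that succeeded (exit=3 is the fd).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1210689417.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3c2e a1=0 a2=1b6 a3=0 items=1 pid=4242 auid=500 uid=500 comm="cp" exe="/bin/cp" key="passwd-access"
type=SYSCALL msg=audit(1210689418.001:457): arch=c000003e syscall=2 success=no exit=-1 a0=7fff3c2e a1=0 a2=1b6 a3=0 items=1 pid=4243 auid=500 uid=500 comm="cat" exe="/bin/cat" key="passwd-access"
type=SYSCALL msg=audit(1210689419.555:458): arch=c000003e syscall=2 success=yes exit=3 a0=7fff3c2e a1=0 a2=1b6 a3=0 items=1 pid=4244 auid=500 uid=500 comm="cat" exe="/bin/cat" key="passwd-access"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into its fields, stripping quotes from quoted values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def exit_errno_name(exit_field: str) -> Optional[str]:
    """Map the kernel's exit= value to an errno name.

    A failed syscall is logged as the negated errno (exit=-13 -> EACCES, exit=-1 -> EPERM);
    a non-negative exit is a success (for open(), the new descriptor) and yields None.
    The errno module supplies the host's errno table, which is assumed to match the log's.
    """
    value = int(exit_field)
    if value >= 0:
        return None
    return errno.errorcode.get(-value, f"errno {-value}")


def permission_failures(log_text: str, syscall_nr: int = 2) -> List[Tuple[str, str]]:
    """Return (comm, errno_name) for every open() denied with EACCES or EPERM.

    syscall_nr=2 is open() on x86_64 (arch=c000003e), the arch used in the sample.
    """
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != str(syscall_nr):
            continue
        name = exit_errno_name(rec["exit"])
        # success=no and a negative exit always coincide; the errno tells the two apart.
        if rec.get("success") == "no" and name in ("EACCES", "EPERM"):
            hits.append((rec["comm"], name))
    return hits


if __name__ == "__main__":
    for comm, name in permission_failures(SAMPLE_AUDIT_LOG):
        print(f"{comm}: open() denied with {name}")
```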