  1. #1
    Linux Enthusiast
    Join Date
    Aug 2006
    Location
    Portsmouth, UK
    Posts
    539

    auditctl - man page confusion


    Am I having a senior moment or is this just confusing:

    The auditctl man page (RHEL 4) states:

    Code:
    success     If  the exit value is >= 0 this is true/yes otherwise its false/no.
                When writing a rule, use a 1 for true/yes and a 0 for false/no
    Which to me means:

    that if the result is equal to 0 or greater, then the test was successful.
    But it also says that if the result is 0 the test failed!!

    The example at the bottom of the man page is:
    Code:
    To see unsuccessful open call's:
    
    -a exit,always -S open -F success!=0
    Which fits general 'c' type logic, non-zero something didn't work.

    I'm having this dilemma because trip(e)wire has a rule that states audit.rules must contain:

    Code:
    auditctl -a exit,always -S open -F success=0
    To catch unsuccessful open attempts, which can be interpreted as correct if you read the man page text.
    However, my gut feeling is that it should indeed be !=
    RHCE #100-015-395
    Please don't PM me with questions as no reply may offend, that's what the forums are for.

  2. #2
    Linux Newbie
    Join Date
    Apr 2007
    Posts
    119
    I am 99% sure that success!=0 is for failed attempts. It has been a while since I did rules though.

    Test it and see for sure?!?

  3. #3
    Linux Enthusiast
    Join Date
    Aug 2006
    Location
    Portsmouth, UK
    Posts
    539
    Hi Mark,

    I have been testing; on these RHEL 4u8 systems it appears to be logging successful opens with !=0.

    I have been chatting with the package maintainer though and there might be a bug in the version I'm running. Also he suggested that the following rules were much better:

    Code:
    -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-1 -F auid>=500 -F auid!=4294967295
    -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-13 -F auid>=500 -F auid!=4294967295
    
    -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-1 -F auid>=500 -F auid!=4294967295
    -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-13 -F auid>=500 -F auid!=4294967295
    Use the arch=32 for 32-bit systems and arch=64 on 64-bit. auditd doesn't select rules according to the bitness of the OS, so putting 64-bit rules on a 32-bit machine and vice versa will cause rule errors rather than the wrong-bitness rules being ignored.

    I'll keep posting as the mud begins to settle and things become clear.
    RHCE #100-015-395
    Please don't PM me with questions as no reply may offend, that's what the forums are for.
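The following is an added example, not code from the thread or from the audit package: it evaluates auditctl-style `-F` filters (`success`, `exit`, `auid`, with the six comparison operators) against constructed SYSCALL records in audit.log format, using the semantics the man page text states (success is 1 when the exit value is >= 0, exit is the raw negative errno on failure, auid 4294967295 means unset). Under those stated semantics `success=0` selects failed calls and `success!=0` selects successful ones, while the maintainer's `exit=-1` / `exit=-13` form matches EPERM and EACCES directly and avoids the success/exit ambiguity entirely. The log lines are constructed samples, not captures from a real system.

```python
import re

# Constructed sample SYSCALL records in audit.log style (not real captures).
# arch=40000003 / syscall=5 is open() on i386; exit is the raw return value.
SAMPLE_LOG = [
    "type=SYSCALL msg=audit(1300000000.001:1): arch=40000003 syscall=5 success=no exit=-13 auid=500 uid=500",
    "type=SYSCALL msg=audit(1300000000.002:2): arch=40000003 syscall=5 success=yes exit=3 auid=500 uid=500",
    "type=SYSCALL msg=audit(1300000000.003:3): arch=40000003 syscall=5 success=no exit=-2 auid=500 uid=500",
    "type=SYSCALL msg=audit(1300000000.004:4): arch=40000003 syscall=5 success=no exit=-1 auid=4294967295 uid=0",
]

# Comparison operators accepted after -F; two-character ones come first so
# that "!=" is not mistaken for "=" when a filter expression is split.
OPS = {
    "!=": lambda a, b: a != b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}

def parse_record(line):
    """Turn one 'key=value ...' SYSCALL line into a dict of the fields filters use."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    rec = {"id": int(re.search(r":(\d+)\)", line).group(1))}
    rec["exit"] = int(fields["exit"])   # negative errno on failure, e.g. -13 = EACCES
    rec["auid"] = int(fields["auid"])   # 4294967295 = login uid never set
    # Man page semantics: success is true (1) when the exit value is >= 0.
    rec["success"] = 1 if fields["success"] == "yes" else 0
    return rec

def parse_filter(expr):
    """Split one -F expression such as 'exit=-13' or 'auid>=500' into (field, op, value)."""
    for op in OPS:  # dict order guarantees the two-character operators are tried first
        if op in expr:
            field, value = expr.split(op, 1)
            return field, op, int(value)
    raise ValueError("unsupported filter: " + expr)

def matching_ids(lines, filters):
    """Return the ids of records for which every -F filter holds (auditctl ANDs them)."""
    parsed = [parse_filter(f) for f in filters]
    hits = []
    for line in lines:
        rec = parse_record(line)
        if all(OPS[op](rec[field], value) for field, op, value in parsed):
            hits.append(rec["id"])
    return hits

if __name__ == "__main__":
    # The maintainer's EACCES rule from the thread, restricted to real login sessions.
    print(matching_ids(SAMPLE_LOG, ["exit=-13", "auid>=500", "auid!=4294967295"]))
```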
