auditctl - man page confusion

Am I having a senior moment or is this just confusing?

The auditctl man page (RHEL 4) states:

    success  If the exit value is >= 0 this is true/yes, otherwise it's false/no.
             When writing a rule, use a 1 for true/yes and a 0 for false/no.

Which to me means that if the result is equal to 0 or greater, then the test was successful.

But it also says that if the result is 0 the test failed!!

The example at the bottom of the man page is:

    To see unsuccessful open calls:
    -a exit,always -S open -F success!=0

Which fits general 'c' type logic: non-zero, something didn't work.

I'm having this dilemma because trip(e)wire has a rule that states audit.rules must contain:

    auditctl -a exit,always -S open -F success=0

to catch unsuccessful open attempts, which can be interpreted as correct if you read the man page text.

However, my gut feeling is that it should indeed be !=
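The following is an added example, not part of the post above, showing how auditctl's "success" field relates to a syscall's exit value and which SYSCALL records a rule with "-F success=0" corresponds to. The filter value is 1 when the kernel's exit value is >= 0 and 0 otherwise, so success=0 selects failed calls; the audit log writes the same flag as success=yes/no. The log lines below are constructed for the example and are not real auditd output.

```shell
# Mirror of the man page definition: exit value >= 0 -> success=1, else success=0.
success_flag() {
    if [ "$1" -ge 0 ]; then echo 1; else echo 0; fi
}

# Constructed SYSCALL records (not real log output). Each carries the exit value
# and the success=yes/no field auditd writes for that call; open() returns a
# file descriptor (>= 0) on success and a negative errno (-13 EACCES, -2 ENOENT)
# on failure.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1300000001.000:101): arch=40000003 syscall=5 success=yes exit=3 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1300000002.000:102): arch=40000003 syscall=5 success=no exit=-13 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1300000003.000:103): arch=40000003 syscall=5 success=no exit=-2 comm="less" exe="/usr/bin/less"'

# Records that a rule "-a exit,always -S open -F success=0" would have produced:
# the ones where the syscall failed (success=no, negative exit).
failed_opens() {
    printf '%s\n' "$AUDIT_SAMPLE" | awk '/ success=no /'
}

# Count them so the result can be checked rather than only printed.
count_failed_opens() {
    failed_opens | wc -l | tr -d ' '
}

# Cross-check: recompute the flag from each record's exit value and confirm it
# agrees with the success=yes/no field on the same line.
check_consistency() {
    printf '%s\n' "$AUDIT_SAMPLE" | awk '
        { s = ""; e = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^success=/) s = substr($i, 9)
              if ($i ~ /^exit=/)    e = substr($i, 6) + 0
          }
          want = (e >= 0) ? "yes" : "no"
          if (s != want) bad++ }
        END { print (bad ? "mismatch" : "consistent") }'
}

# The two rule forms as they would be typed (shown as comments, since auditctl
# needs root and a running audit subsystem):
#   auditctl -a exit,always -S open -F success=0   # failed open() calls
#   auditctl -a exit,always -S open -F success=1   # successful open() calls

failed_opens
check_consistency
```

Running the block prints the two failed-open records and "consistent", confirming that the success flag in each record is exactly the sign test on the exit value that the man page describes.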