
The aureport command has two options that limit the list of displayed events to those that were successful and those that failed. Per the man page:

   --failed
          Only select failed events for processing in the reports. The default is both success and failed events.
   --success
          Only select successful events for processing in the reports. The default is both success and failed events.

What does this mean? Is the failure/success with regard to the actual event (e.g., a syscall that returned non-zero) or does the failure/success apply to auditd and whether or not there was an issue in processing the event?



According to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html#sec-Audit_Events_Fields:

success Records whether a system call was successful or failed.

The same guide provides a quick walkthrough of an auditd event, https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html.

success=no The success field records whether the system call recorded in that particular event succeeded or failed. In this case, the call did not succeed.

However, other events can also be considered failures, such as events where the res field is failed (e.g. USER_LOGIN or CRYPTO_KEY_USER).

res Records the result of the operation that triggered the Audit event.

You can also get a sense of what these events are by running:

sudo aureport -i --failed -e

That will give you a sense of the types of calls/events that are covered, and those (on my system at least) are not just SYSCALLs, but other events (such as the previously mentioned USER_LOGIN, for example).

iwaseatenbyagrue
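The two failure cases the answer names (SYSCALL records with success=no, and user-space records such as USER_LOGIN or CRYPTO_KEY_USER with res=failed) as an added example, not code from the answer or from the audit package: a small Python classifier over constructed audit.log records that selects events the way --failed / --success do. The sample records and their values are made up.

```python
"""Classify Linux audit records as successful or failed the way
aureport --success / --failed select them: kernel SYSCALL records carry
success=yes|no, while user-space records such as USER_LOGIN or
CRYPTO_KEY_USER carry res=success|failed nested inside msg='...'."""
import re

# Constructed sample records (not from a real system); values are invented
# but follow the audit.log key=value layout.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1600000000.100:101): arch=c000003e syscall=2 success=no exit=-13 comm="cat" exe="/usr/bin/cat" key="secrets"
type=SYSCALL msg=audit(1600000000.200:102): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat" key="secrets"
type=USER_LOGIN msg=audit(1600000001.000:103): pid=1200 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.9 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1600000001.500:104): pid=1200 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:aa:bb direction=? spid=1201 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CWD msg=audit(1600000000.100:101): cwd="/home/alice"
"""

# key=value, where value is "double-quoted", 'single-quoted' or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_record(line):
    """Return (type, serial, fields); key=value pairs nested in msg='...' are flattened."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if val.startswith("'"):          # user-space records nest more pairs inside msg='...'
            fields.update({k: v.strip('"') for k, v in KV_RE.findall(val[1:-1])})
        elif key != "msg":               # skip the msg=audit(ts:serial): header itself
            fields[key] = val.strip('"')
    serial = re.search(r"msg=audit\([\d.]+:(\d+)\)", line)
    return fields.get("type"), int(serial.group(1)) if serial else None, fields

def outcome(fields):
    """'success', 'failed', or None when the record carries no outcome field at all."""
    if "success" in fields:              # kernel SYSCALL records
        return "success" if fields["success"] == "yes" else "failed"
    if "res" in fields:                  # USER_LOGIN, CRYPTO_KEY_USER and other user-space records
        return "success" if fields["res"] == "success" else "failed"
    return None

def select_events(log_text, want):
    """Mimic aureport --failed / --success: (type, serial) of every matching record."""
    selected = []
    for line in log_text.splitlines():
        rtype, serial, fields = parse_record(line)
        if outcome(fields) == want:
            selected.append((rtype, serial))
    return selected
```

Records without either field (CWD, PATH and the like) are neither selected nor counted as failures, which matches the man page's description of both options selecting by event outcome rather than by anything auditd did with the record.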