[PATCH 1/2] fix a bug that use option '-r' cannot output all unformatted logs

Steve Grubb sgrubb at redhat.com
Fri Aug 15 18:04:32 UTC 2008


On Tuesday 29 July 2008 21:06:45 Peng Haitao wrote:
> When the watched file is deleted or renamed, the log will be made.
> You can get the result by the following steps:
>
> 1. # service auditd start
> 2. # touch temp_file
> 3. # auditctl -w `pwd`/temp_file -k temp_file
> 4. # rm -f temp_file
>
> /var/log/audit/audit.log will contain:
> node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101):
> op=updated rules specifying path="/home/pht/temp_file" with dev=4294967295
> ino=4294967295  list=0 res=1

I am applying a patch that will allow parsing for missing auid fields in 
CONFIG_CHANGE records. I think that is the only loose end to tie up on this 
bug report.

-Steve
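
An added example (not part of the original message and not the audit project's code): a tolerant Python parser for the CONFIG_CHANGE record quoted above, which carries no auid field, plus a check that lists such unattributed records. The names `parse_record` and `unattributed_config_changes` are hypothetical, the second sample line is constructed, and folding bare words such as "rules specifying" into the preceding unquoted value is an assumption of this sketch.

```python
import re

# The record quoted in the message above, joined onto one line.
SAMPLE = ('node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101): '
          'op=updated rules specifying path="/home/pht/temp_file" with '
          'dev=4294967295 ino=4294967295  list=0 res=1')
# Constructed sample: a CONFIG_CHANGE record that does carry auid.
SAMPLE_WITH_AUID = ('type=CONFIG_CHANGE msg=audit(1217551900.100:97000): '
                    'auid=500 ses=1 op=add rule key="temp_file" list=4 res=1')

HEADER = re.compile(r'^(?:node=(?P<node>\S+) )?type=(?P<type>\S+) '
                    r'msg=audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):'
                    r'\s*(?P<body>.*)$')
# Either name=value (value optionally double-quoted) or a bare word.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S*)|(\S+)')

def parse_record(line):
    """Parse one audit record; return None if the header is malformed."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    fields, last = {}, None
    for name, value, bare in TOKEN.findall(m['body']):
        if name:
            fields[name] = value.strip('"')
            # Only unquoted values may absorb following bare words.
            last = None if value.startswith('"') else name
        elif last:
            fields[last] += ' ' + bare
    auid = fields.get('auid', '')
    return {'node': m['node'], 'type': m['type'],
            'serial': int(m['serial']), 'fields': fields,
            # A missing auid is reported as None instead of failing the parse.
            'auid': int(auid) if auid.isdigit() else None}

def unattributed_config_changes(lines):
    """Return (serial, op) for CONFIG_CHANGE records that have no auid."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec['type'] == 'CONFIG_CHANGE' and rec['auid'] is None:
            hits.append((rec['serial'], rec['fields'].get('op')))
    return hits

if __name__ == '__main__':
    print(unattributed_config_changes([SAMPLE, SAMPLE_WITH_AUID]))
```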



