[PATCH 1/2] fix a bug that use option '-r' cannot output all unformatted logs

Peng Haitao penght at cn.fujitsu.com
Wed Jul 30 01:06:45 UTC 2008


> All records must have auid. That is part of the requirements besides date, 
> time, what happened, and what was the results. 

When the watched file is deleted or renamed, the log will be made.
You can get the result by the following steps:

1. # service auditd start
2. # touch temp_file
3. # auditctl -w `pwd`/temp_file -k temp_file
4. # rm -f temp_file

/var/log/audit/audit.log will contain:
node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101): op=updated rules specifying path="/home/pht/temp_file" with dev=4294967295 ino=4294967295  list=0 res=1

> If that record is missing 
> auid, we need to patch the kernel.
> 
> -Steve
> 
> 

-- 
Regards
Peng Haitao
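
A check for the requirement discussed in this thread, as an added example that is not part of the original message or of the audit project's code: it parses raw audit.log lines and reports records that carry no auid field. The first sample line is the record quoted above; the second is constructed for contrast, and all function names are assumptions.

```python
import re

# Requirement quoted in the thread: every record must carry an auid.
REQUIRED = ("auid",)

# Record header: type=... msg=audit(<epoch.millis>:<serial>):
HEADER = re.compile(
    r"type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
)
# key=value pairs; values are either "quoted" or a run of non-blanks.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE = [
    # Record from the message above (produced by removing a watched file).
    'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101): '
    'op=updated rules specifying path="/home/pht/temp_file" with '
    'dev=4294967295 ino=4294967295  list=0 res=1',
    # Constructed record (not from the page) that does carry an auid.
    'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551950.100:97102): '
    'auid=500 op=updated rules specifying path="/home/pht/temp_file" with '
    'dev=4294967295 ino=4294967295 list=0 res=1',
]

def parse_record(line):
    """Return type, timestamp, serial and fields of one raw line, or None."""
    m = HEADER.search(line)
    if m is None:
        return None
    # Free-text words such as "rules specifying" have no '=' and are skipped.
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    return {"type": m["type"], "ts": float(m["ts"]),
            "serial": int(m["serial"]), "fields": fields}

def records_missing(lines, required=REQUIRED):
    """List (type, serial, missing_keys) for records lacking a required key."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # not an audit record line
        missing = [k for k in required if k not in rec["fields"]]
        if missing:
            findings.append((rec["type"], rec["serial"], missing))
    return findings

if __name__ == "__main__":
    for rtype, serial, missing in records_missing(SAMPLE):
        print(f"serial {serial} type {rtype}: missing {', '.join(missing)}")
```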




More information about the Linux-audit mailing list