Typo in AUDIT_FEATURE_CHANGE events [was: Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket]

Richard Guy Briggs rgb at redhat.com
Thu Oct 30 15:23:10 UTC 2014


On 14/10/30, Steve Grubb wrote:
> On Thursday, October 30, 2014 10:48:28 AM Richard Guy Briggs wrote:
> > On 14/10/22, Steve Grubb wrote:
> > > Speaking of which, I just found a typo in
> > > AUDIT_FEATURE_CHANGE events.
> > 
> > Just so I don't lose this, what's the problem there?  I don't see a
> > typo, but question the field names.
> > 
> > 	audit_log_format(ab, "feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
> 
> You need to start feature= with a space. For example, see how it gets
> appended to subj=:
> 
> time->Mon Oct 27 16:11:21 2014
> type=FEATURE_CHANGE msg=audit(1414440681.713:17710):  ppid=13599 pid=13618 auid=4294967295
>  uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditctl"
>  exe="/usr/sbin/auditctl" subj=system_u:system_r:auditctl_t:s0feature=loginuid_immutable old=0 new=1 
> old_lock=0 new_lock=1 res=1

Got it, thanks.

> -Steve

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
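
Added example, not part of the original message or of the audit project's code: a naive whitespace-delimited name=value parser run over the record quoted above (joined onto one line), showing that the missing space hides `feature=` inside the `subj=` value and how a log consumer can flag that. The function names, the `EXPECTED` list and the `FIXED` record are constructed for illustration.

```python
# Record quoted in the thread, joined onto one line.
BROKEN = (
    'type=FEATURE_CHANGE msg=audit(1414440681.713:17710): ppid=13599 pid=13618 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm="auditctl" exe="/usr/sbin/auditctl" '
    'subj=system_u:system_r:auditctl_t:s0feature=loginuid_immutable '
    'old=0 new=1 old_lock=0 new_lock=1 res=1'
)
# Constructed: the same record with the leading space before feature= in place.
FIXED = BROKEN.replace('s0feature=', 's0 feature=')

# Field names taken from the audit_log_format() string quoted in the thread.
EXPECTED = ('feature', 'old', 'new', 'old_lock', 'new_lock', 'res')


def parse(record):
    """Split on whitespace, then on the first '=' (assumes no spaces in values)."""
    fields = {}
    for token in record.split():
        name, sep, value = token.partition('=')
        if sep:
            fields[name] = value
    return fields


def fused_fields(record):
    """Fields whose unquoted value still contains '=': two fields ran together."""
    return [(name, value) for name, value in parse(record).items()
            if not value.startswith('"') and '=' in value]


def missing_fields(record):
    """Expected FEATURE_CHANGE fields the parser never saw as their own key."""
    seen = parse(record)
    return [name for name in EXPECTED if name not in seen]


if __name__ == '__main__':
    for label, record in (('broken', BROKEN), ('fixed', FIXED)):
        print(label, 'fused:', fused_fields(record),
              'missing:', missing_fields(record))
```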



