The res field has a value of 1 instead of either success or fail

Mateusz Piotrowski 0mp at FreeBSD.org
Wed Jul 20 09:25:19 UTC 2016


Hello,

> On 19 Jul 2016, at 12:28, Mateusz Piotrowski <0mp at freebsd.org> wrote:
> 
> type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add rule" key=(null) list=4 res=1
> As you can see, there is a res field whose value is 1.
> 
> Is it because my auditd is outdated? Is there a missing res field which is purely numeric (just like the fields called fp [3])?
> 
> As Steve said in previous emails, it is possible and it might be fixed already. I’ll try to find out if I get similar logs with the latest auditd (2.6.5) on CentOS 6.8-i386 later.

I confirm that it is possible to generate a type=CONFIG_CHANGE record with a res=1 field on CentOS 6.8 with auditd v2.6.5.

Cheers

-m
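
Added example, not part of the original message and not code from the audit project: a small parser that normalizes the res field, so that tooling expecting only success or fail still handles a record like the one quoted above. The mapping of 1/0 to success/fail and the names parse_record, summarize and RES_MAP are assumptions of this example; every sample line except the quoted CONFIG_CHANGE record is constructed.

```python
import re

# SAMPLE[0] is the record quoted in the message; the rest are constructed
# to exercise the textual, numeric-failure and nested msg='...' spellings.
SAMPLE = [
    'type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 '
    'op="add rule" key=(null) list=4 res=1',
    'type=USER_LOGIN msg=audit(1464013700.100:410): pid=812 uid=0 '
    'auid=1000 ses=7 res=failed',
    'type=CONFIG_CHANGE msg=audit(1464013701.002:411): auid=1000 ses=7 '
    'op="remove rule" key="k1" list=4 res=0',
    "type=USER_AUTH msg=audit(1464013702.300:412): pid=900 uid=0 auid=1000 "
    "ses=8 msg='op=PAM:authentication acct=\"alice\" addr=192.0.2.10 res=success'",
]

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: numeric 1/0 mean success/failure.
# Any other spelling is reported as "unknown" rather than guessed.
RES_MAP = {'1': 'success', 'success': 'success', 'yes': 'success',
           '0': 'fail', 'failed': 'fail', 'fail': 'fail', 'no': 'fail'}

def parse_record(line):
    """Split one audit line into header parts and a field dict."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError('not an audit record: %r' % line)
    rtype, ts, serial, body = m.groups()
    # Strip both quote styles so a trailing ' from msg='...' does not stick.
    fields = {k: v.strip('"\'') for k, v in FIELD.findall(body)}
    raw = fields.get('res')
    res = None if raw is None else RES_MAP.get(raw.lower(), 'unknown')
    return {'type': rtype, 'time': float(ts), 'serial': int(serial),
            'fields': fields, 'res_raw': raw, 'res': res}

def summarize(lines):
    """Return (type, serial, raw res, normalized res) for each record."""
    return [(r['type'], r['serial'], r['res_raw'], r['res'])
            for r in map(parse_record, lines)]

if __name__ == '__main__':
    for row in summarize(SAMPLE):
        print(row)
```

Keeping res_raw next to the normalized value lets a consumer count how often the numeric form actually appears in its own logs.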




More information about the Linux-audit mailing list