Found (and fixed) ausearch checkpoint bug
Burn Alting
burn at swtf.dyndns.org
Sat Dec 22 23:01:43 UTC 2018
When running ausearch against a single file with the --checkpoint option, the file's
device number and inode are not recorded in the resultant checkpoint file.
That is for the most recent released audit package:
[root@auditdtest audit-userspace]# rpm -q audit
audit-3.0-0.5.20181218gitbdb72c0.fc29.x86_64
We see the error via
[root@auditdtest audit-userspace]# rm -f /tmp/checkpoint.txt; ausearch --input /var/log/audit/audit.log.2 --checkpoint /tmp/checkpoint.txt > /dev/null; cat /tmp/checkpoint.txt
dev=0x0
inode=0
output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514
Which is incorrect. The following is correct.
[root@auditdtest audit-userspace]# rm -f /tmp/checkpoint.txt; ./src/.libs/ausearch --input /var/log/audit/audit.log.2 --checkpoint /tmp/checkpoint.txt > /dev/null; cat /tmp/checkpoint.txt
dev=0xFD00
inode=25326469
output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514
[root@auditdtest audit-userspace]#
A Pull Request with the fix has been submitted on github -
https://github.com/linux-audit/audit-userspace/pull/77
Regards
Burn
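
The symptom reported above can be checked for on any checkpoint file by comparing its dev= and inode= fields with the log file it was taken from. The script below is an added example, not part of the original post or of audit-userspace; it assumes GNU stat(1) and the three-line checkpoint layout shown in the post, and the function names cp_field and check_checkpoint are hypothetical.

```shell
#!/bin/sh
# Added example (not part of audit-userspace). Assumes GNU stat(1).
# Exit codes: 0 checkpoint matches the log file, 1 dev/inode not recorded
# (the symptom in this report), 2 recorded for a different file, 3 malformed.

# Print the value of the first KEY= line in a checkpoint file.
cp_field() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# check_checkpoint CHECKPOINT_FILE LOG_FILE (runs in a subshell, hence exit).
check_checkpoint() (
    cp=$1; log=$2
    [ -r "$cp" ] && [ -e "$log" ] || { echo "cannot read inputs" >&2; exit 3; }
    dev=$(cp_field dev "$cp")
    inode=$(cp_field inode "$cp")
    # dev must look like 0x<hex> and inode like <decimal>; reject anything
    # else before it reaches shell arithmetic.
    case $dev in 0x?*) hex=${dev#0x} ;; *) hex= ;; esac
    case $hex in ''|*[!0-9A-Fa-f]*) echo "bad dev field" >&2; exit 3 ;; esac
    case $inode in ''|*[!0-9]*) echo "bad inode field" >&2; exit 3 ;; esac

    if [ "$((0x$hex))" -eq 0 ] && [ "$inode" -eq 0 ]; then
        echo "$cp: dev/inode not recorded" >&2; exit 1
    fi
    # stat %D = device number in hex, %i = inode number
    set -- $(stat -c '%D %i' "$log")
    if [ "$((0x$hex))" -ne "$((0x$1))" ] || [ "$inode" -ne "$2" ]; then
        echo "$cp: recorded for a different file than $log" >&2; exit 2
    fi
    echo "$cp: matches $log, resume point: $(cp_field output "$cp")"
)

# Stand-alone use: script.sh /tmp/checkpoint.txt /var/log/audit/audit.log.2
if [ $# -eq 2 ]; then check_checkpoint "$1" "$2"; fi
```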