Found (and fixed) ausearch checkpoint bug

Steve Grubb sgrubb at redhat.com
Wed Dec 26 15:23:23 UTC 2018


On Saturday, December 22, 2018 6:01:43 PM EST Burn Alting wrote:
> When running ausearch against a single file with the --checkpoint option,
> the file's device number and inode are not recorded in the resultant
> checkpoint file.
> 
> That is for the most recent released audit package
>    [root@auditdtest audit-userspace]# rpm -q audit
>    audit-3.0-0.5.20181218gitbdb72c0.fc29.x86_64
> 
> We see the error via
>    [root@auditdtest audit-userspace]# rm -f /tmp/checkpoint.txt; ausearch --input /var/log/audit/audit.log.2 --checkpoint /tmp/checkpoint.txt > /dev/null; cat /tmp/checkpoint.txt
>    dev=0x0
>    inode=0
>    output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514
> 
> Which is incorrect. The following is correct.
>    [root@auditdtest audit-userspace]# rm -f /tmp/checkpoint.txt; ./src/.libs/ausearch --input /var/log/audit/audit.log.2 --checkpoint /tmp/checkpoint.txt > /dev/null; cat /tmp/checkpoint.txt
>    dev=0xFD00
>    inode=25326469
>    output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514
>    [root@auditdtest audit-userspace]#
> 
> A Pull Request with the fix has been submitted on github -
> https://github.com/linux-audit/audit-userspace/pull/77

Thanks for finding this and submitting the pull request. It has been applied 
to both branches.

-Steve
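
A checker for the symptom reported above, as an added example that is not part of this thread or of audit-userspace: it parses a checkpoint file in the layout quoted in the report and compares `dev=` and `inode=` with `stat()` of the searched log file. The function names, and the reading of `dev=` as the file's `st_dev`, are assumptions.

```python
import os
import re
import tempfile

# Layout assumed from the checkpoint files quoted in the report:
#   dev=0x<hex> / inode=<decimal> / output=<node> <sec>.<milli>:<serial> 0x<hex>
OUTPUT_RE = re.compile(r"^(\S+) (\d+)\.(\d{3}):(\d+) (0x[0-9A-Fa-f]+)$")

def parse_checkpoint(text):
    """Parse checkpoint text into a dict; raise ValueError on malformed input."""
    fields = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        fields[key] = value
    missing = {"dev", "inode", "output"} - fields.keys()
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    m = OUTPUT_RE.match(fields["output"])
    if not m:
        raise ValueError(f"unexpected output= value: {fields['output']!r}")
    return {"dev": int(fields["dev"], 16), "inode": int(fields["inode"]),
            "node": m.group(1), "sec": int(m.group(2)),
            "milli": int(m.group(3)), "serial": int(m.group(4))}

def check_checkpoint(text, log_path):
    """Return a list of problems found comparing the checkpoint to log_path."""
    cp = parse_checkpoint(text)
    if cp["dev"] == 0 and cp["inode"] == 0:
        return ["dev and inode are both zero (the symptom reported above)"]
    problems = []
    st = os.stat(log_path)
    # Assumption: dev= holds the st_dev value of the searched log file.
    if cp["dev"] != st.st_dev:
        problems.append(f"dev 0x{cp['dev']:X} != st_dev 0x{st.st_dev:X}")
    if cp["inode"] != st.st_ino:
        problems.append(f"inode {cp['inode']} != st_ino {st.st_ino}")
    return problems

# Sample input: the faulty checkpoint as quoted in the report.
BAD = ("dev=0x0\ninode=0\n"
       "output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514\n")

if __name__ == "__main__":
    # A temporary file stands in for the audit log (constructed for the demo).
    with tempfile.NamedTemporaryFile() as log:
        print(check_checkpoint(BAD, log.name))
```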