On Thursday, October 30, 2014 10:48:28 AM Richard Guy Briggs wrote:
> On 14/10/22, Steve Grubb wrote:
> > Speaking of which, I just found a typo in
> > AUDIT_FEATURE_CHANGE events.
>
> Just so I don't lose this, what's the problem there?  I don't see a
> typo, but question the field names.
>
> 	audit_log_format(ab, "feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
You need to start feature= with a space. For example, see how it gets
appended to subj=:
time->Mon Oct 27 16:11:21 2014
type=FEATURE_CHANGE msg=audit(1414440681.713:17710):  ppid=13599 pid=13618 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditctl" exe="/usr/sbin/auditctl" subj=system_u:system_r:auditctl_t:s0feature=loginuid_immutable old=0 new=1 old_lock=0 new_lock=1 res=1
-Steve
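
An added example, not part of the original message: a small Python check showing what a whitespace-delimited name=value parser makes of the record above, with and without the leading space before feature=. The parser, the fused_fields heuristic and the FIXED record are assumptions made for illustration, not the audit tools' own code.

```python
import re

# Constructed sample: body of the FEATURE_CHANGE record quoted in the message,
# joined onto one line.
FUSED = ('ppid=13599 pid=13618 auid=4294967295 uid=0 gid=0 euid=0 suid=0 '
         'fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 '
         'comm="auditctl" exe="/usr/sbin/auditctl" '
         'subj=system_u:system_r:auditctl_t:s0feature=loginuid_immutable '
         'old=0 new=1 old_lock=0 new_lock=1 res=1')
# The same record as it would read with the leading space added (assumed output).
FIXED = FUSED.replace('s0feature=', 's0 feature=')

# name=value, where the value is a quoted string or a run of non-blank characters.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_fields(body):
    """Return {name: raw_value} as a whitespace-delimited consumer sees the record."""
    return dict(FIELD.findall(body))


def fused_fields(fields):
    """Heuristic (assumption): an unquoted value containing '=' has swallowed
    the start of the following field."""
    return [name for name, raw in fields.items()
            if not raw.startswith('"') and '=' in raw]


if __name__ == '__main__':
    for label, body in (('fused', FUSED), ('fixed', FIXED)):
        fields = parse_fields(body)
        print(label, 'subj    =', fields['subj'])
        print(label, 'feature =', fields.get('feature'))
        print(label, 'suspect =', fused_fields(fields))
```

With the fused record, a search or rule keyed on the feature field finds nothing and the subj value no longer matches the SELinux context.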