Here is the userspace patch I used to test the kernel filterkey
patch.

I have applied the filterkey patch to audit 1.2.3-1 and am receiving
some strange dispatch events. Look at the auid below:

Jun 26 08:42:58 otslab11 user_actions[2559]: type=1300, payload size=283
Jun 26 08:42:58 otslab11 user_actions[2559]:
data="audit(1151325777.277:54): arch=40000003 syscall=5 success=yes
exit=3 a0=bfea0c58 a1=8000 a2=0 a3=8000 items=1 ppid=2329 pid=2578
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="cat" exe="/bin/cat"
subj=user_u:system_r:unconfined_t:s0
key=(null)"
Jun 26 08:42:58 otslab11 user_actions[2559]: type=1307, payload size=38
Jun 26 08:42:58 otslab11 user_actions[2559]:
data="audit(1151325777.277:54): cwd="/root""
Jun 26 08:42:58 otslab11 user_actions[2559]: type=1302, payload size=146
Jun 26 08:42:58 otslab11 user_actions[2559]:
data="audit(1151325777.277:54): item=0 name="/tmp/test.c" inode=5358299
dev=03:02 mode=0100666 ouid=500 ogid=500 rdev=00:00
obj=user_u:object_r:tmp_t:s0"

I haven't determined how to assign a key to a rule yet (maybe that is
part of the problem).

I am using the 2.6.17-1.2293.2.2_FC6.lspp.38.i686 kernel.

Steve