On 2017-07-13 17:09, Steve Grubb wrote:
> On Thursday, July 13, 2017 4:54:39 PM EDT Richard Guy Briggs wrote:
> > In the process of creating/updating the audit message/record type
> > dictionary, I stumbled on the following two message types missing from
> > ausearch -m text:
> >
> > This one is in the userspace header file. What is its meaning and is it
> > a printable record?
> >
> > AUDIT_DAEMON_RECONFIG,1204,Auditd should reconfigure
>
> This is an internal only message that never gets written to disk. This gets
> changed into DAEMON_CONFIG and that is what is on-disk.

Good, perfect, I'll ignore.

> > This was added to test if a daemon was still listening and should be
> > logged that an attempt was made to replace it.
> >
> > AUDIT_REPLACE,1329,Replace auditd if this probe unanswerd
>
> These are discarded.

Good, ignore again. Just checking. :-)

> -Steve

- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635