From mboxrd@z Thu Jan  1 00:00:00 1970
From: Eric Paris <eparis@redhat.com>
Subject: Re: [Patch]Fix the error in the output of "auditctl -s" when
	auditd is stoped
Date: Thu, 07 Aug 2008 09:39:37 -0400
Message-ID: <1218116377.5837.67.camel@localhost.localdomain>
References: <005e01c8f849$27634f60$958da70a@truly>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <005e01c8f849$27634f60$958da70a@truly>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Chu Li <chul@cn.fujitsu.com>
Cc: 'linux-audit' <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Thu, 2008-08-07 at 12:50 +0800, Chu Li wrote:
> Hi Steve,
>   When auditd is stoped, "auditctl -s" will show "pid=0". I think it's not
> correct information. It's better to tell users "auditd not started".

We do try to keep the whole key=value pair thing in audit records.  I'd
be willing to go with something like -1 to make it really clear, but
with the number of complaints about the inconsistencies of audit records
from people like John Dennis I'm not sure I'm a fan of this patch....

-Eric

> Signed-off-by: Chu Li <chul@cn.fujitsu.com>
> ---
> diff --git a/src/auditctl.c b/src/auditctl.c
> index 10894f9..b26dd82 100755
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -1411,12 +1411,15 @@ static int audit_print_reply(struct audit_reply *rep)
>  			printed = 1;
>  			return 0;
>  		case AUDIT_GET:
> -			printf("AUDIT_STATUS: enabled=%d flag=%d pid=%d"
> -			" rate_limit=%d backlog_limit=%d lost=%d backlog=%u\n",
> +			printf("AUDIT_STATUS: enabled=%d flag=%d"
> +			" rate_limit=%d backlog_limit=%d lost=%d backlog=%u ",
>  			rep->status->enabled, rep->status->failure,
> -			rep->status->pid, rep->status->rate_limit,
> -			rep->status->backlog_limit, rep->status->lost,
> -			rep->status->backlog);
> +			rep->status->rate_limit, rep->status->backlog_limit,
> +			rep->status->lost, rep->status->backlog);
> +			if(rep->status->pid != 0)
> +				printf("pid=%d\n", rep->status->pid);
> +			else
> +				printf("auditd_not_started\n");
>  			printed = 1;
>  			return 0;
>  		case AUDIT_LIST:
> 
> Regards
> Chu Li
> 
> 
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit