From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Double addition of rule yields two log messages
Date: Fri, 19 May 2006 14:29:18 -0400
Message-ID: <200605191429.18451.sgrubb@redhat.com>
References: <446DE295.8040503@us.ibm.com> <446E0323.4030905@us.ibm.com> <446E0925.1000400@hp.com>
In-Reply-To: <446E0925.1000400@hp.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday 19 May 2006 14:06, Linda Knippers wrote:
> Wow, not very intuitive.  The auditctl manpage talks about lists
> by name (entry, exclude, etc), not by number.

The man pages don't ever talk about the numbers that are behind any of this.

> With the 1.2.1 tools ausearch with the '-i' option doesn't translate the
> number into a name.

Right.

> Does it with the 1.2.2 tools?

No. I have not had time to work on user space tools. The intent is to make it
do that with the -i param.

> Speaking of ausearch, I just noticed that it emits this message:
>
> # /sbin/ausearch -m CONFIG_CHANGE -i
> Warning - freq is non-zero and incremental flushing not selected.

That comes from the config file parser. You've got a problem
in /etc/audit/auditd.conf that should be fixed.

-Steve