From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: [PATCH] Add End of Event record
Date: Thu, 27 Sep 2007 17:39:57 -0400
Message-ID: <200709271739.58888.sgrubb@redhat.com>
References: <200709270916.43149.sgrubb@redhat.com>
	<1190911815.15596.43.camel@finch.boston.redhat.com>
	<C482FF98AE985A47B8C982FD429C9E3401370F33@daytonmsg2k3.AERO.BALL.COM>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <C482FF98AE985A47B8C982FD429C9E3401370F33@daytonmsg2k3.AERO.BALL.COM>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: "Todd, Charles" <CTODD@ball.com>
List-Id: linux-audit@redhat.com

On Thursday 27 September 2007 13:18:35 Todd, Charles wrote:
> 3. Administrative records are passed, perhaps at dispatchers startup and
> at the start of a file when rotated, that documents which version of
> auditd, uname -r, output of gnu_get_libc_version(), and the local system
> date/time.

I updated the DAEMON_START record to be like this:

type=DAEMON_START msg=audit(09/27/2007 13:18:04.858:8081) : auditd start, 
ver=1.6.3 format=raw kernel=2.6.23-0.202.rc8.fc8 auid=root pid=28173 
res=success

So, 1.6.3 and later will have the kernel version & release.

-Steve