From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: minor rule questions Date: Thu, 8 May 2008 13:29:21 -0400 Message-ID: <200805081329.21502.sgrubb@redhat.com> References: <1210266852.6610.39.camel@homeserver> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Return-path: Received: from mail.boston.redhat.com (mail.boston.redhat.com [10.16.255.12]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m48HTtvL027614 for ; Thu, 8 May 2008 13:29:56 -0400 Received: from vpn-10-72.bos.redhat.com (vpn-10-72.bos.redhat.com [10.16.10.72]) by mail.boston.redhat.com (8.13.1/8.13.1) with ESMTP id m48HTnoc016792 for ; Thu, 8 May 2008 13:29:55 -0400 In-Reply-To: <1210266852.6610.39.camel@homeserver> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Thursday 08 May 2008 13:14:12 LC Bruzenak wrote: > MINOR: It appears that there needs to be a space between the "key=3Dxxx= " > and "list=3DN" results from "ausearch -i -ts today": Thanks, added to the TODO file. > I'm sure this one is on startup when the audit.rules file is parsed and > the auditctls all happen.=20 Looks like its from the interpret option of ausearch. > And what does the "list=3DN" part represent?=20 The kernel filter list that the rule was added to.=20 > Would it be the following (i.e. exit): > #define AUDIT_FILTER_EXIT =C2=A0 =C2=A0 =C2=A0 0x04 =C2=A0 =C2=A0/* App= ly rule at syscall exit */ Yes. -Steve