From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: [Patch]Fix the error in the output of "auditctl -s" when auditd is stoped Date: Thu, 7 Aug 2008 09:54:30 -0400 Message-ID: <200808070954.31543.sgrubb@redhat.com> References: <005e01c8f849$27634f60$958da70a@truly> <1218116377.5837.67.camel@localhost.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: <1218116377.5837.67.camel@localhost.localdomain> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Eric Paris Cc: 'linux-audit' List-Id: linux-audit@redhat.com On Thursday 07 August 2008 09:39:37 Eric Paris wrote: > > =C2=A0 When auditd is stoped, "auditctl -s" will show "pid=3D0". I th= ink it's > > not correct information. It's better to tell users "auditd not starte= d". > > We do try to keep the whole key=3Dvalue pair thing in audit records. =C2= =A0 This is for the display when you type auditctl -s and doesn't have anythi= ng to=20 do with audit records. > I'd be willing to go with something like -1 to make it really clear, bu= t > with the number of complaints about the inconsistencies of audit record= s > from people like John Dennis I'm not sure I'm a fan of this patch.... I don't think that's an issue since this is not in the records. My only=20 concern is what this might do to our test suites. For the moment, I'm jus= t=20 trying to finish off what we will have in RHEL5 without changes to API th= at=20 might cause any regressions in the test suites. Around the time that Fedora 11 work starts, I'd like to start making chan= ges=20 to clean things up and have new ideas. That time is coming soon...but not= =20 yet. -Steve