From: Steve Grubb
Subject: Re: [PATCH 1/2] fix a bug that use option '-r' cannot output all unformatted logs
Date: Fri, 15 Aug 2008 14:04:32 -0400
Message-ID: <200808151404.33089.sgrubb@redhat.com>
In-Reply-To: <488FBEA5.4080900@cn.fujitsu.com>
To: Peng Haitao
Cc: audit-list
List-Id: linux-audit@redhat.com

On Tuesday 29 July 2008 21:06:45 Peng Haitao wrote:
> When the watched file is deleted or renamed, the log will be made.
> You can get the result by following steps:
>
> 1. # service auditd start
> 2. # touch temp_file
> 3. # auditctl -w `pwd`/temp_file -k temp_file
> 4. # rm -f temp_file
>
> /var/log/audit/audit.log will contain:
> node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101):
> op=updated rules specifying path="/home/pht/temp_file" with dev=4294967295
> ino=4294967295 list=0 res=1

I am applying a patch that will allow parsing for missing auid fields in
CONFIG_CHANGE records. I think that is the only loose end to tie up on this
bug report.

-Steve
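
A sketch of a log consumer that tolerates the missing auid field in the CONFIG_CHANGE record quoted above. This is an added example, not code from the message or from the audit userspace tools; the function names and the second sample record are constructed for illustration.

```python
import re

# Record quoted in the message above: a CONFIG_CHANGE event with no auid field.
SAMPLE = ('node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101): '
          'op=updated rules specifying path="/home/pht/temp_file" with '
          'dev=4294967295 ino=4294967295 list=0 res=1')
# Constructed record (not from the message) that does carry auid, for comparison.
SAMPLE_WITH_AUID = ('type=CONFIG_CHANGE msg=audit(1217551950.100:97102): '
                    'auid=500 op=remove rule key="temp_file" list=4 res=1')

# Optional node= prefix, then type= and the msg=audit(sec.ms:serial): stamp.
HEADER = re.compile(r'^(?:node=(?P<node>\S+) )?type=(?P<type>\S+) '
                    r'msg=audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):'
                    r'\s*(?P<body>.*)$')
# key=value pairs; a value is either a quoted string or a run of non-space chars.
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit.log line into a dict; auid is None when the field is absent."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line[:40])
    # Free text between pairs ("rules specifying", "with") is skipped, so a
    # multi-word op value keeps only its first word here.
    fields = {k: v.strip('"') for k, v in PAIR.findall(m.group('body'))}
    return {
        'node': m.group('node'),
        'type': m.group('type'),
        'time': float(m.group('sec') + '.' + m.group('ms')),
        'serial': int(m.group('serial')),
        # Do not assume every record names the acting login uid.
        'auid': int(fields['auid']) if 'auid' in fields else None,
        'fields': fields,
    }


def unattributed_config_changes(lines):
    """Return serials of CONFIG_CHANGE records that carry no auid."""
    recs = [parse_record(l) for l in lines]
    return [r['serial'] for r in recs
            if r['type'] == 'CONFIG_CHANGE' and r['auid'] is None]


if __name__ == '__main__':
    print(unattributed_config_changes([SAMPLE, SAMPLE_WITH_AUID]))
```
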