From: Richard Guy Briggs
Subject: Re: Typo in AUDIT_FEATURE_CHANGE events [was: Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket]
Date: Thu, 30 Oct 2014 11:23:10 -0400
Message-ID: <20141030152310.GU20866@madcap2.tricolour.ca>
References: <30ef5c1ba42b52953e5684a0322975c3f0fadc77.1412706089.git.rgb@redhat.com> <6013946.Aa2tVyN0OT@x2> <20141030144828.GO26201@madcap2.tricolour.ca> <2070668.zxhTMm9uh7@x2>
In-Reply-To: <2070668.zxhTMm9uh7@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 14/10/30, Steve Grubb wrote:
> On Thursday, October 30, 2014 10:48:28 AM Richard Guy Briggs wrote:
> > On 14/10/22, Steve Grubb wrote:
> > > Speaking of which, I just found a typo in
> > > AUDIT_FEATURE_CHANGE events.
> >
> > Just so I don't lose this, what's the problem there? I don't see a
> > typo, but question the field names.
> >
> > audit_log_format(ab, "feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
>
> You need to start feature= with a space. For example, see how it gets
> appended to subj=:
>
> time->Mon Oct 27 16:11:21 2014
> type=FEATURE_CHANGE msg=audit(1414440681.713:17710): ppid=13599 pid=13618 auid=4294967295
> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditctl"
> exe="/usr/sbin/auditctl" subj=system_u:system_r:auditctl_t:s0feature=loginuid_immutable old=0 new=1
> old_lock=0 new_lock=1 res=1

Got it, thanks.

> -Steve

- RGB

--
Richard Guy Briggs
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
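
An added example, not part of the original messages and not code from the kernel or the audit userspace tools: a Python sketch of what a whitespace-splitting log consumer sees in the record quoted above, with a check that flags an expected FEATURE_CHANGE key fused into another field's value. The function names and the naive splitting are assumptions; the sample is the record from the thread joined onto one line.

```python
# Added illustration; function names are hypothetical, not audit userspace APIs.

# Keys written by the audit_log_format() call quoted in the thread.
FEATURE_KEYS = ("feature", "old", "new", "old_lock", "new_lock", "res")

# The FEATURE_CHANGE record from the thread, re-joined onto one line.
SAMPLE = (
    'type=FEATURE_CHANGE msg=audit(1414440681.713:17710): ppid=13599 pid=13618 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm="auditctl" exe="/usr/sbin/auditctl" '
    'subj=system_u:system_r:auditctl_t:s0feature=loginuid_immutable old=0 new=1 '
    'old_lock=0 new_lock=1 res=1'
)

# Constructed: the same record with the separating space in place.
FIXED = SAMPLE.replace("s0feature=", "s0 feature=")


def parse_fields(record):
    """Split a record into key=value pairs the way a naive consumer would."""
    fields = {}
    for token in record.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_fused(fields, expected=FEATURE_KEYS):
    """Return (carrier, missing_key) where an absent key hides in a value."""
    hits = []
    for name in expected:
        if name in fields:
            continue  # key parsed normally, nothing to report
        for carrier, value in fields.items():
            if name + "=" in value:
                hits.append((carrier, name))
    return hits


def repair(fields, expected=FEATURE_KEYS):
    """Split each fused value back into the carrier field and the lost key."""
    fixed = dict(fields)
    for carrier, name in find_fused(fields, expected):
        head, _, tail = fixed[carrier].partition(name + "=")
        fixed[carrier], fixed[name] = head, tail
    return fixed


if __name__ == "__main__":
    broken = parse_fields(SAMPLE)
    print(find_fused(broken), repair(broken)["subj"], repair(broken)["feature"])
```

With the record as logged, the consumer loses the feature field entirely and reads a subj value that is not a valid SELinux context, so a rule matching on either field would not fire.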