From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com, burn@swtf.dyndns.org
Subject: Re: Found (and fixed) ausearch checkpoint bug
Date: Wed, 26 Dec 2018 10:23:23 -0500
Message-ID: <2102390.3O8jnaZChK@x2>
In-Reply-To: <ffa2dd8f49bef286eeeae6bdd24ef42cf734e419.camel@swtf.dyndns.org>
On Saturday, December 22, 2018 6:01:43 PM EST Burn Alting wrote:
> When running ausearch against a single file with the --checkpoint option,
> the file's device number and inode are not recorded in the resultant
> checkpoint file.
>
> That is for the most recent released audit package
> [root@auditdtest audit-userspace]# rpm -q audit
> audit-3.0-0.5.20181218gitbdb72c0.fc29.x86_64
>
> We see the error via
> [root@auditdtest audit-userspace]# rm -f /tmp/checkpoint.txt; ausearch
> --input /var/log/audit/audit.log.2 --checkpoint /tmp/checkpoint.txt >
> /dev/null; cat /tmp/checkpoint.txt
> dev=0x0
> inode=0
> output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514
>
> Which is incorrect. The following is correct.
> [root@auditdtest audit-userspace]# rm -f
> /tmp/checkpoint.txt; ./src/.libs/ausearch --input
> /var/log/audit/audit.log.2 --checkpoint /tmp/checkpoint.txt > /dev/null;
> cat /tmp/checkpoint.txt
> dev=0xFD00
> inode=25326469
> output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514
> [root@auditdtest audit-userspace]#
>
> A Pull Request with the fix has been submitted on github -
> https://github.com/linux-audit/audit-userspace/pull/77
Thanks for finding this and submitting the pull request. It has been applied
to both branches.
-Steve
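
A check for the symptom reported in this thread, as an added example that is not part of either message or of the audit-userspace code. The function names are hypothetical, and the two sample checkpoint files are the ones quoted in the report; the script assumes a checkpoint with a zero dev or inode should be rejected.

```shell
#!/bin/sh
# Added example; function names are hypothetical. The key names (dev, inode,
# output) and both sample files are the ones shown in the report above.

# Print the value of key $2 in checkpoint file $1 (first match only).
ckpt_field() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# 0 = dev and inode identify a file, 1 = dev or inode is zero (the reported
# symptom), 2 = a field is missing or malformed.
ckpt_check() {
    dev=$(ckpt_field "$1" dev)
    inode=$(ckpt_field "$1" inode)
    out=$(ckpt_field "$1" output)
    hex=${dev#0[xX]}
    [ "$hex" != "$dev" ] || return 2          # dev must carry a 0x prefix
    case $hex in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    case $inode in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$out" ] || return 2
    # All-zero digits mean no file identity was recorded.
    case $hex in *[!0]*) ;; *) return 1 ;; esac
    case $inode in *[!0]*) ;; *) return 1 ;; esac
    return 0
}

# Run the check over the two checkpoint files quoted in the report.
ckpt_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'dev=0x0' 'inode=0' \
        'output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514' > "$d/bad"
    printf '%s\n' 'dev=0xFD00' 'inode=25326469' \
        'output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514' > "$d/good"
    for f in bad good; do
        ckpt_check "$d/$f" && rc=0 || rc=$?
        echo "$f: ckpt_check returned $rc"
    done
    rm -rf "$d"
}
ckpt_demo
```

Running `ckpt_check` on a checkpoint file before a scheduled ausearch run makes the zeroed dev/inode case visible as exit status 1 instead of passing silently.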