From: Steve Grubb
Subject: Re: Found (and fixed) ausearch checkpoint bug
Date: Wed, 26 Dec 2018 10:23:23 -0500
Message-ID: <2102390.3O8jnaZChK@x2>
To: linux-audit@redhat.com, burn@swtf.dyndns.org

On Saturday, December 22, 2018 6:01:43 PM EST Burn Alting wrote:
> When running ausearch against a single file with the --checkpoint option,
> the file's device number and inode are not recorded in the resultant
> checkpoint file.
>
> That is for the most recent released audit package
> [root@auditdtest audit-userspace]# rpm -q audit
> audit-3.0-0.5.20181218gitbdb72c0.fc29.x86_64
>
> We see the error via
> [root@auditdtest audit-userspace]# rm -f /tmp/checkpoint.txt; ausearch --input /var/log/audit/audit.log.2 --checkpoint /tmp/checkpoint.txt > /dev/null; cat /tmp/checkpoint.txt
> dev=0x0
> inode=0
> output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514
>
> Which is incorrect. The following is correct.
> [root@auditdtest audit-userspace]# rm -f /tmp/checkpoint.txt; ./src/.libs/ausearch --input /var/log/audit/audit.log.2 --checkpoint /tmp/checkpoint.txt > /dev/null; cat /tmp/checkpoint.txt
> dev=0xFD00
> inode=25326469
> output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514
> [root@auditdtest audit-userspace]#
>
> A Pull Request with the fix has been submitted on github -
> https://github.com/linux-audit/audit-userspace/pull/77

Thanks for finding this and submitting the pull request. It has been applied
to both branches.

-Steve
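
Added example, not part of the thread and not audit-userspace code: a small Python check that parses a checkpoint file in the three-line format shown in the report and flags the dev=0x0 / inode=0 symptom. The function names are hypothetical, and comparing the recorded pair with the input file's st_dev/st_ino is an assumption about what the two fields hold.

```python
import os
import tempfile

def parse_checkpoint(text):
    """Parse the dev=/inode=/output= lines of an ausearch checkpoint file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("dev", "inode", "output"):
            fields[key] = value.strip()
    missing = {"dev", "inode", "output"} - fields.keys()
    if missing:
        raise ValueError("checkpoint missing fields: %s" % sorted(missing))
    # dev is written in hex (0xFD00), inode in decimal.
    return int(fields["dev"], 16), int(fields["inode"]), fields["output"]

def check_checkpoint(text, log_path=None):
    """Return a list of problems; an empty list means the checkpoint looks sane."""
    dev, inode, _ = parse_checkpoint(text)
    problems = []
    if dev == 0 or inode == 0:
        problems.append("dev/inode not recorded (dev=0x%X inode=%d)" % (dev, inode))
    elif log_path is not None:
        st = os.stat(log_path)
        # Assumption: the recorded pair is st_dev/st_ino of the input file.
        if (dev, inode) != (st.st_dev, st.st_ino):
            problems.append("checkpoint does not refer to %s" % log_path)
    return problems

# Checkpoint contents as posted in the report above.
OUT = "output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514\n"
BROKEN = "dev=0x0\ninode=0\n" + OUT
FIXED = "dev=0xFD00\ninode=25326469\n" + OUT

def demo():
    # Constructed stand-in for a log file so the stat comparison runs anywhere.
    with tempfile.NamedTemporaryFile() as log:
        st = os.stat(log.name)
        good = "dev=0x%X\ninode=%d\n%s" % (st.st_dev, st.st_ino, OUT)
        stale = "dev=0x%X\ninode=%d\n%s" % (st.st_dev, st.st_ino + 1, OUT)
        return (check_checkpoint(BROKEN), check_checkpoint(FIXED),
                check_checkpoint(good, log.name), check_checkpoint(stale, log.name))

if __name__ == "__main__":
    for result in demo():
        print(result or "ok")
```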