From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve <m6x@ornl.gov>
Subject: Re: [PATCH] audit tools: add filterkey support
Date: Mon, 26 Jun 2006 08:57:33 -0400
Message-ID: <449FD9BD.2040700@ornl.gov>
References: <20060614224910.GB2268@zk3.dec.com> <449FD7C3.6040700@ornl.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k5QCvgk3004532
	for <linux-audit@redhat.com>; Mon, 26 Jun 2006 08:57:42 -0400
Received: from emroute1.ornl.gov (emroute1.ornl.gov [160.91.4.119])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k5QCvggg008235
	for <linux-audit@redhat.com>; Mon, 26 Jun 2006 08:57:42 -0400
Received: from emroute1.ornl.gov (localhost [127.0.0.1])
	by emroute1.ornl.gov (PMDF V6.2-1x9 #31038)
	with ESMTP id <0J1G00C12XBZQH@emroute1.ornl.gov> for
	linux-audit@redhat.com; Mon, 26 Jun 2006 08:57:36 -0400 (EDT)
Received: from ORNLEXCHANGE.ornl.gov (ornlexchange2.ornl.gov [160.91.1.22])
	by emroute1.ornl.gov (PMDF V6.2-1x9 #31038)
	with ESMTP id <0J1G007AFXBZ0Z@emroute1.ornl.gov> for
	linux-audit@redhat.com; Mon, 26 Jun 2006 08:57:35 -0400 (EDT)
In-reply-to: <449FD7C3.6040700@ornl.gov>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

> I haven't determined how to assign a key to a rule yet (maybe that is 
> part of the problem).

I was able to assign a key using filterkey=MY_RULE_0 and the auid is 
still off.

data="audit(1151326486.828:62): arch=40000003 syscall=195 success=yes 
exit=0 a0=9b09080 a1=806a760 a2=8f1ff4 a3=0 items=1 ppid=2329 pid=2696 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts1 comm="nano" exe="/usr/bin/nano" 
subj=user_u:system_r:unconfined_t:s0 key="MY_RULE_0""

Steve