public inbox for linux-audit@redhat.com
* [Patch]Fix the error in the output of "auditctl -s" when auditd is stoped
@ 2008-08-07  4:50 Chu Li
  2008-08-07 13:39 ` Eric Paris
  2008-08-07 21:01 ` Steve Grubb
  0 siblings, 2 replies; 6+ messages in thread
From: Chu Li @ 2008-08-07  4:50 UTC (permalink / raw)
  To: 'Steve Grubb'; +Cc: 'linux-audit'

Hi Steve,
  When auditd is stopped, "auditctl -s" will show "pid=0". I think it's not
correct information. It's better to tell users "auditd not started".

Signed-off-by: Chu Li <chul@cn.fujitsu.com>
---
diff --git a/src/auditctl.c b/src/auditctl.c
index 10894f9..b26dd82 100755
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -1411,12 +1411,15 @@ static int audit_print_reply(struct audit_reply *rep)
 			printed = 1;
 			return 0;
 		case AUDIT_GET:
-			printf("AUDIT_STATUS: enabled=%d flag=%d pid=%d"
-			" rate_limit=%d backlog_limit=%d lost=%d backlog=%u\n",
+			printf("AUDIT_STATUS: enabled=%d flag=%d"
+			" rate_limit=%d backlog_limit=%d lost=%d backlog=%u ",
 			rep->status->enabled, rep->status->failure,
-			rep->status->pid, rep->status->rate_limit,
-			rep->status->backlog_limit, rep->status->lost,
-			rep->status->backlog);
+			rep->status->rate_limit, rep->status->backlog_limit,
+			rep->status->lost, rep->status->backlog);
+			if(rep->status->pid != 0)
+				printf("pid=%d\n", rep->status->pid);
+			else
+				printf("auditd_not_started\n");
 			printed = 1;
 			return 0;
 		case AUDIT_LIST:
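
Review bot: In the else branch, printf("auditd_not_started\n") replaces the pid= field with a bare token, so the AUDIT_STATUS line is no longer uniformly key=value and a consumer that looks up pid finds no such field when the daemon is stopped. Keeping pid= in the output in both cases, with 0 or another documented sentinel value for "not running", would carry the same information without changing the grammar of the line.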

Regards
Chu Li


* Re: [Patch]Fix the error in the output of "auditctl -s" when auditd is stoped
  2008-08-07  4:50 [Patch]Fix the error in the output of "auditctl -s" when auditd is stoped Chu Li
@ 2008-08-07 13:39 ` Eric Paris
  2008-08-07 13:54   ` Steve Grubb
  2008-08-07 13:55   ` John Dennis
  2008-08-07 21:01 ` Steve Grubb
  1 sibling, 2 replies; 6+ messages in thread
From: Eric Paris @ 2008-08-07 13:39 UTC (permalink / raw)
  To: Chu Li; +Cc: 'linux-audit'

On Thu, 2008-08-07 at 12:50 +0800, Chu Li wrote:
> Hi Steve,
>   When auditd is stopped, "auditctl -s" will show "pid=0". I think it's not
> correct information. It's better to tell users "auditd not started".

We do try to keep the whole key=value pair thing in audit records.  I'd
be willing to go with something like -1 to make it really clear, but
with the number of complaints about the inconsistencies of audit records
from people like John Dennis I'm not sure I'm a fan of this patch....

-Eric

> Signed-off-by: Chu Li <chul@cn.fujitsu.com>
> ---
> diff --git a/src/auditctl.c b/src/auditctl.c
> index 10894f9..b26dd82 100755
> --- a/src/auditctl.c
> +++ b/src/auditctl.c
> @@ -1411,12 +1411,15 @@ static int audit_print_reply(struct audit_reply *rep)
>  			printed = 1;
>  			return 0;
>  		case AUDIT_GET:
> -			printf("AUDIT_STATUS: enabled=%d flag=%d pid=%d"
> -			" rate_limit=%d backlog_limit=%d lost=%d backlog=%u\n",
> +			printf("AUDIT_STATUS: enabled=%d flag=%d"
> +			" rate_limit=%d backlog_limit=%d lost=%d backlog=%u ",
>  			rep->status->enabled, rep->status->failure,
> -			rep->status->pid, rep->status->rate_limit,
> -			rep->status->backlog_limit, rep->status->lost,
> -			rep->status->backlog);
> +			rep->status->rate_limit, rep->status->backlog_limit,
> +			rep->status->lost, rep->status->backlog);
> +			if(rep->status->pid != 0)
> +				printf("pid=%d\n", rep->status->pid);
> +			else
> +				printf("auditd_not_started\n");
>  			printed = 1;
>  			return 0;
>  		case AUDIT_LIST:
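
Review bot: The pid field moves from third position to the end of the line, and the line is now written by two printf calls, the first ending in a trailing space. Anything that matches the whole AUDIT_STATUS line or relies on field order (a test suite, for instance) would see a change even while auditd is running; leaving pid where it was in the single printf and changing only the value printed for the stopped case keeps the running-daemon output byte-identical.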
> 
> Regards
> Chu Li


* Re: [Patch]Fix the error in the output of "auditctl -s" when auditd is stoped
  2008-08-07 13:39 ` Eric Paris
@ 2008-08-07 13:54   ` Steve Grubb
  2008-08-07 13:55   ` John Dennis
  1 sibling, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2008-08-07 13:54 UTC (permalink / raw)
  To: Eric Paris; +Cc: 'linux-audit'

On Thursday 07 August 2008 09:39:37 Eric Paris wrote:
> >   When auditd is stopped, "auditctl -s" will show "pid=0". I think it's
> > not correct information. It's better to tell users "auditd not started".
>
> We do try to keep the whole key=value pair thing in audit records.  

This is for the display when you type auditctl -s and doesn't have anything to 
do with audit records.


> I'd be willing to go with something like -1 to make it really clear, but
> with the number of complaints about the inconsistencies of audit records
> from people like John Dennis I'm not sure I'm a fan of this patch....

I don't think that's an issue since this is not in the records. My only 
concern is what this might do to our test suites. For the moment, I'm just 
trying to finish off what we will have in RHEL5 without changes to API that 
might cause any regressions in the test suites.

Around the time that Fedora 11 work starts, I'd like to start making changes 
to clean things up and have new ideas. That time is coming soon...but not 
yet.

-Steve


* Re: [Patch]Fix the error in the output of "auditctl -s" when auditd is stoped
  2008-08-07 13:39 ` Eric Paris
  2008-08-07 13:54   ` Steve Grubb
@ 2008-08-07 13:55   ` John Dennis
  1 sibling, 0 replies; 6+ messages in thread
From: John Dennis @ 2008-08-07 13:55 UTC (permalink / raw)
  To: Eric Paris; +Cc: 'linux-audit'



Eric Paris wrote:
> On Thu, 2008-08-07 at 12:50 +0800, Chu Li wrote:
>   
>> Hi Steve,
>>   When auditd is stopped, "auditctl -s" will show "pid=0". I think it's not
>> correct information. It's better to tell users "auditd not started".
>>     
>
> We do try to keep the whole key=value pair thing in audit records.  I'd
> be willing to go with something like -1 to make it really clear, but
> with the number of complaints about the inconsistencies of audit records
> from people like John Dennis I'm not sure I'm a fan of this patch....
>   
Thank you Eric! We should be moving toward consistent formatting of 
audit records and one of the most important consistencies to achieve if 
we do modify the records is that all data is in the form of key=value. 
Embedding random strings into records makes parsing difficult especially 
when the record format varies by kernel version, which this patch would 
do (at least the proposed string didn't contain any embedded spaces!)

NAK to this patch.

I think Eric's suggestion of pid=-1 is a good one.

-- 
John Dennis <jdennis@redhat.com>
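
As an added example (not part of the thread and not code from the audit project), a minimal key=value scanner run over constructed `auditctl -s` status lines shows the parsing concern discussed above: with the existing format a stopped daemon is still readable as pid=0, while the patched line leaves no pid field to look up. The helpers `kv_get_long()` and `daemon_state()` and the sample values are assumptions made for the illustration.

```c
/* Added example, not audit project code; both helpers are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample lines in the old and the patched output format. */
static const char OLD_STOPPED[] = "AUDIT_STATUS: enabled=1 flag=1 pid=0"
    " rate_limit=0 backlog_limit=320 lost=0 backlog=0\n";
static const char OLD_RUNNING[] = "AUDIT_STATUS: enabled=1 flag=1 pid=1834"
    " rate_limit=0 backlog_limit=320 lost=0 backlog=0\n";
static const char NEW_STOPPED[] = "AUDIT_STATUS: enabled=1 flag=1"
    " rate_limit=0 backlog_limit=320 lost=0 backlog=0 auditd_not_started\n";

/* Find key=<integer> among space-separated tokens: 0 if found, else -1. */
static int kv_get_long(const char *line, const char *key, long *out)
{
    size_t klen = strlen(key);
    const char *p = line;
    while (*p) {
        while (*p == ' ' || *p == '\n')
            p++;
        const char *tok = p;
        while (*p && *p != ' ' && *p != '\n')
            p++;
        /* Token must be exactly key, '=', then at least one value char. */
        if ((size_t)(p - tok) > klen + 1 && tok[klen] == '=' &&
            strncmp(tok, key, klen) == 0) {
            char *end;
            *out = strtol(tok + klen + 1, &end, 10);
            return end == p ? 0 : -1; /* value must be a whole number */
        }
    }
    return -1; /* bare tokens such as auditd_not_started never match */
}

/* 1 = daemon registered, 0 = not running (pid=0), -1 = no pid field. */
static int daemon_state(const char *status_line)
{
    long pid;
    if (kv_get_long(status_line, "pid", &pid) != 0)
        return -1;
    return pid != 0;
}

int main(void)
{
    printf("%d %d %d\n", daemon_state(OLD_STOPPED),
           daemon_state(OLD_RUNNING), daemon_state(NEW_STOPPED));
    return 0;
}
```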




* Re: [Patch]Fix the error in the output of "auditctl -s" when auditd is stoped
  2008-08-07  4:50 [Patch]Fix the error in the output of "auditctl -s" when auditd is stoped Chu Li
  2008-08-07 13:39 ` Eric Paris
@ 2008-08-07 21:01 ` Steve Grubb
  2008-08-08  1:10   ` Chu Li
  1 sibling, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2008-08-07 21:01 UTC (permalink / raw)
  To: Chu Li; +Cc: 'linux-audit'

On Thursday 07 August 2008 00:50:45 Chu Li wrote:
>   When auditd is stopped, "auditctl -s" will show "pid=0". I think it's not
> correct information. It's better to tell users "auditd not started".

At the moment, I don't want to change this behavior. In about a month, I think 
we can make updates that change the external behavior. If you want, we can 
document this better in man pages that audit pid of 0 means it's not running.

Thanks,
-Steve


* RE: [Patch]Fix the error in the output of "auditctl -s" when auditd is stoped
  2008-08-07 21:01 ` Steve Grubb
@ 2008-08-08  1:10   ` Chu Li
  0 siblings, 0 replies; 6+ messages in thread
From: Chu Li @ 2008-08-08  1:10 UTC (permalink / raw)
  To: 'Steve Grubb'; +Cc: 'linux-audit'

Hi Steve,
> we can make updates that change the external behavior. If you want, we can
> document this better in man pages that audit pid of 0 means it's not running.
  I agree with it. At least it's necessary to add some simple explanation about 
"pid=0" in the manual.

Regards
Chu Li
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Friday, August 08, 2008 5:02 AM
> To: Chu Li
> Cc: 'linux-audit'
> Subject: Re: [Patch]Fix the error in the output of "auditctl -s" when auditd is
> stoped
>
> On Thursday 07 August 2008 00:50:45 Chu Li wrote:
> >   When auditd is stopped, "auditctl -s" will show "pid=0". I think it's not
> > correct information. It's better to tell users "auditd not started".
>
> At the moment, I don't want to change this behavior. In about a month, I think
> we can make updates that change the external behavior. If you want, we can
> document this better in man pages that audit pid of 0 means it's not running.
>
> Thanks,
> -Steve

