From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: aulast only displaying reboot pseudo-users Date: Tue, 17 Jun 2014 12:30:13 -0400 Message-ID: <6239134.gMXMm0ujKa@x2> References: <20140605000405.687f6ad7@fornost.bigon.be> <7885595.OZveFJzaAO@x2> <20140617112601.4841004e@flatline.rdu.redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20140617112601.4841004e@flatline.rdu.redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Eric Paris Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Tuesday, June 17, 2014 11:26:01 AM Eric Paris wrote: > On Tue, 17 Jun 2014 10:56:24 -0400 > > Steve Grubb wrote: > > On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote: > > > On Tue, 17 Jun 2014 16:09:32 +0200 > > > > > > 2) Userspace silently throws records which are 'malformed' away, > > > instead of just printing them... > > > > > > ausearch -m LOGIN should be able to display these things... > > > > It does not have a concept of completing > > search criteria and just dumping the record out. There might be > > something that can be done here, but lots a changes risks breaking > > things in subtle ways. > > I understand, but I can't imagine any customer that would want these > records silently thrown away. When grep is a more reliable tool, we're in > trouble :) Grep is not trying to make sense out of the audit trail. :-) I checked in a change that helps some, but it only fixes ausearch when loginuid is not specified. https://fedorahosted.org/audit/changeset/957 -Steve