audit test results on lspp.12 kernel

Loulwa Salem loulwas at us.ibm.com
Mon Mar 20 20:51:55 UTC 2006


Linda Knippers wrote:
> Hi Steve,
>...  Loulwa mentioned a case where the string is missing.
> I don't know if it's really missing or just not found exactly
> as expected.  Do you know if any messages were omitted as
> part of the conversion?

From what I am seeing, I was talking about the msg= field which I am 
seeing is missing values ...

Here is an example of what we used to see before, and what I am seeing 
now with the lspp.12 kernel ...
Notice that in the first record there is a <msg=groupdel> field, while in 
the second record, it is <msg='op=deleting group>.

type=USER_CHAUTHTOK msg=audit(1142347489.501:5273): user pid=12084 uid=0 
auid=0 msg='groupdel: op=deleting group acct=laf_z 
exe="/usr/sbin/groupdel" (hostname=?, addr=?, terminal=pts/1 res=success)'

type=USER_CHAUTHTOK msg=audit(1142347489.501:5273): user pid=12084 uid=0 
auid=0 msg='op=deleting group acct=laf_z exe="/usr/sbin/groupdel" 
(hostname=?, addr=?, terminal=pts/1 res=success)'

- Loulwa
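
Added example, not part of the original message or of the audit test suite: a small parser that reads both record shapes quoted above and compares them while ignoring the leading program-name prefix inside the inner msg= field. The function names are hypothetical, the two sample records are constructed from the ones in the message with line wraps joined, and falling back to the basename of exe= when the prefix is absent is an assumption of this sketch.

```python
import os
import re

# Constructed from the two records quoted in the message (line wraps joined).
OLD = ("type=USER_CHAUTHTOK msg=audit(1142347489.501:5273): user pid=12084 uid=0 "
       "auid=0 msg='groupdel: op=deleting group acct=laf_z "
       "exe=\"/usr/sbin/groupdel\" (hostname=?, addr=?, terminal=pts/1 res=success)'")
NEW = ("type=USER_CHAUTHTOK msg=audit(1142347489.501:5273): user pid=12084 uid=0 "
       "auid=0 msg='op=deleting group acct=laf_z exe=\"/usr/sbin/groupdel\" "
       "(hostname=?, addr=?, terminal=pts/1 res=success)'")

HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
INNER = re.compile(r"msg='(?P<inner>.*)'\s*$")   # user-space payload inside the record body
PREFIX = re.compile(r"^(?P<prog>[\w./-]+): ")    # "groupdel: " style prefix, if present
KEY = re.compile(r"\b(\w+)=")

def parse_user_record(line):
    """Parse one USER_* audit record into type, serial, prefix and inner fields."""
    head = HEADER.match(line.strip())
    if not head:
        raise ValueError("not an audit record")
    inner_m = INNER.search(head["body"])
    if not inner_m:
        raise ValueError("record has no inner msg='...' payload")
    inner = inner_m["inner"]
    pre = PREFIX.match(inner)
    prog = pre["prog"] if pre else None
    if pre:
        inner = inner[pre.end():]
    inner = inner.replace("(", " ").replace(")", " ")
    # Split on key= boundaries because values such as "deleting group" contain spaces.
    keys = list(KEY.finditer(inner))
    fields = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(inner)
        fields[k.group(1)] = inner[k.end():end].strip(' ,"')
    return {"type": head["type"], "serial": int(head["serial"]), "prog": prog, "fields": fields}

def program_of(rec):
    """Prefix if present, otherwise the basename of exe= (assumption of this sketch)."""
    return rec["prog"] or os.path.basename(rec["fields"].get("exe", "")) or None

def same_event(a, b):
    """True when two records match on everything except the optional prefix."""
    return (a["type"], a["serial"], a["fields"]) == (b["type"], b["serial"], b["fields"])

if __name__ == "__main__":
    old, new = parse_user_record(OLD), parse_user_record(NEW)
    print(old["prog"], new["prog"], program_of(new), same_event(old, new))
```
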



