
Re: [PATCH 1/2] fix a bug that use option '-r' cannot output all unformatted logs

> All records must have auid. That is part of the requirements besides date, 
> time, what happened, and what the results were. 

When the watched file is deleted or renamed, the log will be made.
You can get the result by the following steps:

1. # service auditd start
2. # touch temp_file
3. # auditctl -w `pwd`/temp_file -k temp_file
4. # rm -f temp_file

/var/log/audit/audit.log will contain:
node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101): op=updated rules specifying path="/home/pht/temp_file" with dev=4294967295 ino=4294967295  list=0 res=1

> If that record is missing 
> auid, we need to patch the kernel.
> -Steve

Peng Haitao
Development Dept.I
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
8/F., Civil Defense Building, No.189 Guangzhou Road,
Nanjing, 210029, China 
TEL: +86+25-86630566-837
FAX: +86+25-83317685
EMail: penght cn fujitsu com
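A way to check a log for the condition discussed in this message, added here as an example and not part of the original mail or of the audit project's code: it groups records by the `msg=audit(time:serial)` identifier and lists events in which no record carries `auid`. The grouping rule and the SYSCALL and PATH sample lines are assumptions constructed for the example; the CONFIG_CHANGE line is the one quoted above.

```python
import re

# Record header: optional node=, then type= and msg=audit(epoch.msec:serial):
HEADER = re.compile(r'^(?:node=\S+ )?type=(?P<type>\S+) '
                    r'msg=audit\((?P<event>\d+\.\d+:\d+)\):\s*(?P<body>.*)$')
# Body fields are key=value and values may be double-quoted. Free text such
# as "rules specifying" in the CONFIG_CHANGE record matches nothing.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return (event_id, record_type, fields), or None for a non-record line."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group('body'))}
    return m.group('event'), m.group('type'), fields

def events_missing_auid(lines):
    """List (event_id, record_types) for events where no record has auid."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # skip blank or damaged lines
        event_id, rtype, fields = rec
        ev = events.setdefault(event_id, {'types': [], 'auid': False})
        ev['types'].append(rtype)
        # Auxiliary records (PATH here) have no auid of their own, so the
        # check is per event: one record with auid is enough.
        ev['auid'] = ev['auid'] or 'auid' in fields
    return [(eid, ev['types']) for eid, ev in events.items() if not ev['auid']]

SAMPLE = [
    # Constructed: a two-record event for the rm call, with auid present.
    'node=RHEL5.2GA type=SYSCALL msg=audit(1217551948.380:97100): '
    'arch=c000003e syscall=87 success=yes exit=0 auid=500 uid=0 '
    'comm="rm" exe="/bin/rm" key="temp_file"',
    'node=RHEL5.2GA type=PATH msg=audit(1217551948.380:97100): '
    'item=0 name="temp_file" inode=1234',
    # From the message above: the record written when the watch is updated.
    'node=RHEL5.2GA type=CONFIG_CHANGE msg=audit(1217551948.386:97101): '
    'op=updated rules specifying path="/home/pht/temp_file" with '
    'dev=4294967295 ino=4294967295  list=0 res=1',
]

if __name__ == '__main__':
    for event_id, types in events_missing_auid(SAMPLE):
        print('no auid in event', event_id, types)
```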
