The res field has a value of 1 instead of either success or fail

Steve Grubb sgrubb at redhat.com
Wed Jul 20 13:17:49 UTC 2016


On Wednesday, July 20, 2016 11:25:19 AM EDT Mateusz Piotrowski wrote:
> Hello,
> 
> > On 19 Jul 2016, at 12:28, Mateusz Piotrowski <0mp at freebsd.org> wrote:
> > 
> > type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add
> > rule" key=(null) list=4 res=1 As you can see, there is a res field whose
> > value is 1.
> > 
> > Is it because my auditd is outdated? Is there a missing res field which is
> > purely numeric (just like the fields called fp [3])?

No. There is inconsistency because different people do it their way without 
regard for anyone who is trying to make sense of the audit trail. This is why 
I have published so many specifications. I want to point to the docs and say 
you have to conform. And this is also why I want to write a validation suite. 
We need to find all the outliers and fix them.

-Steve

> > As Steve said in previous emails, it is possible and it might be fixed
> > already. I’ll try to find out if I get similar logs with the latest
> > auditd (2.6.5) on CentOS 6.8-i386 later.
>
> I confirm that it is possible to generate a type=CONFIG_CHANGE record with a
> res=1 field on CentOS 6.8 with auditd v2.6.5.
> 
> Cheers
> 
> -m
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
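Added example, not part of this thread or of the audit project's code: a small
parser for audit records that tolerates both the usual res=success/res=failed
spelling and the numeric res=1 shown in the CONFIG_CHANGE record above (plus the
success=yes/no field that SYSCALL records use), and that flags records whose
result field does not use the canonical spelling, which is the kind of outlier
hunt Steve describes. The sample records are constructed for the example (the
CONFIG_CHANGE line re-joins the one quoted above; the USER_ACCT and SYSCALL lines
are illustrative). Mapping res=1 to success and res=0 to failure is this
example's assumption, consistent with the boolean the kernel logs for rule changes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not captured from a real system).
SAMPLE_RECORDS = [
    'type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 '
    'op="add rule" key=(null) list=4 res=1',
    'type=USER_ACCT msg=audit(1464013700.123:407): pid=2001 uid=0 auid=1000 ses=7 '
    "msg='op=PAM:accounting acct=\"mateusz\" exe=\"/usr/bin/sudo\" hostname=? "
    "addr=? terminal=/dev/pts/0 res=success'",
    'type=SYSCALL msg=audit(1464013710.500:408): arch=c000003e syscall=2 success=no '
    'exit=-13 a0=7ffd0 a1=0 items=1 ppid=1 pid=2002 auid=1000 uid=1000 gid=1000 '
    'ses=7 comm="cat" exe="/bin/cat" key="shadow-read"',
]

# key=value pairs; a value is a double-quoted string (with escapes), a
# single-quoted nested payload, or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\'[^\']*\'|\S+)')
# msg=audit(<seconds.millis>:<serial>): carries the event time and serial.
MSG_RE = re.compile(r'^audit\((\d+\.\d+):(\d+)\):?$')

# Every spelling of an outcome seen across record types, normalised to a bool.
# The numeric 1/0 mapping is assumed here (1 = success), matching the boolean
# convention of the kernel's rule-change logging.
RESULT_SPELLINGS = {
    "success": True, "yes": True, "1": True,
    "failed": False, "fail": False, "no": False, "0": False,
}
# The spelling each result field is expected to use; anything else is an outlier.
CANONICAL = {"res": ("success", "failed"), "success": ("yes", "no")}


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a field dict, flattening a nested msg='...' payload."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith("'") and raw.endswith("'"):
            # User-space records wrap their own fields in msg='...'; parse them too.
            fields.update(parse_record(raw[1:-1]))
            continue
        if key == "msg":
            m = MSG_RE.match(raw)
            if m:
                fields["_time"], fields["_serial"] = m.group(1), m.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def outcome(fields: Dict[str, str]) -> Optional[bool]:
    """Return True/False for the record's result, or None if it has none or it is unrecognised."""
    for key in ("res", "success"):
        if key in fields:
            return RESULT_SPELLINGS.get(fields[key].lower())
    return None


def find_outliers(lines: List[str]) -> List[Tuple[Optional[str], str, str]]:
    """List (type, field, value) for records whose result field is not canonically spelled."""
    outliers = []
    for line in lines:
        fields = parse_record(line)
        for field, accepted in CANONICAL.items():
            if field in fields and fields[field] not in accepted:
                outliers.append((fields.get("type"), field, fields[field]))
    return outliers


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        f = parse_record(rec)
        print(f["type"], f.get("_serial"), "->", outcome(f))
    print("outliers:", find_outliers(SAMPLE_RECORDS))
```

Running find_outliers over a real log (one record per line, e.g. from
/var/log/audit/audit.log) gives the list of record types whose result field
needs attention; a consumer that only matches res=success or res=failed would
otherwise silently misclassify the CONFIG_CHANGE line.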