* ausearch message type omissions
From: Richard Guy Briggs @ 2017-07-13 20:54 UTC
To: linux-audit
Hi,

In the process of creating/updating the audit message/record type
dictionary, I stumbled on the following two message types missing from
ausearch -m text:

This one is in the userspace header file. What is its meaning and is it
a printable record?

AUDIT_DAEMON_RECONFIG,1204,Auditd should reconfigure

This was added to test if a daemon was still listening and should be
logged that an attempt was made to replace it.

AUDIT_REPLACE,1329,Replace auditd if this probe unanswerd

Thanks!

- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
* Re: ausearch message type omissions
From: Steve Grubb @ 2017-07-13 21:09 UTC
To: linux-audit; +Cc: Richard Guy Briggs
On Thursday, July 13, 2017 4:54:39 PM EDT Richard Guy Briggs wrote:
> In the process of creating/updating the audit message/record type
> dictionary, I stumbled on the following two message types missing from
> ausearch -m text:
>
> This one is in the userspace header file. What is its meaning and is it
> a printable record?
>
> AUDIT_DAEMON_RECONFIG,1204,Auditd should reconfigure

This is an internal only message that never gets written to disk. This gets
changed into DAEMON_CONFIG and that is what is on-disk.

> This was added to test if a daemon was still listening and should be
> logged that an attempt was made to replace it.
>
> AUDIT_REPLACE,1329,Replace auditd if this probe unanswerd

These are discarded.

-Steve
* Re: ausearch message type omissions
From: Richard Guy Briggs @ 2017-07-13 23:14 UTC
To: Steve Grubb; +Cc: linux-audit
On 2017-07-13 17:09, Steve Grubb wrote:
> On Thursday, July 13, 2017 4:54:39 PM EDT Richard Guy Briggs wrote:
> > In the process of creating/updating the audit message/record type
> > dictionary, I stumbled on the following two message types missing from
> > ausearch -m text:
> >
> > This one is in the userspace header file. What is its meaning and is it
> > a printable record?
> >
> > AUDIT_DAEMON_RECONFIG,1204,Auditd should reconfigure
>
> This is an internal only message that never gets written to disk. This gets
> changed into DAEMON_CONFIG and that is what is on-disk.

Good, perfect, I'll ignore.

> > This was added to test if a daemon was still listening and should be
> > logged that an attempt was made to replace it.
> >
> > AUDIT_REPLACE,1329,Replace auditd if this probe unanswerd
>
> These are discarded.

Good, ignore again. Just checking. :-)

> -Steve

- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635