From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Bhagwat, Shriniketan Manjunath" Subject: RE: Audit reporting Invalid argument Date: Thu, 19 May 2016 03:37:09 +0000 Message-ID: <8FC6AD31395616439ECBCD98E071A87F4BF1CE64@G9W0745.americas.hpqcorp.net> References: <8FC6AD31395616439ECBCD98E071A87F4BF14ED7@G4W3202.americas.hpqcorp.net> <1581661.ndI2rhVsuG@x2> <8FC6AD31395616439ECBCD98E071A87F4BF15630@G4W3202.americas.hpqcorp.net> <1956741.kKb8qJBsiM@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1956741.kKb8qJBsiM@x2> Content-Language: en-US List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: "linux-audit@redhat.com" List-Id: linux-audit@redhat.com Thanks Steve and Richard for your response. I will provide the fix soon. Regards, Ketan -----Original Message----- From: Steve Grubb [mailto:sgrubb@redhat.com] Sent: Monday, May 16, 2016 6:24 PM To: Bhagwat, Shriniketan Manjunath Cc: linux-audit@redhat.com Subject: Re: Audit reporting Invalid argument On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote: > > Not today. The check for uid 0 is a poor man's check for > > CAP_AUDIT_CONTROL > > Are there any future plans to support enabling audit from non root > user using CAP_AUDIT_CONTROL? You are the only person who has asked for it. I suppose it can be done in a couple lines of code. But you still have the permissions of the directories that hold the rules to correct. Easy to fix, but I think you might be fighting the distribution's package manager which would set things back to root every update. > Regarding suppression of events, I will do some testing and let you > know later. > > Is there a way I can avoid default logging of the audit events to > /var/log/audit/audit.log? If you have an old copy old the audit system (2.5.1 or earlier) then use log_format = NOLOG. If you have a current copy, then use write_logs = no. -Steve > I do not want audit to log audit events to audit.log, however I will > capture them using my plug-in. Is there a way I can accomplish this? I > tried to commenting the log_file filed from auditd.conf, however the > events are still written to audit.log. I think below code from > auditd-config.c is causing audit to write to audit.log > > config->log_file = strdup("/var/log/audit/audit.log");