Hi Steve,

When auditd is stopped, "auditctl -s" will show "pid=0". I think it's not correct information. It's better to tell users "auditd not started".
Signed-off-by: Chu Li <[EMAIL PROTECTED]> --- diff --git a/src/auditctl.c b/src/auditctl.c index 10894f9..b26dd82 100755 --- a/src/auditctl.c +++ b/src/auditctl.c @@ -1411,12 +1411,15 @@ static int audit_print_reply(struct audit_reply *rep) printed = 1; return 0; case AUDIT_GET: - printf("AUDIT_STATUS: enabled=%d flag=%d pid=%d" - " rate_limit=%d backlog_limit=%d lost=%d backlog=%u\n", + printf("AUDIT_STATUS: enabled=%d flag=%d" + " rate_limit=%d backlog_limit=%d lost=%d backlog=%u ", rep->status->enabled, rep->status->failure, - rep->status->pid, rep->status->rate_limit, - rep->status->backlog_limit, rep->status->lost, - rep->status->backlog); + rep->status->rate_limit, rep->status->backlog_limit, + rep->status->lost, rep->status->backlog); + if(rep->status->pid != 0) + printf("pid=%d\n", rep->status->pid); + else + printf("auditd_not_started\n"); printed = 1; return 0; case AUDIT_LIST: Regards Chu Li -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
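
Review bot: In the AUDIT_GET case the pid field moves from third position to the end of the line, and when pid is 0 it is replaced by the bare token "auditd_not_started", so the status line no longer has a fixed field order or a pid= key in every case. Consider leaving "pid=%d" where it was in the original format string and appending the not-started indication as an additional field after "backlog=%u", so the existing fields stay unchanged for anything that reads this output. If the split into two printf calls is kept, note that the first format string now ends in a trailing space before the second call prints, and that "if(rep->status->pid != 0)" is missing a space after the keyword.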