On Thursday 07 August 2008 09:39:37 Eric Paris wrote:
> > When auditd is stopped, "auditctl -s" will show "pid=0". I think it's
> > not correct information. It's better to tell users "auditd not started".
>
> We do try to keep the whole key=value pair thing in audit records.

This is for the display when you type auditctl -s and doesn't have anything to do with audit records.

> I'd be willing to go with something like -1 to make it really clear, but
> with the number of complaints about the inconsistencies of audit records
> from people like John Dennis I'm not sure I'm a fan of this patch....

I don't think that's an issue since this is not in the records. My only concern is what this might do to our test suites. For the moment, I'm just trying to finish off what we will have in RHEL5 without changes to API that might cause any regressions in the test suites. Around the time that Fedora 11 work starts, I'd like to start making changes to clean things up and have new ideas. That time is coming soon...but not yet.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit