Hi, I was just doing some validation work to make sure the newly converted ausearch is producing the exact same output as it used to... and found a couple of items that need patching.
1) AUDIT_TTY events are not recording a subject field.

2) AVC records can sometimes have dev="md1". The dev field is documented as being the numeric device number. Cases like this should be changed to "devname", which can be encoded.

3) We might need a supplemental record for *setxattr. The flags field is the fifth argument and is not recorded anywhere.

Thanks,
-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
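The three format points above can be turned into a small record checker. The following is an added example and is not code from the original message or from the audit project. It assumes: a TTY record should carry a subj= field; an AVC dev= value must be numeric major:minor, and a device name belongs in a devname= field that follows the kernel's untrusted-string rule (printable ASCII 0x21-0x7e without a double quote is emitted quoted, anything else as upper-case hex); setxattr/lsetxattr/fsetxattr are syscalls 188/189/190 on x86_64 (arch=c000003e), and a SYSCALL record only carries a0-a3, so the fifth argument (flags) is never present. The sample records are constructed, not real log output.

```python
"""Check audit records for the three format problems discussed above.

Added example, not code from the audit project or the original poster.
The sample records below are constructed for illustration.
"""
import re

# key=value pairs: value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Numeric device number as major:minor (assumption: hex digits both sides).
NUMERIC_DEV_RE = re.compile(r'^[0-9a-fA-F]+:[0-9a-fA-F]+$')

# x86_64 syscall numbers for the *setxattr family (assumption: x86_64 only).
X86_64_ARCH = "c000003e"
SETXATTR_SYSCALLS = {"188": "setxattr", "189": "lsetxattr", "190": "fsetxattr"}

# Constructed sample records (not from the original message).
SAMPLE_RECORDS = [
    'type=TTY msg=audit(1299000000.100:42): tty pid=1234 uid=1000 auid=1000 '
    'ses=2 major=136 minor=1 comm="bash" data=6C730A',
    'type=AVC msg=audit(1299000000.101:43): avc:  denied  { read } for  pid=1234 '
    'comm="cat" name="md1" dev="md1" ino=5 scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    'type=AVC msg=audit(1299000000.101:44): avc:  denied  { read } for  pid=1234 '
    'comm="cat" name="passwd" dev=08:03 ino=131 scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1299000000.102:45): arch=c000003e syscall=188 success=yes '
    'exit=0 a0=7fff1234 a1=7fff5678 a2=7fff9abc a3=4 items=1 ppid=1 pid=1234 auid=1000 '
    'uid=1000 comm="setfattr" exe="/usr/bin/setfattr" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)',
    'type=TTY msg=audit(1299000000.103:46): tty pid=1235 uid=1000 auid=1000 ses=2 '
    'major=136 minor=1 comm="bash" subj=unconfined_u:unconfined_r:unconfined_t:s0 data=6C730A',
]


def parse_record(line):
    """Return (record type, {field: raw value}) for one audit record line."""
    fields = dict(FIELD_RE.findall(line))
    return fields.get("type"), fields


def audit_encode(value):
    """Encode a string the way the kernel logs untrusted strings: quoted if every
    byte is printable ASCII 0x21..0x7e and not '"', otherwise upper-case hex."""
    data = value.encode("utf-8", "surrogateescape")
    if all(0x21 <= b <= 0x7E and b != 0x22 for b in data):
        return '"%s"' % value
    return data.hex().upper()


def audit_decode(token):
    """Inverse of audit_encode: strip quotes, or hex-decode a bare token."""
    if token.startswith('"') and token.endswith('"'):
        return token[1:-1]
    return bytes.fromhex(token).decode("utf-8", "surrogateescape")


def check_record(line):
    """Return a list of human-readable format problems found in one record."""
    rtype, f = parse_record(line)
    issues = []
    if rtype == "TTY" and "subj" not in f:
        issues.append("TTY record without subj= field")
    if rtype == "AVC" and "dev" in f and not NUMERIC_DEV_RE.match(f["dev"]):
        # A name is not a device number; re-emit it as an encodable devname field.
        issues.append("AVC dev=%s is a name, not major:minor; emit as devname=%s"
                      % (f["dev"], audit_encode(audit_decode(f["dev"]))))
    if (rtype == "SYSCALL" and f.get("arch") == X86_64_ARCH
            and f.get("syscall") in SETXATTR_SYSCALLS and "a4" not in f):
        issues.append("%s: flags (5th argument) not recorded; needs a supplemental record"
                      % SETXATTR_SYSCALLS[f["syscall"]])
    return issues


def check_all(records):
    """Map each offending record's serial to its issues; clean records are omitted."""
    report = {}
    for line in records:
        issues = check_record(line)
        if issues:
            serial = re.search(r'msg=audit\([^:]+:(\d+)\)', line).group(1)
            report[serial] = issues
    return report


if __name__ == "__main__":
    for serial, issues in check_all(SAMPLE_RECORDS).items():
        for issue in issues:
            print("serial %s: %s" % (serial, issue))
```

Running it reports serials 42, 43 and 45 and leaves the numeric-dev AVC and the TTY record that already carries subj= alone; the encode/decode pair is what a devname field would go through on the kernel and ausearch sides respectively.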