On Thursday 05 April 2007 15:21:35 Tom Lendacky wrote:
> When stopping and starting the audit daemon I noticed that the
> DAEMON_END audit record contains a subject field.  However,
> ausearch does not find the record when you perform a search for the
> subject.  Shouldn't ausearch be able to find the record if it
> contains a subject?

Yes, it should. I guess we need a bz filed.

> The DAEMON_START audit record doesn't contain a subject and this seems a
> little bit inconsistent.

The audit daemon isn't linked with libselinux. The stop message subject is 
collected by the kernel, but there simply is no mechanism for that on startup 
short of linking libselinux and calling one of its functions.

> Should it contain a subject value or does it and the DAEMON_END record
> really not require a subject (and thus ausearch not supporting
> searching that record by subject)?

That's a good question. For stop, I think so. For start I'm not sure.

-Steve

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
