On Monday, November 17, 2014 11:09:08 AM Paul Moore wrote: > On Friday, November 14, 2014 10:32:51 PM Richard Guy Briggs wrote: > > On 14/11/13, Steve Grubb wrote: > > > On Thursday, November 13, 2014 08:08:52 PM Richard Guy Briggs wrote: > > > The audit 2.4.1 package has been pushed to everything from F20 -> > > > rawhide. > > > If you don't see any problems, then its safe. But check carefully around > > > the things that you did change. Right now, we only are caring about only > > > one kernel feature, --loginuid-immutable. Check that it still works, > > > auditctl -s. > > > > Here's my output, which I assume looks sane:
Yeah, but how do we know its really selecting the right feature? > > [root@f20 ~]# rpm -q audit > > audit-2.4.1-1.fc20.x86_64 > > [root@f20 ~]# auditctl -s > > enabled 1 > > flag 1 > > pid 307 > > rate_limit 0 > > backlog_limit 320 > > lost 0 > > backlog 0 > > backlog_wait_time 60000 > > loginuid_immutable 0 unlocked > > Looks like good output to me, Steve? I would like it better if the following was tested as root: auditctl -s echo "1" > /proc/self/loginuid auditctl --loginuid-immutable auditctl -s echo "2" > /proc/self/loginuid This was we know that the feature is correctly reported, selected, and working. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
