Steve,

When ausearch is given the --debug option, malformed events are written to stderr. The PROCTITLE type record is considered to be malformed. This patch corrects for this.
diff -Npru audit-2.4.4/src/ausearch-parse.c audit-2.4.4_debug_fix/src/ausearch-parse.c --- audit-2.4.4/src/ausearch-parse.c 2015-08-14 06:56:27.000000000 +1000 +++ audit-2.4.4_debug_fix/src/ausearch-parse.c 2015-12-18 13:52:32.103305466 +1100 @@ -162,6 +162,7 @@ int extract_search_items(llist *l) case AUDIT_CAPSET: case AUDIT_MMAP: case AUDIT_NETFILTER_CFG: + case AUDIT_PROCTITLE: // Nothing to parse break; case AUDIT_TTY:
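Review bot: The new `case AUDIT_PROCTITLE:` in extract_search_items() sits in the group under the `// Nothing to parse` comment, so the record is now accepted but none of its content is extracted, and the description does not say that this is intended. The message only talks about the --debug output on stderr; please state there that PROCTITLE carries nothing the search items need, so a reader does not take the fall-through for an oversight. It would also help to confirm that no other record-type switch in this file still treats AUDIT_PROCTITLE as unknown, since the hunk covers this one function only.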
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
