Hello,

According to this [1] and the definition of the res field here [2], the res 
field should have a value of either success or fail.

Here are some logs I generated on Debian:

type=USER_START msg=audit(1464013671.525:405): pid=3569 uid=0 auid=1000 ses=7 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add rule" key=(null) list=4 res=1
type=USER_END msg=audit(1464013671.549:407): pid=3569 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'

As you can see, there is a res field whose value is 1.

Is it because my auditd is outdated? Is there a missing res field which is 
purely numeric (just like the fields called fp [3])?

As Steve said in previous emails, it is possible and it might be fixed already. 
I’ll try to find out if I get similar logs with the latest auditd (2.6.5) on 
CentOS 6.8-i386 later.

Cheers!

-m

[1]: https://github.com/linux-audit/audit-userspace/blob/ac9384a884841ef66b4cae42884d9e63d0b6a438/auparse/typetab.h#L79-L80
[2]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L186
[3]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L62-L63
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
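Added example (not part of the message above, nor code from the audit-userspace project): a small parser that reads audit records of the kind quoted in the message and normalizes the res field whether it appears in its textual form (res=success / res=failed, nested inside msg='...' on the PAM records) or in the bare numeric form observed on the CONFIG_CHANGE record (res=1). The first three sample records are the ones from the message, re-joined onto one line each as auditd writes them; the USER_AUTH record with res=failed is constructed here to exercise the failure path. The mapping of "1"/"0" to success/failure, and the inclusion of "fail" alongside "failed", are assumptions made for this example.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample input. The USER_START, CONFIG_CHANGE and USER_END records
# are the ones quoted in the message, re-joined onto one line each (the e-mail
# wrapped them at 80 columns). The USER_AUTH record with res=failed is
# constructed for this example and is NOT from the original message.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1464013670.000:404): pid=3569 uid=1000 auid=1000 ses=7 msg='op=PAM:authentication acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
type=USER_START msg=audit(1464013671.525:405): pid=3569 uid=0 auid=1000 ses=7 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add rule" key=(null) list=4 res=1
type=USER_END msg=audit(1464013671.549:407): pid=3569 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
"""

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <key=value fields...>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value where value is "double-quoted", 'single-quoted' or a bare token.
FIELD_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_-]+)=(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<bare>\S+))"
)

# Assumed mapping: textual forms plus the numeric form seen on CONFIG_CHANGE.
# "fail" is included only because the message describes the field that way.
RES_VALUES = {"success": True, "failed": False, "fail": False, "1": True, "0": False}


def normalize_res(value: str) -> Optional[bool]:
    """Map a textual or numeric res value to True/False; None if unrecognised."""
    return RES_VALUES.get(value.strip().lower())


def parse_fields(text: str) -> Dict[str, Any]:
    """Parse key=value pairs; single-quoted values are parsed recursively."""
    fields: Dict[str, Any] = {}
    for m in FIELD_RE.finditer(text):
        key = m.group("key")
        if m.group("sq") is not None:
            # A single-quoted value (e.g. msg='...') carries nested fields.
            fields[key] = parse_fields(m.group("sq"))
        elif m.group("dq") is not None:
            fields[key] = m.group("dq")
        else:
            fields[key] = m.group("bare")
    return fields


def parse_record(line: str) -> Dict[str, Any]:
    """Parse one audit record into header values, fields and a normalized res."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an audit record: {line!r}")
    fields = parse_fields(m.group("rest"))
    # res sits at the top level on CONFIG_CHANGE and inside the nested
    # msg='...' on the PAM user records; look in both places.
    raw_res = fields.get("res")
    if raw_res is None and isinstance(fields.get("msg"), dict):
        raw_res = fields["msg"].get("res")
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
        "raw_res": raw_res,
        "success": normalize_res(raw_res) if raw_res is not None else None,
    }


def parse_log(text: str) -> List[Dict[str, Any]]:
    """Parse every non-empty line of an audit log."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def failed_serials(text: str) -> List[int]:
    """Serial numbers of records whose res, in either form, means failure."""
    return [r["serial"] for r in parse_log(text) if r["success"] is False]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(f'{rec["serial"]} {rec["type"]:14} res={rec["raw_res"]!r:10} -> {rec["success"]}')
```

Records whose res value is neither textual nor one of the two numeric values come back with success=None rather than being silently treated as a success, so a detection rule built on this can flag unknown encodings instead of missing them.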
