Hello,

> On 19 Jul 2016, at 12:28, Mateusz Piotrowski <[email protected]> wrote:
> 
> type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add rule" key=(null) list=4 res=1
> 
> As you can see, there is a res field whose value is 1.
> 
> Is it because my auditd is outdated? Is there a missing res field which is 
> purely numeric (just like the fields called fp [3])?
> 
> As Steve said in previous emails, it is possible and it might be fixed 
> already. I’ll try to find out if I get similar logs with the latest auditd 
> (2.6.5) on CentOS 6.8-i386 later.

I confirm that it is possible to generate a type=CONFIG_CHANGE record with a 
res=1 field on CentOS 6.8 with auditd v2.6.5.

Cheers

-m

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
