Description of problem:
There are actually two problems with the DAEMON_CONFIG record but they're in the same code so I'm just filing one bug. The main problem is that there is no timestamp on this record. This problem exists at least up until 1.0.12. The minor problem is that ausearch can't find the record. This is fixed in 1.0.12 (perhaps earlier) but is broken in 1.0.4, so we need a fix to that version. Patches are included. The timestamp fix is awkward (replicates most of send_audit_event, even some that's not necessary because it won't ever be the first message, and there's a malloc failure case that's not really handled) but I'm providing it as a starting point that you will probably want to improve on. The ausearch fix to auditd is the same as is in 1.0.12.

Version-Release number of selected component (if applicable):
RHEL4U2 with audit 1.0.4+auditctl fix

How reproducible:
Reproduces every time

Steps to Reproduce:
1. start the auditd
2. run /etc/init.d/auditd reload
3. look in the audit.log and see that the record is there but no timestamp
4. run ausearch -m DAEMON_CONFIG and ausearch will find no match

Actual results:
type=DAEMON_CONFIG msg=config changed, auid=2063 pid=23485 res=success

Expected results:
type=DAEMON_CONFIG msg=audit(1133562160.429:649) config changed, auid=2063, pid=31214, res=success

Additional info:
Created attachment 121788 [details] prototype fix
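The following checker is an added example and is not part of this bug report, the attached patches, or the audit package. It parses audit.log records the way the report describes them (type=, then an audit(seconds.millis:serial) stamp, then key=value fields), flags any record that has no stamp, and only returns stamped records from a type search, which is the symptom reported for ausearch -m DAEMON_CONFIG (the checker does not reproduce ausearch's own code). The sample log is constructed: its first two records are the Actual and Expected results quoted above, and the SYSCALL record is written here as an ordinary stamped record for comparison.

```python
import re

# Sample audit.log contents, constructed for this example: the first two
# records are the "Actual results" and "Expected results" lines quoted in
# this bug report; the SYSCALL record is an ordinary stamped record written
# here so the checker has a non-DAEMON record to compare against.
SAMPLE_LOG = """\
type=DAEMON_CONFIG msg=config changed, auid=2063 pid=23485 res=success
type=DAEMON_CONFIG msg=audit(1133562160.429:649) config changed, auid=2063, pid=31214, res=success
type=SYSCALL msg=audit(1133562161.010:650): arch=40000003 syscall=5 success=yes exit=3 pid=31214 auid=2063
"""

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=(?P<rest>.*)$")
# A searchable record carries an audit(<seconds>.<millis>:<serial>) stamp
# immediately after "msg="; the stamp is what ties records to an event.
STAMP_RE = re.compile(r"^audit\((?P<stamp>\d+\.\d{3}):(?P<serial>\d+)\)")
# key=value fields; a value ends at whitespace or at the comma separator
# used in the DAEMON_CONFIG record.
FIELD_RE = re.compile(r"(\w+)=([^\s,]+)")


def parse_record(line):
    """Parse one audit record into type, stamp, serial and key=value fields.

    Returns None for lines that are not audit records.  A record without the
    audit(...) stamp is still returned, with stamp and serial set to None, so
    the caller can flag it.
    """
    m = RECORD_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = {"type": m.group("type"), "stamp": None, "serial": None, "fields": {}}
    rest = m.group("rest")
    s = STAMP_RE.match(rest)
    if s:
        rec["stamp"] = s.group("stamp")
        rec["serial"] = int(s.group("serial"))
        rest = rest[s.end():]
    for key, value in FIELD_RE.findall(rest):
        rec["fields"][key] = value
    return rec


def find_unstamped(log_text):
    """Return (line number, record type) for every record lacking a stamp."""
    missing = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_record(line)
        if rec is not None and rec["stamp"] is None:
            missing.append((lineno, rec["type"]))
    return missing


def records_of_type(log_text, wanted):
    """Return the stamped records of the given type, oldest first.

    Unstamped records are deliberately left out: without a stamp they cannot
    be placed in the event timeline.  This mirrors the symptom reported for
    ausearch -m DAEMON_CONFIG; it is this example's rule, not ausearch's code.
    """
    found = [
        rec
        for rec in map(parse_record, log_text.splitlines())
        if rec is not None and rec["type"] == wanted and rec["stamp"] is not None
    ]
    return sorted(found, key=lambda r: (float(r["stamp"]), r["serial"]))


if __name__ == "__main__":
    for lineno, rtype in find_unstamped(SAMPLE_LOG):
        print(f"line {lineno}: {rtype} record has no audit(time:serial) stamp")
    for rec in records_of_type(SAMPLE_LOG, "DAEMON_CONFIG"):
        print(f"{rec['type']} at {rec['stamp']} serial {rec['serial']}: {rec['fields']}")
```

Run against a real audit.log (replace SAMPLE_LOG with the file contents) on an affected auditd, the unstamped list shows exactly the DAEMON_CONFIG records that a stamp-keyed search would never return, which is a quick way to confirm whether the timestamp fix is present.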
I forgot to mention that the example in the Actual results is from 1.0.12. The 1.0.4 version has the auid and pid fields reversed (causes ausearch to not find the record) and no res= field, but Steve will recognize that.
Created attachment 121992 [details] reworked patch isolating the time stamp issue

This is the proposed patch to fix the time stamp issue.
Created attachment 121995 [details] patch isolating the switched parameters
This issue is on Red Hat Engineering's list of planned work items for the upcoming Red Hat Enterprise Linux 4.4 release. Engineering resources have been assigned and barring unforeseen circumstances, Red Hat intends to include this item in the 4.4 release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0379.html