Audit record emission

Steve Grubb sgrubb at redhat.com
Thu May 5 20:02:09 UTC 2005


On Thursday 05 May 2005 15:42, Stephen Smalley wrote:
> For all other audit generation, it should all occur from audit_log_exit
> IIUC.

That's kind of what I'm counting on.

> However, audit_log_exit() presently uses several
> audit_log_start()...audit_log_end() sequences rather than a single one,
> which does split up the syscall audit record information.

I don't think this explains what we saw in the records. The records seemed 
like they had multiple parts, were intertwined, and separated by a long 
distance. Here is a sample:

type=KERNEL msg=audit(1114290222.457:10672815): syscall=83 arch=c000003e 
success=yes exit=0 a0=7fbffffb80 a1=1ff a2=402136 a3=0 items=1 pid=22754
loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="stress1_test"
exe=/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress1_test
type=KERNEL msg=audit(1114290222.582:10674541): item=0 name="stress2_dir" 
inode=3440760 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1114290222.581:10674530): item=0 name="stress2_dir"
type=KERNEL msg=audit(1114290222.579:10674506): syscall=90 arch=c000003e 
success=no exit=-2 a0=7fbffffc30 a1=0 a2=ffffffffffffffc0 a3=7 items=1
pid=22791 loginuid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 
sgid=500 fsgid=500 comm="stress2_test"
exe=/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress2_test
type=KERNEL msg=audit(1114290222.559:10673854): item=0 name="stress1_dir" 
inode=3441012 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1114290222.558:10673842): item=0 name="stress1_dir" 
inode=3441012 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1114290222.557:10673830): item=0 name="stress1_dir" 
inode=3441012 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1114290222.556:10673818): item=0 name="stress1_dir" 
inode=3441012 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1114290222.555:10673807): syscall=84 arch=c000003e 
success=yes exit=0 a0=7fbffffb80 a1=3a834c1d99 a2=3a834c1d99
a3=5f31737365727473 items=1 pid=22754 loginuid=500 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 comm="stress1_test"
exe=/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress1_test
type=KERNEL msg=audit(1114290222.543:10673805): item=0 name="stress1_dir" 
inode=3440760 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1114290222.542:10673795): item=0 name="stress1_dir" 
inode=3440760 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1114290222.541:10673794): item=0 name="stress1_dir" 
inode=3441012 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1114290222.541:10673783): syscall=84 arch=c000003e 
success=yes exit=0 a0=7fbffffb80 a1=3a834c1d99 a2=3a834c1d99
a3=5f31737365727473 items=1 pid=22754 loginuid=500 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 comm="stress1_test"
exe=/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress1_test

The second record has a serial of 10674541. Where's the rest of it? Kris has a 
stress test that generated these records. 

-Steve
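
An added example, not code from the thread or from the audit project: the check an analyst would run over a stream like the one above, grouping record parts by the serial in msg=audit(time:serial) and flagging serials whose parts do not add up to one whole syscall record (item parts with no syscall part, or a syscall part whose items= count is not matched by item= parts). The sample records are constructed in the format quoted above, with shortened field lists.

```python
import re
from collections import defaultdict

# Constructed sample in the quoted record format: one complete event (10672815),
# one orphan item part with no syscall part (10674541, as in the message), and
# one syscall part announcing items=1 whose item part never arrives (10674506).
SAMPLE = """\
type=KERNEL msg=audit(1114290222.457:10672815): syscall=83 arch=c000003e success=yes exit=0 items=1 pid=22754 loginuid=500 uid=0 comm="stress1_test"
type=KERNEL msg=audit(1114290222.582:10674541): item=0 name="stress2_dir" inode=3440760 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1114290222.457:10672815): item=0 name="stress1_dir" inode=3441012 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1114290222.579:10674506): syscall=90 arch=c000003e success=no exit=-2 items=1 pid=22791 loginuid=500 uid=500 comm="stress2_test"
"""

MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'k=v k2="v 2"' into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def group_by_serial(lines):
    """Collect record parts under their audit serial, in arrival order."""
    events = defaultdict(list)
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue  # not an audit record line
        _time, serial, rest = m.groups()
        events[int(serial)].append(parse_fields(rest))
    return events


def check_events(lines):
    """Return {serial: problem} for serials whose parts don't form a whole record."""
    problems = {}
    for serial, parts in group_by_serial(lines).items():
        syscalls = [p for p in parts if 'syscall' in p]
        items = [p for p in parts if 'item' in p]  # 'item', not 'items'
        if not syscalls:
            problems[serial] = 'item parts without a syscall part'
        elif len(syscalls) > 1:
            problems[serial] = 'multiple syscall parts'
        else:
            expected = int(syscalls[0].get('items', 0))
            if len(items) != expected:
                problems[serial] = f'expected {expected} item parts, saw {len(items)}'
    return problems


if __name__ == '__main__':
    for serial, problem in sorted(check_events(SAMPLE.splitlines()).items()):
        print(f'serial {serial}: {problem}')
```

Interleaving of parts across events is harmless to this check because grouping is by serial rather than by adjacency; only serials whose parts never complete are reported.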
