Log corruption

Steve Grubb sgrubb at redhat.com
Sun May 8 13:47:35 UTC 2005


Hello,

Still testing the new kernel. I've noticed that there is now log corruption 
since we added the netlink patches:

type=KERNEL msg=audit(1115556451.615:8458544): item=0 
name="/usr/libexec/dovecot/imap.#prelink#.QmQDxR" inode=1102979 dev=03:02 
mode=040755 uid=0 gid=0 rdev=00:00:00d=0 gid=0 rde

What's the gid in there twice for?

type=KERNEL msg=audit(1115556451.620:0): auid 4325 removed an audit rule 
ccess=yes exit=5

"rule" was supposed to be the end of the sentence.

type=USER msg=audit(1115557262.120:0): user pid=9262 uid=0 length=100 
loginuid=4294967295 msg='PAM accounting: user=root exe=/usr/sbin/crond 
(hostname=?, addr=?, terminal=cron result=Success)' sgid=0 fsgid=0
type=LOGIN msg=audit(1115557262.249:0): login pid=9262 uid=0 old 
loginuid=4294967295 new loginuid=00 a1=80c2 a2=180

Why does the above have a1 & a2?

type=USER msg=audit(1115557262.453:0): user pid=9262 uid=0 length=100 
loginuid=0 msg='PAM session open: user=root exe=/usr/sbin/crond (hostname=?, 
addr=?, terminal=cron result=Success)'ccess)' sgid=0 f

Ended with an "f".

type=USER msg=audit(1115557262.784:0): user pid=9262 uid=0 length=100 
loginuid=0 msg='PAM session close: user=root exe=/usr/sbin/crond (hostname=?, 
addr=?, terminal=cron result=Success)'gid=0 sgid=0 fsg

"cron" should have been the end of the message.

Also, should audit_expand take a parameter to suggest how big to grow? For 
example, the buffer is initialized to 1024, but it needs to put a PATH_MAX-sized 
filename into a message. In audit_vformat, it does one if statement and then one 
increment. So now the buffer is 2048. That's still too small for a 4096-byte 
filename. Either the call to expand should be in a while loop, or it should 
take a hint.

-Steve
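An added user-space illustration of the growth problem described in the last paragraph of the message above. This is not Steve's code and not the kernel's audit_expand()/audit_vformat(); the type ab_t and the functions ab_init, ab_expand, ab_vformat_once, ab_vformat_loop, ab_vformat_hint, ab_format and demo are invented for this example, and the 1024-byte initial size and 4096-byte filename are the figures from the post. Strategy 0 grows the buffer exactly once (the behaviour complained about) and truncates; strategy 1 calls expand in a loop; strategy 2 passes expand a size hint computed with vsnprintf(NULL, 0, ...).

```c
/* Added example, not code from the post or the kernel. Build: cc -std=c99 -Wall ab.c */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AB_INITIAL    1024   /* initial buffer size, as in the post */
#define FAKE_PATH_MAX 4096   /* length of the filename that must fit (assumed) */

typedef struct { char *buf; size_t cap, len; } ab_t;

static int ab_init(ab_t *ab) {
    ab->buf = malloc(AB_INITIAL);
    if (!ab->buf) return -1;
    ab->cap = AB_INITIAL; ab->len = 0; ab->buf[0] = '\0';
    return 0;
}

/* Double the buffer; if a hint `want` is given, keep doubling until it fits.
 * Called with want == 0 this is a single "increment", as the post describes. */
static int ab_expand(ab_t *ab, size_t want) {
    size_t ncap = ab->cap * 2;
    while (ncap < want) ncap *= 2;
    char *nb = realloc(ab->buf, ncap);
    if (!nb) return -1;
    ab->buf = nb; ab->cap = ncap;
    return 0;
}

/* Strategy 0: one check, one doubling, one retry. 1024 -> 2048 is still too
 * small for a 4096-byte name, so the record is silently cut short.
 * Returns 0 on success, 1 if truncated, -1 on allocation failure. */
static int ab_vformat_once(ab_t *ab, const char *fmt, va_list ap) {
    va_list ap2;
    va_copy(ap2, ap);
    size_t avail = ab->cap - ab->len;
    int n = vsnprintf(ab->buf + ab->len, avail, fmt, ap2);  /* C99: full length needed */
    va_end(ap2);
    if (n < 0) return -1;
    if ((size_t)n >= avail) {                 /* did not fit: grow once, retry once */
        if (ab_expand(ab, 0) < 0) return -1;
        avail = ab->cap - ab->len;
        n = vsnprintf(ab->buf + ab->len, avail, fmt, ap);
        if (n < 0) return -1;
        if ((size_t)n >= avail) { ab->len = ab->cap - 1; return 1; }  /* truncated */
    }
    ab->len += (size_t)n;
    return 0;
}

/* Strategy 1: put the expand call in a loop and retry until the text fits. */
static int ab_vformat_loop(ab_t *ab, const char *fmt, va_list ap) {
    for (;;) {
        va_list ap2;
        va_copy(ap2, ap);
        size_t avail = ab->cap - ab->len;
        int n = vsnprintf(ab->buf + ab->len, avail, fmt, ap2);
        va_end(ap2);
        if (n < 0) return -1;
        if ((size_t)n < avail) { ab->len += (size_t)n; return 0; }
        if (ab_expand(ab, 0) < 0) return -1;  /* one doubling per iteration */
    }
}

/* Strategy 2: measure first, then hand expand the exact size it must reach. */
static int ab_vformat_hint(ab_t *ab, const char *fmt, va_list ap) {
    va_list ap2;
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap2);     /* bytes needed, excluding the NUL */
    va_end(ap2);
    if (n < 0) return -1;
    size_t need = ab->len + (size_t)n + 1;
    if (need > ab->cap && ab_expand(ab, need) < 0) return -1;
    n = vsnprintf(ab->buf + ab->len, ab->cap - ab->len, fmt, ap);
    if (n < 0) return -1;
    ab->len += (size_t)n;
    return 0;
}

static int ab_format(ab_t *ab, int strategy, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int rc = strategy == 0 ? ab_vformat_once(ab, fmt, ap)
           : strategy == 1 ? ab_vformat_loop(ab, fmt, ap)
           :                 ab_vformat_hint(ab, fmt, ap);
    va_end(ap);
    return rc;
}

/* Format a PATH_MAX-sized name (constructed input) with the given strategy.
 * Returns the record length on success, or -1 if it was truncated or OOM. */
long demo(int strategy) {
    char name[FAKE_PATH_MAX + 1];
    memset(name, 'a', FAKE_PATH_MAX);
    name[FAKE_PATH_MAX] = '\0';
    ab_t ab;
    if (ab_init(&ab) < 0) return -1;
    int rc = ab_format(&ab, strategy, "name=\"%s\"", name);
    long out = (rc == 0) ? (long)ab.len : -1;
    free(ab.buf);
    return out;
}

int main(void) {
    printf("grow once: %ld\nloop: %ld\nhint: %ld\n", demo(0), demo(1), demo(2));
    return 0;
}
```

Only strategy 0 loses data: "name=\"" plus 4096 bytes plus the closing quote is 4103 bytes, which the loop and hint variants both land in an 8192-byte buffer, while the single doubling stops at 2048 and truncates. The hint variant also avoids the repeated formatting attempts of the loop, which matters when the format call itself is expensive.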




More information about the Linux-audit mailing list