Rotation of audit logs

Kris Wilson krisw at us.ibm.com
Wed May 18 23:24:01 UTC 2005






I just reran the stress test using audit 8-1 and the .40 kernel, and I have
a question about the continuation of records from one log file to another.

End of audit.log.1:

type=PATH msg=audit(1116457159.607:12637620): item=0 name="stress2_dir"
type=SYSCALL msg=audit(1116457159.607:12637620): syscall=90 arch=c000003e success=no exit=-2 a0=7fbffffb80 a1=0 a2=ffffffffffffffc0 a3=7 items=1 pid=24388 loginuid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="stress2_test" exe="/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress2_test"
type=PATH msg=audit(1116457159.607:12637634): item=0 name="stress2_dir" inode=5111949 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00

Start of audit.log.2:

type=PATH msg=audit(1116457158.064:12321219): item=0 name="stress1_dir" inode=5111949 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1116457158.064:12321219): syscall=83 arch=c000003e success=yes exit=0 a0=7fbffffbe0 a1=1ff a2=402136 a3=0 items=1 pid=24343 loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="stress1_test" exe="/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress1_test"
type=PATH msg=audit(1116457158.064:12321233): item=0 name="stress1_dir" inode=5111963 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00

Start of audit.log:

type=SYSCALL msg=audit(1116457159.607:12637634): syscall=84 arch=c000003e success=no exit=-2 a0=7fbffffb80 a1=2 a2=ffffffffffffffc0 a3=5f32737365727473 items=1 pid=24388 loginuid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="stress2_test" exe="/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress2_test"

I was expecting the SYSCALL line for (1116457159.607:12637634) at the start
of audit.log.2, but it is at the start of audit.log.  Can you explain the
rotation order to me?  Thanks!


Kris Wilson
Linux Security
(512) 838-0126 T/L:678-0126
krisw at us.ibm.com
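
An added example, not part of the original message: a small Python check that groups records by the event ID in `msg=audit(timestamp:serial)` and reports events whose records land in more than one log file, as with event 12637634 in the excerpts above. The function names and the abbreviated sample lines are constructed for illustration, and the ordering helper assumes a larger numeric suffix means an older file.

```python
import re
from collections import defaultdict

# Matches the event identifier in "msg=audit(<epoch>.<ms>:<serial>)".
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def split_events(files):
    """files: dict mapping log file name -> list of lines.
    Returns {(timestamp, serial): [file names]} for every event whose
    records appear in more than one file."""
    seen = defaultdict(list)
    for name, lines in files.items():
        for line in lines:
            m = EVENT_ID.search(line)
            if m is None:
                continue  # e.g. a wrapped continuation line with no event id
            key = (m.group(1), int(m.group(2)))
            if name not in seen[key]:
                seen[key].append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}

def oldest_first(names):
    """Order file names oldest to newest. Assumption: a larger numeric
    suffix is older and the unsuffixed file is the current one."""
    def age(name):
        suffix = name.rpartition(".")[2]
        return int(suffix) if suffix.isdigit() else 0
    return sorted(names, key=age, reverse=True)

# Constructed sample: records abbreviated from the excerpts in the message.
SAMPLE = {
    "audit.log.2": [
        'type=PATH msg=audit(1116457158.064:12321219): item=0 name="stress1_dir"',
        'type=SYSCALL msg=audit(1116457158.064:12321219): syscall=83 success=yes',
    ],
    "audit.log.1": [
        'type=SYSCALL msg=audit(1116457159.607:12637620): syscall=90 success=no',
        'type=PATH msg=audit(1116457159.607:12637634): item=0 name="stress2_dir"',
    ],
    "audit.log": [
        'type=SYSCALL msg=audit(1116457159.607:12637634): syscall=84 success=no',
    ],
}

if __name__ == "__main__":
    for (ts, serial), names in split_events(SAMPLE).items():
        print(f"event {ts}:{serial} spans {' -> '.join(oldest_first(names))}")
```

Any tool that reads one file at a time would see such an event as incomplete, so records should be joined on the event ID across all rotated files before analysis.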