should I lose audit data if I only care about the record's fields?

Steve Grubb sgrubb at redhat.com
Wed Nov 14 15:37:07 UTC 2007


On Tuesday 13 November 2007 18:30:45 Klaus Heinrich Kiwi wrote:
> Example record:
> type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759
> uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023
> msg='op=adding user to shadow group acct=klausk
> exe="/usr/sbin/usermod" (hostname=?, addr=?, terminal=pts/1
> res=success)'
>
> using walk_test() from the test routine (python):
> ---
>         op=adding (adding)
> ---
> 'op=adding' - adding what? no information about what's going on here.

This is an audit record that should probably be fixed in the application's 
source code.

> _side note_: just noticed that the original record is telling 'adding
> user to shadow group' when in fact I was adding the user to the 'nobody'
> group, plus others, with 'usermod -G' - I'll check that again later.

Yeah, might be a bug. shadow-utils is horrible for auditing since it has so 
many exit points that need to be audited. In my opinion, all the apps in it 
need restructuring for the logging/auditing.

> Another example is the LOGIN record:
> original record:
> type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 old
> auid=4294967295 new auid=0
>
> ---walk_test()----
> event 1 has 1 records
>     record 1 of type 1006(LOGIN) has 5 fields
>     line=1 file=None
>     event time: 1193547601.367:36782, host=None
>         type=LOGIN (LOGIN)
>         pid=11698 (11698)
>         uid=0 (root)
>         auid=4294967295 (unset)
>         auid=0 (root)
> ---
> two auid fields? which is old and which is new? ok maybe not the
> brightest example but IMO still valid.

Yep, that is implicit in the ordering. 

> Maybe auparse is aimed to just help us when we need to extract data, but
> it is well-settled that someone will need the whole record to actually
> know what's going on - please tell me if that is the case.

You can access the whole record with auparse_get_record_text().


> Thoughts?

There is also a section of code that is not written. There are plans to access 
the "in-between" data as an ancillary field. I believe there are FIXME's in 
the code where this should be. Unfortunately, I can't get to it for a little 
while.

-Steve
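Added illustration, not code from this thread or from auparse itself: a small stand-alone Python parser for the two records quoted above that keeps the words sitting between fields ("old"/"new", "user to shadow group") as a prefix on the field that follows, which is roughly the ancillary data that the FIXMEs are meant to expose. The record strings are copied from the quoted message; the uid interpretation (0 as root, 4294967295 as unset) is a hard-coded assumption standing in for auparse's interpretation, not a passwd lookup.

```python
import re
from collections import namedtuple

Field = namedtuple("Field", "prefix key raw value")   # prefix = free text before the key
Record = namedtuple("Record", "type time serial fields")

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|[^\s,)]+)''')
UNSET_UID = 4294967295  # (uid_t)-1, shown by auparse as "unset"

# Records copied from the thread above, joined onto one line each
LOGIN_RECORD = ("type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 "
                "uid=0 old auid=4294967295 new auid=0")
CHAUTHTOK_RECORD = ("type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user "
                    "pid=30759 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 "
                    "msg='op=adding user to shadow group acct=klausk "
                    "exe=\"/usr/sbin/usermod\" (hostname=?, addr=?, terminal=pts/1 res=success)'")

def interpret(key, raw):
    """Assumed stand-in for auparse's interpreted value: only uid-like fields."""
    if key in ("uid", "auid", "euid", "suid", "fsuid") and raw.isdigit():
        uid = int(raw)
        return "unset" if uid == UNSET_UID else ("root" if uid == 0 else raw)
    return raw

def parse_fields(body):
    """Ordered key=value fields; free text before each key is kept as its prefix."""
    fields, pos = [], 0
    for m in FIELD_RE.finditer(body):
        prefix = body[pos:m.start()].strip(" (),:")
        key, token = m.group(1), m.group(2)
        raw = token.strip("\"'")
        fields.append(Field(prefix, key, raw, interpret(key, raw)))
        if key == "msg" and token.startswith("'"):   # USER_* records nest a msg='...'
            fields.extend(parse_fields(raw))
        pos = m.end()
    return fields

def parse_record(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, time, serial, body = m.groups()
    return Record(rtype, time, serial, parse_fields(body))

def walk(record):
    """Render like walk_test(), but with the in-between words restored."""
    lines = ["type=%s time=%s:%s" % (record.type, record.time, record.serial)]
    for f in record.fields:
        label = ("%s %s" % (f.prefix, f.key)).strip()
        lines.append("    %s=%s (%s)" % (label, f.raw, f.value))
    return lines
```

Running `walk(parse_record(LOGIN_RECORD))` yields "old auid=4294967295 (unset)" and "new auid=0 (root)" as separate lines, so the two auid fields no longer depend only on their ordering to be told apart.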
