[PATCH] Handle timestamp 0.0 in auparse, was Re: audit-viewer help needed

Steve Grubb sgrubb at redhat.com
Sat Oct 18 15:51:17 UTC 2008


On Monday 22 September 2008 20:57:59 Miloslav Trmač wrote:
> LC Bruzenak píše v Po 22. 09. 2008 v 19:38 -0500:
> > On Mon, 2008-09-22 at 23:30 +0000, Miloslav Trmač wrote:
> > > > node=hugo type=AVC msg=audit(0.000:6760): <SNIP> comm="lockd"
> > >
> > > I'm curious how this audit record could have been created (notable is
> > > that the previous record has a sequence ID 6758 and a reasonable
> > > timestamp).  Lenny, Steve, any ideas?
> >
> > I found a couple more:
> >
> > [root at hugo ~]# grep "(0.000:" /var/log/audit/audit.log*
> > <SNIP> type=AVC msg=audit(0.000:6760): <SNIP> comm="lockd"
> > <SNIP> type=AVC msg=audit(0.000:381): <SNIP> comm="nfsd4"
>
> I think I can see what's going on.  Those are kernel threads; when they
> are created, an audit context is created and zeroed.  The timestamp is
> set on system call entry in ordinary threads, but there is no system
> call entry in kernel threads, so the original zero timestamp is used in
> all audit records related to kernel threads.
>
> I'm not sure how to fix it, though.  Perhaps identify "operation start"
> points in kernel threads, and update the timestamps in their audit
> contexts at that time?

Eric, Al,

Any ideas how to fix this?

Thanks,
-Steve

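The 0.000-stamped kernel-thread records discussed in this thread, as an added example that is not part of the thread or of auparse/audit-viewer: a small Python parser that flags records whose `msg=audit(SECONDS.MILLIS:SERIAL)` header carries a zero timestamp and brackets their real emission time using the neighbouring serial numbers that do carry one. The sample records are constructed for the example.

```python
import re

# Constructed sample records, modelled on the grep output quoted in the thread
# (the 0.000 timestamp on the kernel-thread AVC record is the case of interest;
# all other field values are placeholders, not real audit data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1222100000.123:6758): arch=c000003e syscall=2 success=yes comm="sshd"
type=SYSCALL msg=audit(1222100000.456:6759): arch=c000003e syscall=2 success=yes comm="sshd"
type=AVC msg=audit(0.000:6760): avc:  denied  { read } for  pid=2345 comm="lockd"
type=SYSCALL msg=audit(1222100001.001:6761): arch=c000003e syscall=42 success=no comm="sshd"
"""

# Every audit record carries a msg=audit(SECONDS.MILLISECONDS:SERIAL) header.
AUDIT_MSG = re.compile(r"msg=audit\((\d+)\.(\d{3}):(\d+)\)")
COMM = re.compile(r'\bcomm="([^"]*)"')


def parse_record(line):
    """Return (timestamp_ms, serial, comm) for one record line, or None without a header."""
    m = AUDIT_MSG.search(line)
    if not m:
        return None
    secs, millis, serial = (int(g) for g in m.groups())
    c = COMM.search(line)
    # Integer milliseconds keep comparisons exact (no float rounding).
    return secs * 1000 + millis, serial, (c.group(1) if c else None)


def find_zero_timestamps(log_text):
    """Flag records stamped 0.000 and bracket each one in time.

    Serials are handed out in order, so the nearest lower and higher serials that
    carry a real timestamp bound (in ms since the epoch) when the zero-stamped
    record was actually emitted. A bound is None if no such neighbour exists.
    """
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    timed = sorted((serial, ts) for ts, serial, _ in records if ts != 0)
    flagged = []
    for ts, serial, comm in records:
        if ts != 0:
            continue
        before = [t for s, t in timed if s < serial]
        after = [t for s, t in timed if s > serial]
        flagged.append({"serial": serial, "comm": comm,
                        "lower_ms": before[-1] if before else None,
                        "upper_ms": after[0] if after else None})
    return flagged
```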