[PATCH] Handle timestamp 0.0 in auparse, was Re: audit-viewer help needed

LC Bruzenak lenny at magitekltd.com
Tue Sep 23 01:04:43 UTC 2008


On Tue, 2008-09-23 at 02:57 +0200, Miloslav Trmač wrote:
> LC Bruzenak píše v Po 22. 09. 2008 v 19:38 -0500:
> > On Mon, 2008-09-22 at 23:30 +0000, Miloslav Trmač wrote:
...
> 
> I think I can see what's going on.  Those are kernel threads; when they
> are created, an audit context is created and zeroed.  The timestamp is
> set on system call entry in ordinary threads, but there is no system
> call entry in kernel threads, so the original zero timestamp is used in
> all audit records related to kernel threads.
> 
> I'm not sure how to fix it, though.  Perhaps identify "operation start"
> points in kernel threads, and update the timestamps in their audit
> contexts at that time?
> 	Mirek
> 

OK; excellent summary!

The bad thing IMO is that ausearch doesn't show these records.
It just drops them (and exits with exit value = 1).

LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
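As an added example (not code from this thread or from the audit project), the following Python parser shows the defender-side alternative to what the reply describes ausearch doing: instead of dropping records whose `msg=audit(...)` header carries the zeroed kernel-thread timestamp `0.000`, it keeps them, flags them, and brackets them between neighbouring records. The log lines, record types and field values are constructed for illustration; the bracketing relies on the assumption, stated in the code, that audit serial numbers increase monotonically.

```python
"""Parse Linux audit log lines and keep records whose timestamp is 0.0
rather than dropping them.  Added example; the sample log is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Header of every audit record: type=TYPE msg=audit(SEC.MSEC:SERIAL): body
HEADER = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\('
    r'(?P<sec>\d+)\.(?P<msec>\d{1,3}):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs in the body; values may be double-quoted
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AuditRecord:
    rtype: str
    seconds: int
    millis: int
    serial: int
    fields: Dict[str, str]

    @property
    def zero_timestamp(self) -> bool:
        # Records emitted from a kernel thread's zeroed audit context
        # carry 0.000 here instead of the time of a syscall entry.
        return self.seconds == 0 and self.millis == 0

    @property
    def millis_since_epoch(self) -> int:
        return self.seconds * 1000 + self.millis


def parse_record(line: str) -> Optional[AuditRecord]:
    """Parse one audit line; return None for lines that are not audit records."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group('body'))}
    return AuditRecord(m.group('type'), int(m.group('sec')),
                       int(m.group('msec')), int(m.group('serial')), fields)


def split_records(lines: List[str]) -> Tuple[List[AuditRecord], List[AuditRecord]]:
    """Return (records with a real timestamp, records with timestamp 0.0).
    Neither list is discarded, unlike the ausearch behaviour described above."""
    timed, zero = [], []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        (zero if rec.zero_timestamp else timed).append(rec)
    return timed, zero


def bracket_time(rec: AuditRecord, timed: List[AuditRecord]) -> Tuple[Optional[int], Optional[int]]:
    """Best-effort placement of a zero-timestamp record on the timeline.
    Assumption (not stated in the thread): audit serial numbers are a
    monotonically increasing counter, so the record happened no earlier than
    the latest lower-serial timed record and no later than the earliest
    higher-serial one.  Returns (lower_bound_ms, upper_bound_ms); None means
    no bound is available on that side."""
    before = [r for r in timed if r.serial < rec.serial]
    after = [r for r in timed if r.serial > rec.serial]
    lo = max(before, key=lambda r: r.serial).millis_since_epoch if before else None
    hi = min(after, key=lambda r: r.serial).millis_since_epoch if after else None
    return lo, hi


# Constructed sample: two ordinary syscall events around one kernel-thread
# record that carries the zeroed timestamp.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1222128283.120:4567): arch=c000003e syscall=59 '
    'success=yes exit=0 pid=1234 comm="bash" exe="/bin/bash"',
    'type=PATH msg=audit(1222128283.120:4567): item=0 name="/usr/bin/id" mode=0100755',
    'type=AVC msg=audit(0.000:4568): avc:  denied  { read } for  pid=42 '
    'comm="kswapd0" tclass=file',
    'type=SYSCALL msg=audit(1222128284.005:4569): arch=c000003e syscall=2 '
    'success=no exit=-13 pid=1235 comm="cat"',
]

if __name__ == '__main__':
    timed, zero = split_records(SAMPLE_LOG)
    print(f'{len(timed)} timed records, {len(zero)} with timestamp 0.0 kept')
    for rec in zero:
        lo, hi = bracket_time(rec, timed)
        print(f'serial {rec.serial} ({rec.rtype}, comm={rec.fields.get("comm")}) '
              f'occurred between {lo} ms and {hi} ms')
```

Run it on a real `audit.log` by replacing `SAMPLE_LOG` with the file's lines; a record that `ausearch` would drop is reported with its serial, its type and a time window derived from the surrounding records instead of disappearing from the search result.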
