ausearch discrepancies?

LC Bruzenak lenny at magitekltd.com
Fri Jun 5 00:37:17 UTC 2009


F10, audit-1.7.12

[root at slim ~]# ausearch -i -ts yesterday -te yesterday | grep "node=" | tail
...

node=slim type=PATH msg=audit(06/03/2009 19:11:29.348:2884) : item=0
name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00
mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
obj=system_u:object_r:mozilla_home_t:s0 
node=slim type=CWD msg=audit(06/03/2009 19:11:29.348:2884) :
cwd=/home/lcb 
node=slim type=SYSCALL msg=audit(06/03/2009 19:11:29.348:2884) :
arch=x86_64 syscall=unlink success=yes exit=0 a0=2bb999c a1=2bb999c a2=0
a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb
euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1
comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox
subj=user_u:user_r:user_t:s0 key=delete 

The results end with the above record.

Then:
[root at slim ~]# ausearch -i -ts yesterday  | grep "node=" | less
...
node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0
name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00
mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
obj=system_u:object_r:mozilla_home_t:s0 
node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) :
cwd=/home/lcb 
node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) :
arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=36763bc a2=0
a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb
euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1
comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox
subj=user_u:user_r:user_t:s0 key=delete 
node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) :
arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acbb60 a1=5
a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset uid=ntp gid=ntp
euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none)
ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd
subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-change 
node=slim type=USER_ACCT msg=audit(06/04/2009 00:01:01.716:3013) : user
pid=14269 uid=root auid=unset ses=4294967295
subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:accounting
acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron
res=success)' 

This shows plenty of events after the 19:11 event shown.
Any ideas?

# date
Thu Jun  4 19:29:10 CDT 2009

Reading the manpage is a little confusing on the -ts and -te meanings.
I'm not sure I agree with the way it is stated; regardless, the behavior
above appears wrong ... but this appears to work correctly:

ausearch -ts 06/03/2009 00:00:00 -te 06/03/2009 23:59:59 -i | grep "node=" | tail
...
node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0
name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00
mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
obj=system_u:object_r:mozilla_home_t:s0 
node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) :
cwd=/home/lcb 
node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) :
arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=36763bc a2=0
a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb
euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1
comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox
subj=user_u:user_r:user_t:s0 key=delete 
node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) :
arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acbb60 a1=5
a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset uid=ntp gid=ntp
euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none)
ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd
subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-change 



Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
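A quick way to check a claim like the one in this post, namely whether every event that `ausearch -i` returned actually falls inside the requested -ts/-te window, is to parse the `msg=audit(MM/DD/YYYY HH:MM:SS.mmm:serial)` stamps from the output and flag any serial outside the range. This is an added example, not code from the poster or from the audit project; it assumes the interpreted timestamp layout shown above, and the sample records are copied from the second run in the post.

```python
import re
from datetime import datetime

# ausearch -i prints each record's stamp as msg=audit(MM/DD/YYYY HH:MM:SS.mmm:serial),
# as in the post above; the regex assumes that exact layout (locale may change it).
AUDIT_TS = re.compile(
    r"msg=audit\((\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.(\d{3}):(\d+)\)"
)
TS_FORMAT = "%m/%d/%Y %H:%M:%S"

# Constructed sample: records taken from the post's second ausearch run; the
# USER_ACCT event (serial 3013) lies on the following day.
SAMPLE_LINES = [
    "node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) : syscall=unlink key=delete",
    "node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0 name=/home/lcb/.mozilla/",
    "node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) : syscall=adjtimex key=time-change",
    "node=slim type=USER_ACCT msg=audit(06/04/2009 00:01:01.716:3013) : pid=14269 uid=root acct=root",
]


def parse_record_time(line):
    """Return (datetime, serial) for a line carrying an audit stamp, else None."""
    m = AUDIT_TS.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), TS_FORMAT)
    ts = ts.replace(microsecond=int(m.group(2)) * 1000)
    return ts, int(m.group(3))


def audit_window_report(lines, start, end):
    """Check that every event in interpreted ausearch output lies within
    [start, end], both given as 'MM/DD/YYYY HH:MM:SS' like -ts/-te arguments.
    Events are keyed by serial so SYSCALL+CWD+PATH records count once."""
    lo = datetime.strptime(start, TS_FORMAT)
    # Treat the end second inclusively, as a -te argument without millis would.
    hi = datetime.strptime(end, TS_FORMAT).replace(microsecond=999999)
    events = {}
    for line in lines:
        parsed = parse_record_time(line)
        if parsed:
            ts, serial = parsed
            events.setdefault(serial, ts)
    outside = sorted(s for s, t in events.items() if not lo <= t <= hi)
    return {
        "events": len(events),
        "first": min(events.values()) if events else None,
        "last": max(events.values()) if events else None,
        "outside": outside,
    }


def demo():
    """Run the check over the sample with the window the post's last command uses."""
    return audit_window_report(SAMPLE_LINES, "06/03/2009 00:00:00", "06/03/2009 23:59:59")
```

Pipe real output in with `ausearch -i ... | python3 check.py` by replacing SAMPLE_LINES with `sys.stdin`; a non-empty "outside" list is the discrepancy the post describes.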
