Proposed additions to ausearch

Burn Alting burn at swtf.dyndns.org
Sat May 11 23:30:48 UTC 2013 

Hmmm ... lets try that again with the correct and working patch.

Apologies
Burn

On Sun, 2013-05-12 at 09:14 +1000, Burn Alting wrote:
> And the trivial patch to fix is attached.
> 
> Also in the patch is a minor fix to display the clone flag value of 0 as
> 0x0 for consistency.
> 
> On Sat, 2013-05-11 at 10:42 +1000, Burn Alting wrote:
> > Steve,
> > 
> > Before I send my patches out, I noticed in some testing of the svn code,
> > that some interpretation of the a2 and a3 keys has resulted in null
> > output if the raw data was 0. For example
> > raw:
> >         node=swtf5.swtf.dyndns.org type=SYSCALL
> >         msg=audit(1367146452.398:27817): arch=c000003e syscall=45
> >         success=no exit=-11 a0=6 a1=2546a04 a2=1000 a3=0 items=0
> >         ppid=798 pid=1227 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42
> >         egid=42 sgid=42 fsgid=42 ses=1 tty=(none) comm="gnome-shell"
> >         exe=2F7573722F62696E2F676E6F6D652D7368656C6C202864656C6574656429
> >         subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key="all"
> > 2.3 output
> >         < node=swtf5.swtf.dyndns.org type=SYSCALL msg=audit(04/28/2013
> >         20:54:12.398:27817) : arch=x86_64 syscall=recvfrom success=no
> >         exit=-11(Resource temporarily unavailable) a0=0x6 a1=0x2546a04
> >         a2=0x1000 a3=0x0 items=0 ppid=798 pid=1227 auid=gdm uid=gdm
> >         gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm
> >         ses=1 tty=(none) comm=gnome-shell exe=/usr/bin/gnome-shell
> >         (deleted) subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=all 
> >         ---
> > svn
> >         > node=swtf5.swtf.dyndns.org type=SYSCALL msg=audit(04/28/2013
> >         20:54:12.398:27817) : arch=x86_64 syscall=recvfrom success=no
> >         exit=-11(Resource temporarily unavailable) a0=0x6 a1=0x2546a04
> >         a2=0x1000 a3= items=0 ppid=798 pid=1227 auid=gdm uid=gdm gid=gdm
> >         euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm ses=1
> >         tty=(none) comm=gnome-shell exe=/usr/bin/gnome-shell (deleted)
> >         subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=all 
> > 
> > This appears to occur for recvfrom, sendmsg, sendto. I've yet to look
> > for other syscalls that it effects.
> > 
> > Rgds
> > 
> > On Tue, 2013-05-07 at 19:29 +1000, Burn Alting wrote:
> > > Thanks Steve,
> > > 
> > > I will check it out and re-fit patches over the next few days and submit
> > > individual patches for review.
> > > 
> > > Rgds
> > > 
> > > Burn
> > > 
> > > 
> > > On Mon, 2013-05-06 at 18:04 -0400, Steve Grubb wrote:
> > > > On Monday, May 06, 2013 09:53:40 AM Steve Grubb wrote:
> > > > > >         - a new option will print out more parser friendly output for
> > > > > >         interpreted mode
> > > > > 
> > > > > I am in the midst of coalescing the interpreters into one. I know this
> > > > > sounds  crazy, but ausearch and auparse both had independent copies of
> > > > > nearly the same material. The problem was they both keep data formatted
> > > > > completely different and that made combining them a challenge. I think
> > > > > auparse has a faster lookup algorithm but it allocates memory for the
> > > > > translation. So, I hope they cancel each other out.
> > > > > 
> > > > > My point in mentioning this is that I am probably in the middle of changing 
> > > > > code you hooked into. The work is checked in but still in progress. The
> > > > > first step was to create a common API for 3 functions used in translating
> > > > > fields. (This is checked in.) The next step is to link ausearch against
> > > > > auparse with the ausearch functions commented out. The final step is to
> > > > > remove all the unneeded code from ausearch. (I should be doing this today.)
> > > > 
> > > > All changes are checked into svn for this interpreter switch over. So far my 
> > > > testing shows that although ausearch malloc/frees about 6 times as much as it 
> > > > used to, the lookup algorithms in auparse are superior and we actually have 
> > > > about a 20% speed improvement in the outputting of interpreted results. 
> > > > Searching is not any faster. 
> > > > 
> > > > At this point, the code should be stable in this area if you want to retest 
> > > > and start sending patches.
> > > > 
> > > > Thanks,
> > > > -Steve
> > > 
> > > 
> > > --
> > > Linux-audit mailing list
> > > Linux-audit at redhat.com
> > > https://www.redhat.com/mailman/listinfo/linux-audit
> > 
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: auparse_interpret_fix1_correct.patch
Type: text/x-patch
Size: 601 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20130512/4488fd05/attachment.bin>

More information about the Linux-audit mailing list