ausearch question

Burn Alting burn at swtf.dyndns.org
Mon Apr 7 15:53:39 UTC 2014


On Mon, 2014-04-07 at 09:59 -0400, Steve Grubb wrote:
> On Monday, April 07, 2014 04:29:34 PM Burn Alting wrote:
> > All,
> > 
> > I note when interpreting raw audit with the ausearch --interpret option,
> > the code in src/ausearch-report.c:output_interpreted_node(), when
> > parsing key value pairs which are not enclosed in double or single
> > quotes, looks for embedded commas in the value part and, if found,
> > effectively terminates the value at the comma. This, in effect, makes the
> > data after the comma the start of the next key (if any). There are some
> > exceptions in the code (audit_type == AUDIT_VIRT_MACHINE_ID,
> > AUDIT_OBJ_PID, AUDIT_PATH and AUDIT_IPC).
> 
> I presume we are talking about this area of code:
> https://fedorahosted.org/audit/browser/trunk/src/ausearch-report.c#L276

Yep.

> 
> > What sort of input is this addressing?
> 
> The audit system has migrated its events slowly over time. The current code 
> base can read/search/report/interpret audit events all the way back to about 
> the 2004 time frame. So, sometimes you find things that are left over from long 
> ago. But you might need this legacy support if the tools are on an aggregating 
> server.

Understood.

> 
> 
> > Are there examples?
> 
> type=USER_ACCT msg=audit(1223987805.696:8): user pid=4885 uid=0 
> auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: 
> accounting acct="sgrubb" : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, 
> terminal=:0 res=success)'
> 
> Up until around 2010, all user space originating events had commas between the 
> last 4 fields, which also included being inside parentheses. This was later 
> decided to be a waste of bytes and slowed down parsing to handle the comma for 
> matching/translating purposes. Current events do not have this.

Which is exactly the information I was after.
> 
> If you see any current events that are mishandled by this legacy code, let me 
> know and I'll see how we can fix it.

A very, very quick glance through the current kernel and Linux-PAM code
showed, happily, nothing containing the offending format.

> 
> -Steve
> 

Thanks.

Burn
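The splitting rule discussed in this exchange, as an added example that is not part of the original message or of the audit project's own code: a small tokenizer that mirrors the behaviour described for `output_interpreted_node()` (unquoted values end at whitespace or at a comma, the parenthesised legacy tail is tolerated) so the pre-2010 and the current event layouts can be compared side by side. The function names are my own, `LEGACY_RECORD` is the 2008-era event quoted above, and `CURRENT_RECORD` is a constructed reconstruction of the comma-free layout, not a captured event.

```python
# Added example, not ausearch's own code: tokenizer modelled on the comma
# handling described in this thread for src/ausearch-report.c. Function
# names and the CURRENT_RECORD sample are my own constructions.


def parse_audit_fields(record):
    """Return the (key, value) pairs of one audit record, in order.

    - Values in single or double quotes run to the matching quote and may
      contain spaces, commas and parentheses.
    - Unquoted values stop at whitespace OR at a comma, so whatever follows
      the comma is taken as the start of the next key (the rule the thread
      is about).
    - '(' and ')' are treated as separators, which is what lets the
      pre-2010 "(hostname=?, addr=?, terminal=:0 res=success)" tail parse.
    - Bare words with no '=' (e.g. the "user" in "user pid=") are kept with
      an empty value so nothing is silently dropped.
    """
    pairs = []
    i, n = 0, len(record)
    while i < n:
        while i < n and record[i] in " \t,()":    # field separators
            i += 1
        if i >= n:
            break
        start = i
        while i < n and record[i] not in "= \t,()":
            i += 1
        key = record[start:i]
        if i >= n or record[i] != "=":            # bare token, no value
            pairs.append((key, ""))
            continue
        i += 1                                     # skip '='
        if i < n and record[i] in "'\"":           # quoted value
            quote = record[i]
            i += 1
            start = i
            while i < n and record[i] != quote:
                i += 1
            value = record[start:i]
            i += 1                                 # skip closing quote
        else:                                      # unquoted: ends at space or comma
            start = i
            while i < n and record[i] not in " \t,":
                i += 1
            value = record[start:i].rstrip(")")    # drop ')' closing a legacy group
        pairs.append((key, value))
    return pairs


def nested_fields(record):
    """Flatten a record: outer fields plus the fields inside a quoted msg='...'.

    The first 'msg' is the audit(...) timestamp header and is left alone; any
    later quoted 'msg' is the user-space payload and is parsed with the same
    rules and merged in. Bare tokens are omitted from the result.
    """
    outer = parse_audit_fields(record)
    merged = {k: v for k, v in outer if v}
    payloads = [v for k, v in outer if k == "msg" and not v.startswith("audit(")]
    for payload in payloads:
        merged.update({k: v for k, v in parse_audit_fields(payload) if v})
    return merged


# Sample records. LEGACY_RECORD is the event quoted in the thread (pre-2010
# layout with commas and parentheses); CURRENT_RECORD is a constructed example
# of the later comma-free layout, not a captured event.
LEGACY_RECORD = (
    "type=USER_ACCT msg=audit(1223987805.696:8): user pid=4885 uid=0 "
    "auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 "
    "msg='PAM: accounting acct=\"sgrubb\" : exe=\"/usr/sbin/gdm-binary\" "
    "(hostname=?, addr=?, terminal=:0 res=success)'"
)
CURRENT_RECORD = (
    "type=USER_ACCT msg=audit(1396885800.123:42): pid=4885 uid=0 "
    "auid=4294967295 ses=1 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 "
    "msg='op=PAM:accounting grantors=pam_unix acct=\"sgrubb\" "
    "exe=\"/usr/sbin/gdm-binary\" hostname=? addr=? terminal=:0 res=success'"
)


if __name__ == "__main__":
    for name, rec in (("legacy", LEGACY_RECORD), ("current", CURRENT_RECORD)):
        print(name, nested_fields(rec))
    # The comma rule is the trap to watch for: an unquoted value that
    # contains a comma is cut there and the remainder becomes a bare key.
    print(parse_audit_fields("comm=a,b pid=1"))
```

Both layouts yield the same `hostname`, `addr`, `terminal` and `res` fields, which is why the legacy branch is harmless for current events. The last call shows the failure mode the thread worries about: a constructed unquoted value `a,b` is truncated at the comma and `b` surfaces as a keyless token, so any producer that emits a comma inside an unquoted value would be misread by this rule.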