[PATCH] auparse.c events_are_equal() and event matching

Steve Grubb sgrubb at redhat.com
Tue Dec 2 13:44:21 UTC 2014


On Monday, December 01, 2014 09:51:47 PM Richard Guy Briggs wrote:
> On 14/12/01, Steve Grubb wrote:
> > On Monday, November 24, 2014 08:23:26 PM Guillaume Destuynder wrote:
> > > on our RHEL6 machines, with kernel 2.6.32, we noticed that sometimes an
> > > audit message comes in but libaudit does not see it as the same event.
> > > 
> > > The milliseconds field of the timestamp differs (but the timestamp
> > > seconds and event serial are identical).
> > 
> > This seems to be a bug in the kernel code. It's a fundamental principle
> > that all records that make up an event have the same time stamp and serial
> > number.
>
> Is it?  I don't know if there is any value in serializing the parts that
> make up one event.

Yes it is. This is a day 1 design decision. The serial number is to 
differentiate events within the same millisecond. It's not to be an identifier 
that alone is used for serialization. Without this ordering, we cannot glue 
all the parts of the event back together because the kernel _itself_ does not 
serialize events. Events can come out intermingled.

The original design:
https://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.5-rc1/2.6.5-rc1-mm2/broken-out/lightweight-auditing-framework.patch

excerpt:
 The timestamp of the
 record and this serial number are used by the user-space daemon to
 determine which pieces belong to the same audit record.  The
 (timestamp,serial) tuple is unique for each syscall and is live from
 syscall entry to syscall exit.


-Steve
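The (timestamp, serial) matching discussed above, as an added example that is not part of the original thread and is not auparse's own code: records are keyed on the SEC.MSEC:SERIAL tuple taken from the standard "msg=audit(SEC.MSEC:SERIAL):" header, and intermingled records are reassembled by matching each one against the events still open. The sample records are constructed, not real audit output, and events_are_equal_ignore_msec is a hypothetical relaxation included only to make the effect of the reported millisecond mismatch visible; the strict comparison is the one the design calls for.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OPEN_EVENTS 64

/* The (timestamp, serial) key that glues the records of one event together. */
struct au_event_id {
    unsigned long sec;     /* seconds since the epoch */
    unsigned int  milli;   /* milliseconds, 0..999 */
    unsigned long serial;  /* kernel serial; separates events within one millisecond */
};

/* Pull SEC.MSEC:SERIAL out of a header of the form "msg=audit(SEC.MSEC:SERIAL):".
 * Returns 0 on success, -1 if the header is absent or malformed (id is then
 * unspecified). */
int parse_event_id(const char *rec, struct au_event_id *id)
{
    const char *p = strstr(rec, "msg=audit(");
    unsigned long milli;
    char *end;
    if (!p)
        return -1;
    p += strlen("msg=audit(");
    id->sec = strtoul(p, &end, 10);
    if (end == p || *end != '.')
        return -1;
    p = end + 1;
    milli = strtoul(p, &end, 10);
    if (end == p || *end != ':' || milli > 999)
        return -1;
    id->milli = (unsigned int)milli;
    p = end + 1;
    id->serial = strtoul(p, &end, 10);
    return (end == p || *end != ')') ? -1 : 0;
}

/* The design the thread describes: seconds, milliseconds and serial must all agree. */
int events_are_equal_strict(const struct au_event_id *a, const struct au_event_id *b)
{
    return a->sec == b->sec && a->milli == b->milli && a->serial == b->serial;
}

/* Hypothetical tolerance for the reported anomaly: key on (seconds, serial) only.
 * Illustration, not a recommendation: it merges any two events that share a
 * serial within the same second, which the strict key would keep apart. */
int events_are_equal_ignore_msec(const struct au_event_id *a, const struct au_event_id *b)
{
    return a->sec == b->sec && a->serial == b->serial;
}

/* Reassemble a stream of possibly intermingled records into events: each record
 * joins an already open event whose key matches under eq, or opens a new one.
 * Returns the number of distinct events, or -1 if more than MAX_OPEN_EVENTS are
 * open at once. Lines without a parsable header are skipped. */
int count_events(const char *const *recs, size_t n,
                 int (*eq)(const struct au_event_id *, const struct au_event_id *))
{
    struct au_event_id open[MAX_OPEN_EVENTS];
    int nopen = 0;

    for (size_t i = 0; i < n; i++) {
        struct au_event_id id;
        int j, found = 0;
        if (parse_event_id(recs[i], &id) != 0)
            continue;
        for (j = 0; j < nopen && !found; j++)
            found = eq(&open[j], &id);
        if (!found) {
            if (nopen == MAX_OPEN_EVENTS)
                return -1;
            open[nopen++] = id;
        }
    }
    return nopen;
}

/* Constructed sample, not real audit output: the records of two events arrive
 * intermingled, and the PATH record of serial 4567 carries millisecond 124
 * instead of 123, reproducing the anomaly reported in the thread. */
static const char *const sample_records[] = {
    "type=SYSCALL msg=audit(1417526681.123:4567): arch=c000003e syscall=2 success=yes exit=3",
    "type=SYSCALL msg=audit(1417526681.123:4568): arch=c000003e syscall=3 success=yes exit=0",
    "type=CWD msg=audit(1417526681.123:4567):  cwd=\"/root\"",
    "type=PATH msg=audit(1417526681.124:4567): item=0 name=\"/etc/passwd\"",
    "type=CWD msg=audit(1417526681.123:4568):  cwd=\"/root\"",
    "type=EOE msg=audit(1417526681.123:4568): ",
};
static const size_t sample_count = sizeof(sample_records) / sizeof(sample_records[0]);

int main(void)
{
    printf("strict key (sec, msec, serial): %d events\n",
           count_events(sample_records, sample_count, events_are_equal_strict));
    printf("ignoring msec:                  %d events\n",
           count_events(sample_records, sample_count, events_are_equal_ignore_msec));
    return 0;
}
```

With the strict key the six sample records come out as three events, because the PATH record with the odd millisecond value can never be matched to the SYSCALL and CWD records of serial 4567; ignoring milliseconds collapses them to the two events that were actually generated, which is exactly the symptom and the trade-off the report above describes.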