[PATCH] auparse.c events_are_equal() and event matching
Richard Guy Briggs
rgb at redhat.com
Wed Dec 10 02:54:38 UTC 2014
On 14/11/24, Guillaume Destuynder wrote:
> Hi,
Hi Guillaume,
> on our RHEL6 machines, with kernel 2.6.32, we noticed that sometimes an
> audit message comes in but libaudit does not see it as the same event.
>
> The milliseconds field of the timestamp differs (but the timestamp
> seconds and event serial are identical).
>
> The check to determine if 2 messages are part of the same event is done
> by events_are_equal() in auparse/auparse.c (audit userspace library).
>
> There is a comment that indicate that this is voluntary - however, I
> could not find why. I suspect this is for searches over long periods of
> time when the serial may roll over.
>
> In case this was simply overlooked I'm attaching a patch that fixes it
> for us. It keeps the timestamp check for the seconds, which works fine
> and would still work with serial rolling over.
>
> Again- its relatively rare in our logs that the timestamp's millisecond
> field differs and we log very heavily - so it's not that easy to reproduce.
Do you have a set (or three) of messages that fit this situation as a
sample? I'm looking through the kernel code to try and see how this is
possible. So far I am not convincing myself this is possible, but
perhaps I am missing a combination of messages that fits this scenario.
> Thanks!
Thanks!
> Guillaume
>
> Index: trunk/auparse/auparse.c
> ===================================================================
> --- trunk/auparse/auparse.c (revision 1063)
> +++ trunk/auparse/auparse.c (working copy)
> @@ -752,10 +752,10 @@
>
> static int inline events_are_equal(au_event_t *e1, au_event_t *e2)
> {
> - // Check time & serial first since its most likely way
> - // to spot 2 different events
> - if (!(e1->serial == e2->serial && e1->milli == e2->milli &&
> - e1->sec == e2->sec))
> + // Check serial and timestamp - but not milliseconds
> + // as, even if rare, these may not match for the same message due to
> + // kernel processing delays
> + if (!(e1->serial == e2->serial && e1->sec == e2->sec))
> return 0;
> // Hmm...same so far, check if both have a host, only a string
> // compare can tell if they are the same. Otherwise, if only one
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
More information about the Linux-audit
mailing list