[PATCH] auparse.c events_are_equal() and event matching

Richard Guy Briggs rgb at redhat.com
Wed Dec 10 02:54:38 UTC 2014


On 14/11/24, Guillaume Destuynder wrote:
> Hi,

Hi Guillaume,

> on our RHEL6 machines, with kernel 2.6.32, we noticed that sometimes an
> audit message comes in but libaudit does not see it as the same event.
> 
> The milliseconds field of the timestamp differs (but the timestamp
> seconds and event serial are identical).
> 
> The check to determine if 2 messages are part of the same event is done
> by events_are_equal() in auparse/auparse.c (audit userspace library).
> 
> There is a comment that indicates that this is voluntary; however, I
> could not find why. I suspect this is for searches over long periods of
> time when the serial may roll over.
> 
> In case this was simply overlooked I'm attaching a patch that fixes it
> for us. It keeps the timestamp check for the seconds, which works fine
> and would still work with serial rolling over.
> 
> Again, it's relatively rare in our logs that the timestamp's millisecond
> field differs and we log very heavily, so it's not that easy to reproduce.

Do you have a set (or three) of messages that fit this situation as a
sample?  I'm looking through the kernel code to try and see how this is
possible.  So far I am not convincing myself this is possible, but
perhaps I am missing a combination of messages that fits this scenario.

> Thanks!

Thanks!

> Guillaume
> 
> Index: trunk/auparse/auparse.c
> ===================================================================
> --- trunk/auparse/auparse.c   (revision 1063)
> +++ trunk/auparse/auparse.c   (working copy)
> @@ -752,10 +752,10 @@
> 
>  static int inline events_are_equal(au_event_t *e1, au_event_t *e2)
>  {
> -       // Check time & serial first since its most likely way
> -       // to spot 2 different events
> -       if (!(e1->serial == e2->serial && e1->milli == e2->milli &&
> -                                       e1->sec == e2->sec))
> +       // Check serial and timestamp - but not milliseconds
> +       // as, even if rare, these may not match for the same message due to
> +       // kernel processing delays
> +       if (!(e1->serial == e2->serial && e1->sec == e2->sec))
>                 return 0;
>         // Hmm...same so far, check if both have a host, only a string
>         // compare can tell if they are the same. Otherwise, if only one
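Review bot: the rewritten comment in events_are_equal() attributes the millisecond mismatch to "kernel processing delays", but if such a delay can change the milli field of one record in an event, it can equally carry that record across a second boundary (.999 of one second to .000 of the next), and the retained `e1->sec == e2->sec` test would then split the event for exactly the reason the patch is meant to tolerate. Either the comment should state that the fix covers only the intra-second case, or the match should rest on serial with sec used as a coarse guard (equal or adjacent) rather than an exact match. In either case a reproducing set of records belongs with the patch, since the cause stated in the comment has not been confirmed in this thread.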

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
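To make the grouping behaviour under discussion concrete, here is an added example in C that is not auparse code and not part of either message above. It parses the standard `msg=audit(SEC.MILLI:SERIAL)` record header, then runs a constructed record stream through both the original three-field test and the patch's two-field test and counts how many events each produces. The record texts are constructed for illustration; the field values in them are not from any real log.

```c
/* Added example (not auparse code): group raw audit records into events
 * using the two variants of the events_are_equal() test from the patch.
 * All record strings below are constructed for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned long sec;
    unsigned milli;
    unsigned long serial;
} au_event_key;

/* Parse "type=... msg=audit(SEC.MILLI:SERIAL): ..." into k.
 * Returns 1 on success, 0 if the header is absent or malformed. */
static int parse_audit_header(const char *rec, au_event_key *k)
{
    const char *p = strstr(rec, "msg=audit(");
    char *end;
    if (!p) return 0;
    p += strlen("msg=audit(");
    k->sec = strtoul(p, &end, 10);
    if (end == p || *end != '.') return 0;
    p = end + 1;
    k->milli = (unsigned)strtoul(p, &end, 10);
    if (end == p || *end != ':') return 0;
    p = end + 1;
    k->serial = strtoul(p, &end, 10);
    if (end == p || *end != ')') return 0;
    return 1;
}

/* Original test: serial, milli and sec must all match. */
static int events_equal_strict(const au_event_key *a, const au_event_key *b)
{
    return a->serial == b->serial && a->milli == b->milli && a->sec == b->sec;
}

/* Patched test: serial and sec only; milli is ignored. */
static int events_equal_patched(const au_event_key *a, const au_event_key *b)
{
    return a->serial == b->serial && a->sec == b->sec;
}

/* Walk a record stream in order and count how many events it splits into
 * when consecutive records are compared with eq(). Unparseable records
 * are skipped. */
static int count_events(const char *const *recs, int n,
                        int (*eq)(const au_event_key *, const au_event_key *))
{
    au_event_key cur = {0, 0, 0};
    int have = 0, events = 0;
    for (int i = 0; i < n; i++) {
        au_event_key k;
        if (!parse_audit_header(recs[i], &k)) continue;
        if (!have || !eq(&cur, &k)) {
            events++;
            cur = k;
            have = 1;
        }
    }
    return events;
}

/* Constructed sample: three records of one syscall event (serial 9001) in
 * which the CWD record's millisecond field differs from the other two,
 * followed by the first record of a second event (serial 9002). */
static const char *const sample[] = {
    "type=SYSCALL msg=audit(1417564478.123:9001): arch=c000003e syscall=2 success=yes exit=3",
    "type=CWD msg=audit(1417564478.124:9001):  cwd=\"/root\"",
    "type=PATH msg=audit(1417564478.123:9001): item=0 name=\"/etc/passwd\"",
    "type=SYSCALL msg=audit(1417564479.001:9002): arch=c000003e syscall=59 success=yes exit=0",
};
#define SAMPLE_N ((int)(sizeof sample / sizeof sample[0]))

/* Millisecond field of sample record i, or -1 if it does not parse. */
int sample_milli(int i)
{
    au_event_key k;
    if (i < 0 || i >= SAMPLE_N || !parse_audit_header(sample[i], &k)) return -1;
    return (int)k.milli;
}

int count_sample_strict(void)  { return count_events(sample, SAMPLE_N, events_equal_strict); }
int count_sample_patched(void) { return count_events(sample, SAMPLE_N, events_equal_patched); }

int main(void)
{
    printf("strict test:  %d events\n", count_sample_strict());
    printf("patched test: %d events\n", count_sample_patched());
    return 0;
}
```

With the strict test the single 9001 event fragments into three, because the CWD record breaks the run and the following PATH record no longer matches it either; the patched test keeps the three records together and reports two events. Note what the example does not cover: a CWD record stamped 1417564479.000:9001 would still be split off by the patched test, since the sec field is compared exactly, so the relaxed comparison only helps when the mismatch stays within one second.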