[PATCH] auparse.c events_are_equal() and event matching
Richard Guy Briggs
rgb at redhat.com
Tue Dec 2 02:51:47 UTC 2014
On 14/12/01, Steve Grubb wrote:
> On Monday, November 24, 2014 08:23:26 PM Guillaume Destuynder wrote:
> > on our RHEL6 machines, with kernel 2.6.32, we noticed that sometimes an
> > audit message comes in but libaudit does not see it as the same event.
> >
> > The milliseconds field of the timestamp differs (but the timestamp
> > seconds and event serial are identical).
>
> This seems to be a bug in the kernel code. Its a fundamental principle that
> all records that make up an event have the same time stamp and serial number.
Is it? I don't know if there is any value in serializing the parts that
make up one event.
> My guess (not having looked at the code) is that its calling a convenience
> function that looks up the time anew for each record rather than reading it
> once and reusing it as it outputs each record of the event.
They are acquired in two different places...
> The code in audit_log_exit is probably the only place where it really matters
> because it can generate multiple records composing 1 event. We might need a
> audit_log_start_time() function that takes the timestamp as a parameter. The
> old audit_log_start can grab a new timestamp and call the new function with
> the timestamp.
For non-syscall timestamps, it is fine since they are both acquired at
the same time (and it doesn't matter since there is only one message).
For syscalls, the timestamp comes from __audit_syscall_entry(), while
the serial number is later assigned in auditsc_get_stamp().
> I think we should fix the source of the problem. This is a really good finding.
> I didn't realize this was happening.
Agreed. I'm looking at it.
> Thanks,
> -Steve
>
> > The check to determine if 2 messages are part of the same event is done
> > by events_are_equal() in auparse/auparse.c (audit userspace library).
> >
> > There is a comment that indicate that this is voluntary - however, I
> > could not find why. I suspect this is for searches over long periods of
> > time when the serial may roll over.
> >
> > In case this was simply overlooked I'm attaching a patch that fixes it
> > for us. It keeps the timestamp check for the seconds, which works fine
> > and would still work with serial rolling over.
> >
> > Again- its relatively rare in our logs that the timestamp's millisecond
> > field differs and we log very heavily - so it's not that easy to reproduce.
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
More information about the Linux-audit
mailing list