aulast only displaying reboot pseudo-users
Steve Grubb
sgrubb at redhat.com
Tue Jun 17 13:29:21 UTC 2014
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
> My guess is that userspace just throws away record where it doesn't find
> the auid= and ses= and you kernel happens to live in those couple of
> months were it had "new-ses" and "new-auid"
Was this patch sent to stable? The audit code tries to handle the old way and
the new way:
https://fedorahosted.org/audit/browser/trunk/tools/aulast/aulast.c#L175
But I thought the patch went to stable to prevent breaking user space. This is
only one issue. I am seeing duplicate and missing events between systemd, gdm,
and lightdm.
> I'd call this a pretty clear userspace bug where it just completely
> drops records, even if it can't parse them...
That theory can be tested by using:
ausearch --start this-week --debug > /dev/null
Anything that gets tossed out will be reported to stderr.
-Steve
More information about the Linux-audit
mailing list