aulast only displaying reboot pseudo-users
Richard Guy Briggs
rgb at redhat.com
Tue Jun 17 14:55:42 UTC 2014
On 14/06/17, Eric Paris wrote:
> On Tue, 17 Jun 2014 16:09:32 +0200
> Laurent Bigonville <bigon at debian.org> wrote:
> > Le Tue, 17 Jun 2014 09:29:21 -0400,
> > Steve Grubb <sgrubb at redhat.com> a écrit :
> >
> > > On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
> > [...]
> > > > I'd call this a pretty clear userspace bug where it just
> > > > completely drops records, even if it can't parse them...
> > >
> > > That theory can be tested by using:
> > >
> > > ausearch --start this-week --debug > /dev/null
> > >
> > > Anything that gets tossed out will be reported to stderr.
> >
> > I'm getting indeed quite a lot of skipped event:
> >
> > Malformed event skipped, rc=7. type=LOGIN
> > msg=audit(1402934401.462:1626): pid=1719 uid=0 old-auid=4294967295
> > new-auid=0 old-ses=4294967295 new-ses=121 res=1
>
> This feel like 2 clear bugs.
>
> 1) The kernel records for LOGIN are 'malformed' in 3.14.
Yes. That's why it got fixed for 3.15.
5ee9a75 audit: fix dangling keywords in audit_log_set_loginuid() output
introduced it between 3.13 and 3.14-rc1
aa589a1 audit: remove superfluous new- prefix in AUDIT_LOGIN messages
fixed it between 3.14 and 3.15-rc1
So it is fine in 3.15.
> 2) Userspace silently throws records which are 'malformed' away, instead
> of just printing them...
So according to Linus, we (I) violated the "thou shalt not break
userspace" golden rule with the second patch.
But it was already broken according to Steve which is why the first
patch was submitted.
> ausearch -m LOGIN should be able to display these things...
Agreed.
One lesson here? Let's get a minimum useful subset of
http://people.redhat.com/sgrubb/audit/audit-parse.txt into
linux-2.6/Documentation/ tree to try to avoid this issue in the future.
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
More information about the Linux-audit
mailing list