Unhelpful events

Richard Guy Briggs rgb at redhat.com
Mon Jun 7 17:42:49 UTC 2021


On 2021-06-07 11:32, Steve Grubb wrote:
> Hello,
> 
> While patching up the event normalizer, I ran across these events which 
> really have no useful information:
> 
> type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
> 
> type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948

Fedora?  "-a task,never"?

I assume ghak120 should be present in what you are using by now (v5.11)?
	https://github.com/linux-audit/audit-kernel/issues/120
	"BUG: accompanying records missing for required records when no rules present"

> type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter 
> family=bridge entries=0 op=xt_unregister pid=5833 
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3

This is as complete as this event is going to get.  It is a kernel
event, reaping an unused table after a timeout.  See
	https://github.com/linux-audit/audit-kernel/issues/25

> Either their syscall record is missing or they simply do not have all the 
> necessary information. (Subject, action, object, results)
> 
> -Steve

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
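
The triage below is an added example, not part of either poster's message: it groups records by their audit(timestamp:serial) id and reports which events have neither an accompanying SYSCALL record nor any subject field. The first three sample records are the ones quoted in the thread (the NETFILTER_CFG record rejoined onto one line); the last two records, the SUBJECT_KEYS set and the verdict names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Header in raw form "audit(1622913714.840:15017):" or in interpreted
# form "audit(06/06/2021 08:44:53.947:976) :".
HEADER = re.compile(r"type=(\S+)\s+msg=audit\(([^)]*?):(\d+)\)\s*:\s*(.*)")
FIELD = re.compile(r"(\S+?)=(\S+)")
# Assumption: any of these fields counts as identifying a subject.
SUBJECT_KEYS = {"pid", "uid", "auid", "subj", "comm", "exe"}

# Records 1-3 are quoted in the thread; records 4-5 are constructed.
SAMPLE = """\
type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948
type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter family=bridge entries=0 op=xt_unregister pid=5833 subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
type=BPF msg=audit(1622913800.100:15020): prog-id=138 op=LOAD
type=SYSCALL msg=audit(1622913800.100:15020): arch=c000003e syscall=321 success=yes exit=7 pid=1 auid=4294967295 uid=0 comm="systemd" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0
"""

def parse(log_text):
    """Group records into events keyed by (timestamp, serial)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if m:
            rtype, stamp, serial, body = m.groups()
            events[(stamp, int(serial))].append((rtype, dict(FIELD.findall(body))))
    return events

def triage(log_text):
    """Return {(timestamp, serial): (record types, verdict)}."""
    report = {}
    for key, records in parse(log_text).items():
        types = sorted({rtype for rtype, _ in records})
        fields = set().union(*(f for _, f in records))
        if "SYSCALL" in types:
            verdict = "complete"            # syscall record supplies the subject
        elif fields & SUBJECT_KEYS:
            verdict = "standalone-with-subject"
        else:
            verdict = "no-subject"          # nothing to attribute the action to
        report[key] = (types, verdict)
    return report

if __name__ == "__main__":
    for (stamp, serial), (types, verdict) in triage(SAMPLE).items():
        print(f"{serial:>6} {'+'.join(types):<16} {verdict}")
```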



