From: Eric Paris <eparis@redhat.com>
To: Laurent Bigonville <bigon@debian.org>
Cc: linux-audit@redhat.com
Subject: Re: aulast only displaying reboot pseudo-users
Date: Mon, 16 Jun 2014 17:20:10 -0400	[thread overview]
Message-ID: <1402953610.11087.5.camel@localhost> (raw)
In-Reply-To: <20140614135319.18680d6f@fornost.bigon.be>

On Sat, 2014-06-14 at 13:53 +0200, Laurent Bigonville wrote:
> On Thu, 5 Jun 2014 19:34:04 +0200,
> Laurent Bigonville <bigon@debian.org> wrote:
> 
> > On Wed, 04 Jun 2014 19:04:52 -0400,
> > Steve Grubb <sgrubb@redhat.com> wrote:
> [...]
> > > You are missing a type=LOGIN event right here. If you do a "cat
> > > /proc/self/loginuid" and it's set to something besides -1, we have a
> > > kernel bug.
> > > 
> > 
> > 
> > Actually, my grepping was wrong, I'm seeing the following line
> > too:
> > 
> > type=LOGIN msg=audit(1401921359.597:1397): pid=15760 uid=0
> > old-auid=4294967295 new-auid=1002 old-ses=4294967295 new-ses=66 res=1
> 
> Any idea here then?
> 
> Regarding "/proc/self/loginuid" it's always set to the uid of the user
> here.
> 
> Looking at aulast code, I can see that there are differences for
> kernels before or after 3.13. My machine is running 3.14, could this be
> related?

Back in the olden-days we had:
"pid=%d uid=%u old auid=%u new auid=%u old ses=%u new ses=%u res=%d"

Which got complained about and resulted in:

commit 5ee9a75c9fdaebd3ac8176f9f5c73fdcd27c1ad1
Author: Richard Guy Briggs <rgb@redhat.com>
Date:   Wed Dec 11 15:28:09 2013 -0500
    audit: fix dangling keywords in audit_log_set_loginuid() output

Which gave us:
"pid=%d uid=%u old-auid=%u new-auid=%u old-ses=%u new-ses=%u res=%d"

And that is your record type.

Steve asked Richard to remove the "new-" from the fields which resulted
in 

commit aa589a13b5d00d3c643ee4114d8cbc3addb4e99f
Author: Richard Guy Briggs <rgb@redhat.com>
Date:   Mon Feb 24 12:31:11 2014 -0500
    audit: remove superfluous new- prefix in AUDIT_LOGIN messages

Which got us to today's record type:
"pid=%d uid=%u subj=%s old-auid=%u auid=%u old-ses=%u ses=%u res=%d"

My guess is that userspace just throws away records where it doesn't find
the auid= and ses= and your kernel happens to live in those couple of
months where it had "new-ses" and "new-auid".


I'd call this a pretty clear userspace bug where it just completely
drops records, even if it can't parse them...

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
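Added example, not code from this thread or from the audit userspace tools: a small Python parser that accepts all three spellings of the LOGIN record fields Eric lists above (`old auid`/`new auid`, `old-auid`/`new-auid`, `old-auid`/`auid`), normalizes them to one set of names, and raises on a LOGIN record that genuinely lacks the fields instead of silently dropping it. The sample records are constructed from the formats quoted in the thread; `UNSET`, `parse_login_record`, `is_new_login` and `login_sessions` are names chosen for this example.

```python
import re

# Unsigned -1: the kernel's "unset" value for loginuid and session id.
UNSET = 4294967295

# Every legacy and current spelling of the four fields whose names changed,
# mapped to one canonical name. Spellings follow the three formats quoted
# in the thread (pre-3.13, the 3.13-era "new-" prefix, and the current one).
FIELD_ALIASES = {
    "old auid": "old_auid", "old-auid": "old_auid",
    "new auid": "auid",     "new-auid": "auid",     "auid": "auid",
    "old ses":  "old_ses",  "old-ses":  "old_ses",
    "new ses":  "ses",      "new-ses":  "ses",      "ses": "ses",
}

# Longest spellings first so "old auid" is tried before the bare "auid";
# the lookbehind keeps "auid" from matching inside "old-auid".
_KEY_RE = re.compile(
    r"(?<![\w-])("
    + "|".join(re.escape(k) for k in sorted(FIELD_ALIASES, key=len, reverse=True))
    + r")=(\d+)"
)
_REQUIRED = {"old_auid", "auid", "old_ses", "ses"}

# Constructed sample records (values adapted from the record quoted in the
# thread), one per kernel-era format.
SAMPLE_RECORDS = [
    # pre-3.13: keys contain spaces, which defeats naive key=value splitting
    "type=LOGIN msg=audit(1401921359.597:1397): pid=15760 uid=0 "
    "old auid=4294967295 new auid=1002 old ses=4294967295 new ses=66 res=1",
    # 3.13/3.14 era (commit 5ee9a75c): dashes plus the "new-" prefix
    "type=LOGIN msg=audit(1401921359.597:1397): pid=15760 uid=0 "
    "old-auid=4294967295 new-auid=1002 old-ses=4294967295 new-ses=66 res=1",
    # current (commit aa589a13): "new-" prefix gone, subj= added
    "type=LOGIN msg=audit(1401921359.597:1397): pid=15760 uid=0 subj=unconfined "
    "old-auid=4294967295 auid=1002 old-ses=4294967295 ses=66 res=1",
]


def parse_login_record(line):
    """Parse one type=LOGIN record written in any of the three formats.

    Returns a dict with canonical keys, or None when the line is not a LOGIN
    record. Raises ValueError, rather than dropping the record on the floor,
    when a LOGIN record lacks one of the four auid/ses fields.
    """
    if not re.search(r"\btype=LOGIN\b", line):
        return None
    rec = {}
    for plain in ("pid", "uid", "res"):
        # lookbehind stops "uid" from matching the tail of "auid"
        m = re.search(r"(?<![\w-])" + plain + r"=(\d+)", line)
        if m:
            rec[plain] = int(m.group(1))
    for key, val in _KEY_RE.findall(line):
        rec[FIELD_ALIASES[key]] = int(val)
    missing = _REQUIRED - set(rec)
    if missing:
        raise ValueError("LOGIN record missing %s: %s" % (sorted(missing), line))
    return rec


def is_new_login(rec):
    """True when the record starts a login session: loginuid went from unset
    to a real uid. A record that only re-sets an already-set auid is not one."""
    return rec["old_auid"] == UNSET and rec["auid"] != UNSET


def login_sessions(lines):
    """Return (auid, ses) for every login-start record, whatever its format."""
    sessions = []
    for line in lines:
        rec = parse_login_record(line)
        if rec is not None and is_new_login(rec):
            sessions.append((rec["auid"], rec["ses"]))
    return sessions


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(parse_login_record(line))
    print(login_sessions(SAMPLE_RECORDS))
```

A consumer that keys only on `auid=` and `ses=` sees neither in the 3.13-era format and, if it discards unparsed records, reports no sessions at all, which is the symptom in this thread. Mapping every known spelling to one canonical name and raising on a record that still lacks the fields turns a future format drift into a visible error rather than missing logins.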
