From: Steve Grubb <sgrubb@redhat.com>
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
Subject: Re: Proposed additions to ausearch
Date: Mon, 13 May 2013 09:02:55 -0400
Message-ID: <1448422.f2vnquTxnh@x2>
In-Reply-To: <1368315048.19077.202.camel@swtf.swtf.dyndns.org>
On Sunday, May 12, 2013 09:30:48 AM Burn Alting wrote:
> Hmmm ... let's try that again with the correct and working patch.
Applied with one change. I also looked for more instances of the same coding
pattern and fixed several more. Thanks for reporting this.
-Steve
> On Sun, 2013-05-12 at 09:14 +1000, Burn Alting wrote:
> > And the trivial patch to fix is attached.
> >
> > Also in the patch is a minor fix to display the clone flag value of 0 as
> > 0x0 for consistency.
> >
> > On Sat, 2013-05-11 at 10:42 +1000, Burn Alting wrote:
> > > Steve,
> > >
> > > Before I send my patches out, I noticed in some testing of the svn code,
> > > that some interpretation of the a2 and a3 keys has resulted in null
> > > output if the raw data was 0. For example
> > >
> > > raw:
> > > node=swtf5.swtf.dyndns.org type=SYSCALL
> > > msg=audit(1367146452.398:27817): arch=c000003e syscall=45
> > > success=no exit=-11 a0=6 a1=2546a04 a2=1000 a3=0 items=0
> > > ppid=798 pid=1227 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42
> > > egid=42 sgid=42 fsgid=42 ses=1 tty=(none) comm="gnome-shell"
> > > exe=2F7573722F62696E2F676E6F6D652D7368656C6C202864656C6574656429
> > > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key="all"
> > >
> > > 2.3 output
> > >
> > > < node=swtf5.swtf.dyndns.org type=SYSCALL msg=audit(04/28/2013
> > > 20:54:12.398:27817) : arch=x86_64 syscall=recvfrom success=no
> > > exit=-11(Resource temporarily unavailable) a0=0x6 a1=0x2546a04
> > > a2=0x1000 a3=0x0 items=0 ppid=798 pid=1227 auid=gdm uid=gdm
> > > gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm
> > > ses=1 tty=(none) comm=gnome-shell exe=/usr/bin/gnome-shell
> > > (deleted) subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=all
> > > ---
> > >
> > > svn
> > >
> > > > node=swtf5.swtf.dyndns.org type=SYSCALL msg=audit(04/28/2013
> > > 20:54:12.398:27817) : arch=x86_64 syscall=recvfrom success=no
> > > exit=-11(Resource temporarily unavailable) a0=0x6 a1=0x2546a04
> > > a2=0x1000 a3= items=0 ppid=798 pid=1227 auid=gdm uid=gdm gid=gdm
> > > euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm ses=1
> > > tty=(none) comm=gnome-shell exe=/usr/bin/gnome-shell (deleted)
> > > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=all
> > >
> > > This appears to occur for recvfrom, sendmsg, sendto. I've yet to look
> > > for other syscalls that it affects.
> > >
> > > Rgds
> > >
> > > On Tue, 2013-05-07 at 19:29 +1000, Burn Alting wrote:
> > > > Thanks Steve,
> > > >
> > > > I will check it out and re-fit patches over the next few days and
> > > > submit individual patches for review.
> > > >
> > > > Rgds
> > > >
> > > > Burn
> > > >
> > > > On Mon, 2013-05-06 at 18:04 -0400, Steve Grubb wrote:
> > > > > On Monday, May 06, 2013 09:53:40 AM Steve Grubb wrote:
> > > > > > > - a new option will print out more parser friendly
> > > > > > > output for interpreted mode
> > > > > >
> > > > > > I am in the midst of coalescing the interpreters into one. I know
> > > > > > this sounds crazy, but ausearch and auparse both had independent
> > > > > > copies of nearly the same material. The problem was they both keep
> > > > > > data formatted completely different and that made combining them a
> > > > > > challenge. I think auparse has a faster lookup algorithm but it
> > > > > > allocates memory for the translation. So, I hope they cancel each
> > > > > > other out.
> > > > > >
> > > > > > My point in mentioning this is that I am probably in the middle of
> > > > > > changing code you hooked into. The work is checked in but still in
> > > > > > progress. The first step was to create a common API for 3 functions
> > > > > > used in translating fields. (This is checked in.) The next step is
> > > > > > to link ausearch against auparse with the ausearch functions
> > > > > > commented out. The final step is to remove all the unneeded code
> > > > > > from ausearch. (I should be doing this today.)
> > > > >
> > > > > All changes are checked into svn for this interpreter switch over.
> > > > > So far my testing shows that although ausearch malloc/frees about 6
> > > > > times as much as it used to, the lookup algorithms in auparse are
> > > > > superior and we actually have about a 20% speed improvement in the
> > > > > outputting of interpreted results. Searching is not any faster.
> > > > >
> > > > > At this point, the code should be stable in this area if you want to
> > > > > retest and start sending patches.
> > > > >
> > > > > Thanks,
> > > > > -Steve
> > > >
> > > > --
> > > > Linux-audit mailing list
> > > > Linux-audit@redhat.com
> > > > https://www.redhat.com/mailman/listinfo/linux-audit
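The defect Burn reports above is a classic edge case for any log interpreter: a register value of 0 is valid data, yet an interpreter that tests the value for truthiness before printing it will emit `a3=` and silently drop the field. The following Python is an added illustration, not code from this thread or from the audit userspace project. It interprets the raw SYSCALL record quoted above and shows the `0x0` rendering beside a switch that reproduces the reported symptom. The syscall table is a constructed subset of the real x86_64 numbers for the calls the thread names, uid/gid fields are left numeric because resolving them needs the originating host's passwd database, and the `buggy` switch models the symptom by treating zero as absent; the thread reports only the output, not the cause, so that mechanism is my assumption.

```python
"""Interpret a0..a3 and friends in a Linux audit SYSCALL record.

Added example, not audit-userspace code. The record is the raw line quoted
in the thread; the syscall table is a constructed subset for arch c000003e.
"""
import os
import re

# Constructed subset of the x86_64 syscall table (numbers are the real ones).
X86_64_SYSCALLS = {44: "sendto", 45: "recvfrom", 46: "sendmsg", 56: "clone"}

# Fields whose value audit hex-encodes when it contains a space or quote.
HEX_ENCODED_STRING_FIELDS = ("exe", "comm", "cwd", "key")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The raw record from the thread, re-joined onto one line (sample input).
SAMPLE_RECORD = (
    "node=swtf5.swtf.dyndns.org type=SYSCALL msg=audit(1367146452.398:27817): "
    "arch=c000003e syscall=45 success=no exit=-11 a0=6 a1=2546a04 a2=1000 a3=0 "
    "items=0 ppid=798 pid=1227 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 "
    "egid=42 sgid=42 fsgid=42 ses=1 tty=(none) comm=\"gnome-shell\" "
    "exe=2F7573722F62696E2F676E6F6D652D7368656C6C202864656C6574656429 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=\"all\""
)


def parse_record(line):
    """Split key=value pairs into an ordered dict; quoted values stay whole."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def interpret_arg(raw, buggy=False):
    """Render a syscall argument register as 0x-prefixed hex.

    With buggy=True the function reproduces the reported symptom: a value
    of 0 is falsy, so nothing is printed and the field comes out as 'a3='.
    """
    value = int(raw, 16)
    if buggy and not value:
        return ""
    return hex(value)  # hex(0) is '0x0', which is the consistent rendering


def interpret_exit(raw):
    """Negative exit codes are errno values; append the system's text."""
    value = int(raw)
    if value < 0:
        return f"{value}({os.strerror(-value)})"
    return str(value)


def decode_hex_string(raw):
    """Decode an audit hex-encoded string field (uppercase hex, even length)."""
    if re.fullmatch(r"[0-9A-F]+", raw) and len(raw) % 2 == 0:
        try:
            return bytes.fromhex(raw).decode("utf-8")
        except UnicodeDecodeError:
            return raw
    return raw


def interpret_record(line, buggy=False):
    """Return the record with arch, syscall, exit, a0..a3 and strings interpreted."""
    rec = parse_record(line)
    out = dict(rec)
    if int(rec["arch"], 16) == 0xC000003E:
        out["arch"] = "x86_64"
        out["syscall"] = X86_64_SYSCALLS.get(int(rec["syscall"]), rec["syscall"])
    out["exit"] = interpret_exit(rec["exit"])
    for key in ("a0", "a1", "a2", "a3"):
        out[key] = interpret_arg(rec[key], buggy)
    for key in HEX_ENCODED_STRING_FIELDS:
        if key in rec:
            out[key] = decode_hex_string(rec[key])
    return out


def empty_fields(interpreted):
    """Consistency check: every raw field must interpret to something non-empty."""
    return [k for k, v in interpreted.items() if v == ""]


if __name__ == "__main__":
    good = interpret_record(SAMPLE_RECORD)
    bad = interpret_record(SAMPLE_RECORD, buggy=True)
    print(" ".join(f"{k}={v}" for k, v in good.items()))
    print("fields lost by the truthiness test:", empty_fields(bad))
```

The `empty_fields` check is the kind of regression test worth keeping in a parser's suite: feed it a record whose registers are all zero and assert that nothing disappears between the raw and interpreted forms.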