From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] auparse.c events_are_equal() and event matching
Date: Tue, 02 Dec 2014 08:44:21 -0500 [thread overview]
Message-ID: <11077223.gLdkPNx1jM@x2> (raw)
In-Reply-To: <20141202025147.GD9526@madcap2.tricolour.ca>
On Monday, December 01, 2014 09:51:47 PM Richard Guy Briggs wrote:
> On 14/12/01, Steve Grubb wrote:
> > On Monday, November 24, 2014 08:23:26 PM Guillaume Destuynder wrote:
> > > on our RHEL6 machines, with kernel 2.6.32, we noticed that sometimes an
> > > audit message comes in but libaudit does not see it as the same event.
> > >
> > > The milliseconds field of the timestamp differs (but the timestamp
> > > seconds and event serial are identical).
> >
> > This seems to be a bug in the kernel code. It's a fundamental principle
> > that all records that make up an event have the same time stamp and serial
> > number.
>
> Is it? I don't know if there is any value in serializing the parts that
> make up one event.
Yes it is. This is a day 1 design decision. The serial number is to
differentiate events within the same millisecond. It's not to be an identifier
that alone is used for serialization. Without this ordering, we cannot glue
all the parts of the event back together because the kernel _itself_ does not
serialize events. Events can come out intermingled.
The original design:
https://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.5-rc1/2.6.5-rc1-mm2/broken-out/lightweight-auditing-framework.patch
excerpt:
The timestamp of the
record and this serial number are used by the user-space daemon to
determine which pieces belong to the same audit record. The
(timestamp,serial) tuple is unique for each syscall and is live from
syscall entry to syscall exit.
-Steve
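Added example (not code from the thread or from the audit-userspace project): a Python sketch of the (timestamp, serial) gluing described above, run over constructed records, with a check that flags the millisecond mismatch Guillaume reported, where one kernel event shows up as two.

```python
import re
from collections import OrderedDict

# Header of every audit record: type=... msg=audit(SECONDS.MILLIS:SERIAL):
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<sec>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\):"
)

def event_key(line):
    """Return the (seconds, milliseconds, serial) tuple used to glue records
    into one event, or None if the line is not an audit record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    return (int(m["sec"]), int(m["ms"]), int(m["serial"]))

def group_events(lines):
    """Group records by (timestamp, serial), preserving first-seen order.
    Records of different events may arrive intermingled; the key reassembles them."""
    events = OrderedDict()
    for line in lines:
        key = event_key(line)
        if key is None:
            continue
        events.setdefault(key, []).append(line)
    return events

def find_split_events(events):
    """Report (seconds, serial) pairs seen with more than one millisecond value:
    the symptom from the thread, where one event is split into two."""
    by_sec_serial = {}
    for sec, ms, serial in events:
        by_sec_serial.setdefault((sec, serial), set()).add(ms)
    return {k: sorted(v) for k, v in by_sec_serial.items() if len(v) > 1}

# Constructed sample records (not taken from the thread): events 4567 and 4568
# arrive intermingled, and event 4569 has its PATH record stamped one ms later.
SAMPLE = [
    'type=SYSCALL msg=audit(1417480000.123:4567): arch=c000003e syscall=59 success=yes exit=0',
    'type=SYSCALL msg=audit(1417480000.123:4568): arch=c000003e syscall=2 success=yes exit=3',
    'type=EXECVE msg=audit(1417480000.123:4567): argc=1 a0="/bin/true"',
    'type=PATH msg=audit(1417480000.123:4568): item=0 name="/etc/passwd"',
    'type=CWD msg=audit(1417480000.123:4567): cwd="/root"',
    'type=SYSCALL msg=audit(1417480000.456:4569): arch=c000003e syscall=2 success=yes exit=4',
    'type=PATH msg=audit(1417480000.457:4569): item=0 name="/etc/shadow"',
]
```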