From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: Re: [PATCH] Handle timestamp 0.0 in auparse, was Re: audit-viewer
	help needed
Date: Fri, 07 Nov 2008 14:19:48 -0600
Message-ID: <1226089188.7321.128.camel@homeserver>
References: <1221782548.6783.30.camel@homeserver>
	<1221812917.2947.10.camel@amilo> <1221830658.6513.4.camel@homeserver>
	<1222126221.2685.81.camel@amilo>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1222126221.2685.81.camel@amilo>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Miloslav =?UTF-8?Q?Trma=C4=8D?= <mitr@redhat.com>
Cc: linux-audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Mon, 2008-09-22 at 23:30 +0000, Miloslav Trma=C4=8D wrote:
> Hello,
> the attached patch modifies auparse not to handle timestamp 0.x
> specially by using out-of-band information (parse_state =3D=3D EVENT_EM=
PTY)
> instead of assuming (au->le.e.sec =3D=3D 0) has a special meaning.  As =
far
> as I can see, this the two conditions are equivalent if no event has a
> timestamp 0.x.
>=20
> The patch also decreases the assumed minimal length of a timestamp.
>=20
> I have tested this only minimally - I have checked that (make check)
> succeeds, and that audit-viewer doesn't crash on startup.
>=20
> This patch fixes handling of the following Lenny's audit record:
>=20
> > node=3Dhugo type=3DAVC msg=3Daudit(0.000:6760): avc:  denied  { recvf=
rom }
> > for  pid=3D2589 comm=3D"lockd" saddr=3D127.0.0.1 src=3D687 daddr=3D12=
7.0.0.1
> > dest=3D111 netif=3Dlo scontext=3Dsystem_u:system_r:initrc_t:s0-s15:c0=
.c1023
> > tcontext=3Dsystem_u:system_r:kernel_t:s15:c0.c1023 tclass=3Dassociati=
on
>=20
> I'm curious how this audit record could have been created (notabile is
> that the previous record has a sequence ID 6758 and a reasonable
> timestamp).  Lenny, Steve, any ideas?
>=20
> Thank you,
> 	Mirek


Steve, Mirek -=20

This patch didn't make it into the 1.7.9 code?
I have been running with it since its release.
Even if the kernel was patched I thought this was good.

Thx,
LCB.

--=20
LC (Lenny) Bruzenak
lenny@magitekltd.com