From: LC Bruzenak
Subject: ausearch discrepancies?
Date: Thu, 04 Jun 2009 19:37:17 -0500
Message-ID: <1244162237.31664.477.camel@homeserver>
To: Linux Audit <linux-audit@redhat.com>

F10, audit-1.7.12

[root@slim ~]# ausearch -i -ts yesterday -te yesterday | grep "node=" | tail
...
node=slim type=PATH msg=audit(06/03/2009 19:11:29.348:2884) : item=0 name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00 mode=dir,700 ouid=lcb ogid=lcb rdev=00:00 obj=system_u:object_r:mozilla_home_t:s0
node=slim type=CWD msg=audit(06/03/2009 19:11:29.348:2884) : cwd=/home/lcb
node=slim type=SYSCALL msg=audit(06/03/2009 19:11:29.348:2884) : arch=x86_64 syscall=unlink success=yes exit=0 a0=2bb999c a1=2bb999c a2=0 a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1 comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox subj=user_u:user_r:user_t:s0 key=delete

The results end with the above record. Then:

[root@slim ~]# ausearch -i -ts yesterday | grep "node=" | less
...
node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0 name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00 mode=dir,700 ouid=lcb ogid=lcb rdev=00:00 obj=system_u:object_r:mozilla_home_t:s0
node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) : cwd=/home/lcb
node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) : arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=36763bc a2=0 a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1 comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox subj=user_u:user_r:user_t:s0 key=delete
node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) : arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acbb60 a1=5 a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none) ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-change
node=slim type=USER_ACCT msg=audit(06/04/2009 00:01:01.716:3013) : user pid=14269 uid=root auid=unset ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:accounting acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'

This shows plenty of events after the 19:11 event shown. Any ideas?

# date
Thu Jun 4 19:29:10 CDT 2009

Reading the manpage is a little confusing on the -ts and -te meanings. I'm not sure I agree with the way it is stated; regardless, the behavior above appears wrong ... but this appears to work correctly:

ausearch -ts 06/03/2009 00:00:00 -te 06/03/2009 23:59:59 -i | grep "node=" | tail
...
node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0 name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00 mode=dir,700 ouid=lcb ogid=lcb rdev=00:00 obj=system_u:object_r:mozilla_home_t:s0
node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) : cwd=/home/lcb
node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) : arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=36763bc a2=0 a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1 comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox subj=user_u:user_r:user_t:s0 key=delete
node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) : arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acbb60 a1=5 a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none) ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-change

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
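A small check, added here and not part of the post or of the audit package, that parses the msg=audit(...) timestamps from ausearch -i output, builds the explicit whole-day bounds that worked above, and reports how much of the day is left after the last returned event, so a window that stopped early (as the -te yesterday run did at 19:11) stands out without reading the tail by eye. The sample lines are constructed from the records quoted in the post with most fields trimmed; the helper names are assumptions.

```python
import re
from datetime import datetime, timedelta

# ausearch -i prints each record's time as msg=audit(MM/DD/YYYY HH:MM:SS.mmm:serial);
# the records of one event (SYSCALL, CWD, PATH, ...) share the same serial.
AUDIT_TS = re.compile(r"msg=audit\((\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\.(\d{3}):(\d+)\)")
FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample: one line per record quoted in the post, fields trimmed.
SAMPLE = [
    "node=slim type=PATH msg=audit(06/03/2009 19:11:29.348:2884) : item=0 name=/home/lcb/.mozilla/firefox/c9hijbr8.default/",
    "node=slim type=SYSCALL msg=audit(06/03/2009 19:11:29.348:2884) : arch=x86_64 syscall=unlink success=yes key=delete",
    "node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) : arch=x86_64 syscall=unlink success=yes key=delete",
    "node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) : arch=x86_64 syscall=adjtimex success=yes key=time-change",
    "node=slim type=USER_ACCT msg=audit(06/04/2009 00:01:01.716:3013) : user pid=14269 uid=root auid=unset",
]

def parse_events(lines):
    """Map each distinct event serial in ausearch -i output to its datetime."""
    events = {}
    for line in lines:
        m = AUDIT_TS.search(line)
        if m:
            ts = datetime.strptime(m.group(1), FMT)
            events[int(m.group(3))] = ts + timedelta(milliseconds=int(m.group(2)))
    return events

def day_window(day):
    """Start and end datetimes covering the calendar day MM/DD/YYYY in full."""
    start = datetime.strptime(day, "%m/%d/%Y")
    return start, start + timedelta(days=1, seconds=-1)

def ausearch_cmd(day):
    """The explicit-bounds form of the query, the form the post found to work."""
    start, end = day_window(day)
    return f"ausearch -ts {start.strftime(FMT)} -te {end.strftime(FMT)} -i"

def check_day(lines, day):
    """Report which serials fall inside/outside the day and the tail of the day
    (seconds after the last in-day event); a large tail on a busy host hints that
    the query window, not the log, stopped early."""
    start, end = day_window(day)
    events = parse_events(lines)
    inside = sorted(s for s, t in events.items() if start <= t <= end)
    outside = sorted(s for s in events if s not in inside)
    last = max(events[s] for s in inside) if inside else start
    return {"inside": inside, "outside": outside,
            "tail_seconds": (end - last).total_seconds()}

if __name__ == "__main__":
    print(ausearch_cmd("06/03/2009"))
    print("full output :", check_day(SAMPLE, "06/03/2009"))
    print("cut at 19:11:", check_day(SAMPLE[:2], "06/03/2009"))
```

Run it against the real output with `ausearch -i ... | grep "node=" | python3 script.py` replaced by reading stdin instead of SAMPLE; the tail_seconds value for the truncated run is over four hours, for the full day under eight minutes.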