From: Eric Paris <eparis@redhat.com>
To: Ismail Yenigul <ismailyenigul@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: auditd 2.0.5 and 2.2 log format changes
Date: Tue, 20 May 2014 13:02:24 -0400
Message-ID: <1400605344.20791.4.camel@flatline.rdu.redhat.com>
In-Reply-To: <CAKpsdD3hxcvQqzsfDCO_ZjE_jd_-Si5kN+Md_+Muk1ZsNTObHQ@mail.gmail.com>
On Tue, 2014-05-20 at 18:35 +0300, Ismail Yenigul wrote:
> Thanks for the prompt reply.
>
> The kernel versions are very close.
Not really. RHEL kernels are vastly different from the old 2.6.32
kernel. In this case, the RHEL kernel gives some very very new
information which didn't exist back in 2.6.37. Aka the 2.6.32 RHEL
kernel is 'newer' than the 2.6.37 SUSE kernel. Does that make sense?
> Redhat: 2.6.32-431.11.2.el6.x86_64
>
> Suse: 2.6.37.1-1.2-desktop
>
> > I have a script to correlate (for a user-friendly report) auditd 2.2
> > version logs. It works on RedHat.
> > We have a suse 11.4 server running audit 2.0.5 version.
> >
> > I could not see any major log format difference between the two
> > versions. I see that there is a nametype=NORMAL field difference at
> > the end of each line for version 2.2.
This is a new key=value pair which tells you something about this
particular name record. Imagine you called rename() and placed one file
on top of another existing file. In old kernels you'd end up with about
4 different audit names: old parent dir, new parent dir, old file
moving, new file being unlink()ed because of the rename() on top of it.
This field is supposed to help you figure out which of these audit names
goes with which part of the syscall. Make sense?
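As an added example (not code from this thread or from the audit project), the snippet below shows what a correlation script gains from the nametype= field on the rename() case described above. The records are constructed; it assumes the nametype values PARENT, DELETE and CREATE as the kernel emits them, that the old parent directory is logged before the new one, and that syscall 82 on x86_64 is rename().

```python
import re

# Constructed sample (not from the thread): a rename() that lands on top of an
# existing file, first as a newer kernel logs it with nametype= on every PATH
# record, then as an older kernel logs it without that field.
NEW_KERNEL = [
    'type=SYSCALL msg=audit(1400605344.123:4242): arch=c000003e syscall=82 success=yes exit=0 comm="mv" key="rename-watch"',
    'type=PATH msg=audit(1400605344.123:4242): item=0 name="/srv/old/" inode=100 nametype=PARENT',
    'type=PATH msg=audit(1400605344.123:4242): item=1 name="/srv/new/" inode=101 nametype=PARENT',
    'type=PATH msg=audit(1400605344.123:4242): item=2 name="/srv/old/a.txt" inode=200 nametype=DELETE',
    'type=PATH msg=audit(1400605344.123:4242): item=3 name="/srv/new/a.txt" inode=201 nametype=DELETE',
    'type=PATH msg=audit(1400605344.123:4242): item=4 name="/srv/new/a.txt" inode=200 nametype=CREATE',
]
OLD_KERNEL = [l.split(" nametype=")[0] for l in NEW_KERNEL[:5]]   # same event, no nametype=

RECORD_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """One auditd line -> dict; the audit(ts:serial) id is kept as 'event_id'."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("not an audit record: " + line)
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec["type"], rec["event_id"] = m.group(1), m.group(2)
    return rec

def rename_roles(paths):
    """Map the PATH records of one rename() to roles using nametype=.
    Returns None when any record lacks nametype (pre-nametype kernels): item
    order alone cannot say which name is the source and which the overwritten file."""
    if any("nametype" not in p for p in paths):
        return None
    parents = [p["name"] for p in paths if p["nametype"] == "PARENT"]
    created = next((p for p in paths if p["nametype"] == "CREATE"), None)
    deleted = [p for p in paths if p["nametype"] == "DELETE"]
    if created is None or len(parents) != 2 or len(deleted) != 2:
        return None                                    # not the overwrite case shown above
    # The source keeps its inode across the rename, so it is the DELETE record
    # whose inode matches the CREATE record; the other DELETE is the overwritten file.
    source = next(p for p in deleted if p["inode"] == created["inode"])
    victim = next(p for p in deleted if p is not source)
    return {"old_parent": parents[0], "new_parent": parents[1],   # assumes old parent logged first
            "source": source["name"], "overwritten": victim["name"], "target": created["name"]}

def correlate(lines):
    """Group records by audit event id and explain each rename() (syscall 82 on x86_64)."""
    events = {}
    for rec in map(parse_record, lines):
        events.setdefault(rec["event_id"], []).append(rec)
    out = {}
    for eid, recs in events.items():
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sysc and sysc.get("syscall") == "82":
            out[eid] = rename_roles([r for r in recs if r["type"] == "PATH"])
    return out
```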