From mboxrd@z Thu Jan  1 00:00:00 1970
From: Richard Guy Briggs <rgb@redhat.com>
Subject: Re: aulast only displaying reboot pseudo-users
Date: Tue, 17 Jun 2014 10:55:42 -0400
Message-ID: <20140617145542.GC14900@madcap2.tricolour.ca>
References: <20140605000405.687f6ad7@fornost.bigon.be>
	<20140614135319.18680d6f@fornost.bigon.be>
	<1402953610.11087.5.camel@localhost> <2733072.zhBU5hVyYr@x2>
	<20140617160932.1e12ac53@soldur.bigon.be>
	<20140617103125.1871abbf@flatline.rdu.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
Content-Disposition: inline
In-Reply-To: <20140617103125.1871abbf@flatline.rdu.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 14/06/17, Eric Paris wrote:
> On Tue, 17 Jun 2014 16:09:32 +0200
> Laurent Bigonville <bigon@debian.org> wrote:
> > Le Tue, 17 Jun 2014 09:29:21 -0400,
> > Steve Grubb <sgrubb@redhat.com> a =E9crit :
> > =

> > > On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
> > [...]
> > > > I'd call this a pretty clear userspace bug where it just
> > > > completely drops records, even if it can't parse them...
> > > =

> > > That theory can be tested by using:
> > > =

> > > ausearch --start this-week --debug > /dev/null
> > > =

> > > Anything that gets tossed out will be reported to stderr.
> > =

> > I'm getting indeed quite a lot of skipped event:
> > =

> > Malformed event skipped, rc=3D7. type=3DLOGIN
> > msg=3Daudit(1402934401.462:1626): pid=3D1719 uid=3D0 old-auid=3D4294967=
295
> > new-auid=3D0 old-ses=3D4294967295 new-ses=3D121 res=3D1
> =

> This feel like 2 clear bugs.
> =

> 1) The kernel records for LOGIN are 'malformed' in 3.14.

Yes.  That's why it got fixed for 3.15.

	5ee9a75 audit: fix dangling keywords in audit_log_set_loginuid() output
introduced it between 3.13 and 3.14-rc1

	aa589a1 audit: remove superfluous new- prefix in AUDIT_LOGIN messages
fixed it between 3.14 and 3.15-rc1

So it is fine in 3.15.

> 2) Userspace silently throws records which are 'malformed' away, instead
> of just printing them...

So according to Linus, we (I) violated the "thou shalt not break
userspace" golden rule with the second patch.

But it was already broken according to Steve which is why the first
patch was submitted.

> ausearch -m LOGIN should be able to display these things...

Agreed.

One lesson here?  Let's get a minimum useful subset of
http://people.redhat.com/sgrubb/audit/audit-parse.txt into
linux-2.6/Documentation/ tree to try to avoid this issue in the future.

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,=
 Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545