From: Richard Guy Briggs
Subject: Re: aulast only displaying reboot pseudo-users
Date: Tue, 17 Jun 2014 11:15:32 -0400
Message-ID: <20140617151532.GD14900@madcap2.tricolour.ca>
References: <20140605000405.687f6ad7@fornost.bigon.be> <20140617160932.1e12ac53@soldur.bigon.be> <20140617103125.1871abbf@flatline.rdu.redhat.com> <7885595.OZveFJzaAO@x2>
In-Reply-To: <7885595.OZveFJzaAO@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 14/06/17, Steve Grubb wrote:
> On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
> > On Tue, 17 Jun 2014 16:09:32 +0200
> > Laurent Bigonville wrote:
> > > On Tue, 17 Jun 2014 09:29:21 -0400,
> > > Steve Grubb wrote:
> > > > On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
> > > [...]
> > > > > I'd call this a pretty clear userspace bug where it just
> > > > > completely drops records, even if it can't parse them...
> > > >
> > > > That theory can be tested by using:
> > > >
> > > > ausearch --start this-week --debug > /dev/null
> > > >
> > > > Anything that gets tossed out will be reported to stderr.
> > >
> > > I'm indeed getting quite a lot of skipped events:
> > >
> > > Malformed event skipped, rc=7. type=LOGIN
> > > msg=audit(1402934401.462:1626): pid=1719 uid=0 old-auid=4294967295
> > > new-auid=0 old-ses=4294967295 new-ses=121 res=1
> >
> > This feels like 2 clear bugs.
> >
> > 1) The kernel records for LOGIN are 'malformed' in 3.14.
>
> Was the patch sent to stable? If not, could it be?

To the best of my knowledge, no. This sounds reasonable.

> > 2) Userspace silently throws records which are 'malformed' away, instead
> > of just printing them...
> >
> > ausearch -m LOGIN should be able to display these things...
>
> The problem is that all of the utilities are expecting fields with certain
> names in a certain order. Moving them around or changing them breaks things.
> When we add work-arounds, it causes the utilities to run slower because it
> tries one method and then another. When you run test cases that parse 100Gb
> of logs, you'll see the effects of the work-arounds because the search takes
> minutes rather than seconds. The utilities are tuned for the massive logs use
> case.
>
> The particular code in question, ausearch-parse.c, is used by both aureport and
> ausearch. It does not have a concept of completing search criteria and just
> dumping the record out. There might be something that can be done here, but
> lots of changes risk breaking things in subtle ways.
>
> -Steve

- RGB

--
Richard Guy Briggs
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
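As an added illustration of the trade-off discussed in this thread (this is not code from the thread or from audit-userspace), the parser below looks LOGIN fields up by name rather than by position, so the 3.14 record Laurent quoted parses regardless of field order, and it reports the serial of any LOGIN record it cannot use instead of dropping it silently. The names `SAMPLE_LOG`, `parse_record` and `login_sessions` are my own; the first log line is the record from the thread, the other three are constructed.

```python
import re

# Constructed sample input: line 1 is the record ausearch --debug reported as
# skipped in the thread; lines 2-4 are made up to exercise the parser.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1402934401.462:1626): pid=1719 uid=0 old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=121 res=1
type=SYSCALL msg=audit(1402934401.470:1627): arch=c000003e syscall=1 success=yes exit=1 pid=1719 uid=0
type=LOGIN msg=audit(1402934500.100:1700): pid=2001 uid=0 new-ses=122 new-auid=1000 old-ses=4294967295 old-auid=4294967295 res=1
type=LOGIN msg=audit(1402934600.000:1800): pid=2100 uid=0 old-auid=4294967295 old-ses=4294967295 res=1
"""

UNSET = 4294967295  # (u32)-1: the kernel's "not set" value for auid and ses

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r"([\w-]+)=(\S+)")


def parse_record(line):
    """Split one audit record into type, timestamp, serial and a name->value dict.

    Fields are looked up by name, so their order in the record does not matter;
    the cost is the slower, order-independent parse Steve describes above.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "fields": dict(FIELD_RE.findall(body))}


def login_sessions(log_text):
    """Return (sessions, skipped): aulast-style (time, auid, ses) tuples for every
    LOGIN record that assigned a real auid, plus the serials of LOGIN records
    missing the needed fields, so nothing is dropped silently."""
    sessions, skipped = [], []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] != "LOGIN":
            continue
        f = rec["fields"]
        try:
            auid, ses = int(f["new-auid"]), int(f["new-ses"])
        except (KeyError, ValueError):
            skipped.append(rec["serial"])
            continue
        if auid != UNSET:  # an UNSET new-auid means no login identity was assigned
            sessions.append((rec["time"], auid, ses))
    return sessions, skipped


if __name__ == "__main__":
    found, dropped = login_sessions(SAMPLE_LOG)
    for t, auid, ses in found:
        print(f"auid={auid} ses={ses} at {t}")
    print("LOGIN records without usable fields:", dropped)
```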