From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: When is EOE generated?
Date: Thu, 12 Sep 2019 08:55:40 -0400
Message-ID: <2241113.VGNmPeWy4c@x2>
References: <bd4b2f99-89a0-4d59-aeb9-a97be31b0445@www.fastmail.com>
	<15531009.1YdTc8d0Yq@x2>
	<a66ead37-2959-448a-a688-838f58798ce5@www.fastmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <a66ead37-2959-448a-a688-838f58798ce5@www.fastmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Giovanni Panepinto <gpanepinto@fastmail.fm>
Cc: Matthew Bobrowski <mbobrowski@mbobrowski.org>, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, September 11, 2019 8:59:32 PM EDT Giovanni Panepinto wrote:
> Thanks for the response Steve.
> 
> What exact criteria the deamon uses when it strips EOE?

Is it going to disk? If so, its stripped.

> Is it purely based on the size of the event or remaining disk space or?
> 
> That leads me to the next question, can I force it to log EOE regardless?

You can always modify the audit daemon's source code.  Just remove the "if" 
statement here:

https://github.com/linux-audit/audit-userspace/blob/master/src/auditd.c#L283

so that it always calls handle_event() which write it to disk. But that leads 
me to the question of why would you need to do that? Is auparse not working 
for you?

-Steve

> > On Tuesday, September 10, 2019 11:55:58 PM EDT Giovanni Panepinto wrote:
> > > According to
> > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/
> > > 6/h
> > > tml/security_guide/sec-audit_record_types , the record EOE gets
> > > generated
> > > to represent "the end of a multi-record event."
> > > 
> > > In my audit logs, I can see that for some events, EOE doesn't get
> > > generated.
> > 
> > <snip>
> > 
> > > So my question is, what defines a multi-record event? And why is EOE
> > > not
> > > generated when I create a file under /usr/local/bin?
> > 
> > The EOE record is stripped by the audit daemon to save disk space. The
> > audit libraries and utilities use heuristics to determine the end of an
> > event. So, if you are parsing events with auparse, it will figure out
> > the end of the event and group all related records for you. The EOE
> > record is passes along to the real time interface just in case it helps
> > to mark an event complete before the heuristics determine it is
> > complete.
> > 
> > -Steve