public inbox for linux-audit@redhat.com
* The res field has a value of 1 instead of either success or fail
@ 2016-07-19 10:28 Mateusz Piotrowski
From: Mateusz Piotrowski @ 2016-07-19 10:28 UTC (permalink / raw)
  To: linux-audit; +Cc: Konrad Witaszczyk



Hello,

According to this [1] and the definition of the res field here [2], the res field should have a value of either success or fail.

Here are some logs I generated on Debian:

type=USER_START msg=audit(1464013671.525:405): pid=3569 uid=0 auid=1000 ses=7 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add rule" key=(null) list=4 res=1
type=USER_END msg=audit(1464013671.549:407): pid=3569 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'

As you can see, there is a res field whose value is 1.

Is it because my auditd is outdated? Is there a missing res field which is purely numeric (just like the fields called fp [3])?

As Steve said in previous emails, it is possible and it might be fixed already. I’ll try to find out if I get similar logs with the latest auditd (2.6.5) on CentOS 6.8-i386 later.

Cheers!

-m

[1]: https://github.com/linux-audit/audit-userspace/blob/ac9384a884841ef66b4cae42884d9e63d0b6a438/auparse/typetab.h#L79-L80
[2]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L186
[3]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L62-L63





* Re: The res field has a value of 1 instead of either success or fail
@ 2016-07-20  9:25 ` Mateusz Piotrowski
From: Mateusz Piotrowski @ 2016-07-20  9:25 UTC (permalink / raw)
  To: linux-audit; +Cc: Konrad Witaszczyk

Hello,

> On 19 Jul 2016, at 12:28, Mateusz Piotrowski <0mp@freebsd.org> wrote:
> 
> type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add rule" key=(null) list=4 res=1
> As you can see, there is a res field whose value is 1.
> 
> Is it because my auditd is outdated? Is there a missing res field which is purely numeric (just like the fields called fp [3])?
> 
> As Steve said in previous emails, it is possible and it might be fixed already. I’ll try to find out if I get similar logs with the latest auditd (2.6.5) on CentOS 6.8-i386 later.

I confirm that it is possible to generate a type=CONFIG_CHANGE record with a res=1 field on CentOS 6.8 with auditd v2.6.5.

Cheers

-m

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: The res field has a value of 1 instead of either success or fail
@ 2016-07-20 13:17   ` Steve Grubb
From: Steve Grubb @ 2016-07-20 13:17 UTC (permalink / raw)
  To: linux-audit; +Cc: Konrad Witaszczyk

On Wednesday, July 20, 2016 11:25:19 AM EDT Mateusz Piotrowski wrote:
> Hello,
> 
> > On 19 Jul 2016, at 12:28, Mateusz Piotrowski <0mp@freebsd.org> wrote:
> > 
> > type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add rule" key=(null) list=4 res=1
> > As you can see, there is a res field whose value is 1.
> > 
> > Is it because my auditd is outdated? Is there a missing res field which is
> > purely numeric (just like the fields called fp [3])?

No. There is inconsistency because different people do it their way without 
regard for anyone who is trying to make sense of the audit trail. This is why 
I have published so many specifications. I want to point to the docs and say 
you have to conform. And this is also why I want to write a validation suite. 
We need to find all the outliers and fix them.

-Steve

> > As Steve said in previous emails, it is possible and it might be fixed
> > already. I’ll try to find out if I get similar logs with the latest
> > auditd (2.6.5) on CentOS 6.8-i386 later.
>
> I confirm that it is possible to generate a type=CONFIG_CHANGE record with a
> res=1 field on CentOS 6.8 with auditd v2.6.5.
> 
> Cheers
> 
> -m
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
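The records Mateusz posted (res=success carried inside the msg='...' list of the PAM records, a bare res=1 on the CONFIG_CHANGE record) and Steve's point that a validation suite is needed to find such outliers come down to the same parsing job. The Python below is an added example, not code from this thread or from the audit-userspace project: it parses those three records, reads res from either the top level or the nested msg='...' list, normalises it, and reports every record whose res value is not the documented success/fail. The numeric mapping used for normalisation (1 to success, 0 to fail) is an assumption made here for illustration; the thread itself does not state what the 1 means.

```python
"""Parse Linux audit records and flag non-conforming res= values.

Added example, not code from the thread or the audit project. The three
sample records are copied from the thread (constructed copy; the closing
quote of the USER_END record is a plain apostrophe here). ASSUMPTION: a
numeric res of 1/0 is normalised to success/fail.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
type=USER_START msg=audit(1464013671.525:405): pid=3569 uid=0 auid=1000 ses=7 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add rule" key=(null) list=4 res=1
type=USER_END msg=audit(1464013671.549:407): pid=3569 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
"""

# type=X msg=audit(seconds.millis:serial): <key=value list>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value where value is single-quoted, double-quoted, the literal (null)
# or a bare token; single-quoted values may themselves contain key=value pairs.
KV_RE = re.compile(r"""(?P<key>[A-Za-z0-9_-]+)=(?P<val>'[^']*'|"[^"]*"|\(null\)|\S+)""")

# The values the field dictionary documents for res, as described in the thread.
SPEC_VALUES = {"success", "fail"}
# Extra spellings accepted when normalising. ASSUMPTION: 1/0 mean success/fail;
# "failed" is the spelling PAM records use.
ALIASES = {"failed": "fail", "1": "success", "0": "fail"}


@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: Dict[str, str] = field(default_factory=dict)  # top-level pairs
    nested: Dict[str, str] = field(default_factory=dict)  # pairs inside msg='...'


def _unquote(val: str) -> str:
    if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
        return val[1:-1]
    return val


def parse_fields(body: str) -> Dict[str, str]:
    return {m["key"]: _unquote(m["val"]) for m in KV_RE.finditer(body)}


def parse_record(line: str) -> AuditRecord:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rec = AuditRecord(m["type"], float(m["ts"]), int(m["serial"]))
    rec.fields = parse_fields(m["body"])
    # User-space records carry a second key=value list inside msg='...';
    # keep it separate so its keys cannot collide with the top-level ones.
    if "msg" in rec.fields:
        rec.nested = parse_fields(rec.fields.pop("msg"))
    return rec


def res_value(rec: AuditRecord) -> Optional[str]:
    """Raw res= value, whether it sits at top level or inside msg='...'."""
    return rec.fields.get("res", rec.nested.get("res"))


def normalize_res(raw: Optional[str]) -> Optional[str]:
    """Map a raw res value to 'success'/'fail'; None if unrecognised."""
    if raw is None:
        return None
    low = raw.lower()
    return low if low in SPEC_VALUES else ALIASES.get(low)


def _records(log: str):
    return (parse_record(l) for l in log.splitlines() if l.strip())


def find_res_outliers(log: str) -> List[Tuple[int, str, str]]:
    """(serial, type, raw res) for records whose res is not a documented value.

    This is the list a validation suite would report so the emitting code
    can be brought into line with the field dictionary.
    """
    return [(r.serial, r.type, raw)
            for r in _records(log)
            if (raw := res_value(r)) is not None and raw.lower() not in SPEC_VALUES]


def outcome_by_serial(log: str) -> Dict[int, Optional[str]]:
    """Normalised outcome of every record, keyed by audit serial number."""
    return {r.serial: normalize_res(res_value(r)) for r in _records(log)}


if __name__ == "__main__":
    for serial, rtype, raw in find_res_outliers(SAMPLE_LOG):
        print(f"serial {serial} ({rtype}): res={raw!r} is not success/fail")
    print(outcome_by_serial(SAMPLE_LOG))
```

Run it on the sample and the CONFIG_CHANGE record (serial 406) is the only outlier; the normaliser still resolves all three records to success, which is what a detection pipeline wants while the emitting code is fixed upstream.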




