From: Mateusz Piotrowski <0mp@freebsd.org>
To: linux-audit@redhat.com
Cc: Konrad Witaszczyk
Subject: The res field has a value of 1 instead of either success or fail
Date: Tue, 19 Jul 2016 12:28:00 +0200
Message-ID: <1DCCD2B1-2986-49D0-A204-C9246F3E1F12@FreeBSD.org>

Hello,

According to this [1] and the definition of the res field here [2], the res field should have a value of either success or fail.

Here are some logs I generated on Debian:

type=USER_START msg=audit(1464013671.525:405): pid=3569 uid=0 auid=1000 ses=7 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add rule" key=(null) list=4 res=1
type=USER_END msg=audit(1464013671.549:407): pid=3569 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'

As you can see, there is a res field whose value is 1.

Is it because my auditd is outdated? Is there a missing res field which is purely numeric (just like the fields called fp [3])?

As Steve said in previous emails, it is possible and it might be fixed already. I'll try to find out if I get similar logs with the latest auditd (2.6.5) on CentOS 6.8-i386 later.

Cheers!

-m

[1]: https://github.com/linux-audit/audit-userspace/blob/ac9384a884841ef66b4cae42884d9e63d0b6a438/auparse/typetab.h#L79-L80
[2]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L186
[3]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L62-L63
From: Mateusz Piotrowski <0mp@freebsd.org>
To: linux-audit@redhat.com
Cc: Konrad Witaszczyk
Subject: Re: The res field has a value of 1 instead of either success or fail
Date: Wed, 20 Jul 2016 11:25:19 +0200
Message-ID: <68967373-F5EC-4790-B7F0-DFD35220B0A8@FreeBSD.org>
In-Reply-To: <1DCCD2B1-2986-49D0-A204-C9246F3E1F12@FreeBSD.org>

Hello,

> On 19 Jul 2016, at 12:28, Mateusz Piotrowski <0mp@freebsd.org> wrote:
> 
> type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add rule" key=(null) list=4 res=1
> As you can see, there is a res field whose value is 1.
> 
> Is it because my auditd is outdated? Is there a missing res field which is purely numeric (just like the fields called fp [3])?
> 
> As Steve said in previous emails, it is possible and it might be fixed already. I'll try to find out if I get similar logs with the latest auditd (2.6.5) on CentOS 6.8-i386 later.

I confirm that it is possible to generate a type=CONFIG_CHANGE record with a res=1 field on CentOS 6.8 with auditd v2.6.5.

Cheers

-m

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

From: Steve Grubb
To: linux-audit@redhat.com
Cc: Konrad Witaszczyk
Subject: Re: The res field has a value of 1 instead of either success or fail
Date: Wed, 20 Jul 2016 09:17:49 -0400
Message-ID: <3334207.ycjxCksCQn@x2>
In-Reply-To: <68967373-F5EC-4790-B7F0-DFD35220B0A8@FreeBSD.org>

On Wednesday, July 20, 2016 11:25:19 AM EDT Mateusz Piotrowski wrote:
> Hello,
> 
> > On 19 Jul 2016, at 12:28, Mateusz Piotrowski <0mp@freebsd.org> wrote:
> > 
> > type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add rule" key=(null) list=4 res=1
> > As you can see, there is a res field whose value is 1.
> > 
> > Is it because my auditd is outdated? Is there a missing res field which is purely numeric (just like the fields called fp [3])?

No. There is inconsistency because different people do it their way without regard for anyone who is trying to make sense of the audit trail. This is why I have published so many specifications. I want to point to the docs and say you have to conform. And this is also why I want to write a validation suite. We need to find all the outliers and fix them.

-Steve

> > As Steve said in previous emails, it is possible and it might be fixed already. I'll try to find out if I get similar logs with the latest auditd (2.6.5) on CentOS 6.8-i386 later.
>
> I confirm that it is possible to generate a type=CONFIG_CHANGE record with a res=1 field on CentOS 6.8 with auditd v2.6.5.
> 
> Cheers
> 
> -m
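The records from the first message, run through a small audit-record parser and the kind of res-conformance check that Steve's validation suite would need in order to surface outliers like the CONFIG_CHANGE line. This is an added example, not code from the thread or from audit-userspace: the three sample records are copied from Mateusz's first message, and the mapping of a numeric res (1 to success, 0 to fail) is an assumption made here for normalization, not something the thread states. The checker still reports numeric values as non-conforming, because the documented spellings are only success and fail.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample records copied from the first message of this thread (one line per record).
SAMPLE_RECORDS: List[str] = [
    "type=USER_START msg=audit(1464013671.525:405): pid=3569 uid=0 auid=1000 ses=7 "
    "msg='op=PAM:session_open acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? "
    "terminal=/dev/pts/1 res=success'",
    "type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 "
    "op=\"add rule\" key=(null) list=4 res=1",
    "type=USER_END msg=audit(1464013671.549:407): pid=3569 uid=0 auid=1000 ses=7 "
    "msg='op=PAM:session_close acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? "
    "terminal=/dev/pts/1 res=success'",
]

# The values the field dictionary documents for res.
CONFORMING_RES = {"success", "fail"}

# Assumption made in this example, not stated in the thread: a numeric res is a
# C-style boolean, so 1 means success and 0 means fail.
NUMERIC_RES = {"1": "success", "0": "fail"}

# Every record starts with "type=<TYPE> msg=audit(<seconds>.<millis>:<serial>):".
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value pairs; a value is single-quoted (nested pairs), double-quoted, or bare.
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S*)""")


def parse_fields(text: str) -> Dict[str, str]:
    """Split key=value pairs. A single-quoted value (msg='op=... res=...') holds a
    nested list of pairs, so it is parsed recursively and flattened into the result."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(text):
        if len(raw) >= 2 and raw.startswith("'") and raw.endswith("'"):
            fields.update(parse_fields(raw[1:-1]))
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        else:
            fields[key] = raw  # bare values such as 3569, ?, (null), /dev/pts/1, 1
    return fields


def parse_record(line: str) -> Dict[str, str]:
    """Parse one audit record into a flat dict with type, time and serial added."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an audit record: {line!r}")
    fields = {"type": m["type"], "time": m["time"], "serial": m["serial"]}
    fields.update(parse_fields(m["rest"]))
    return fields


def check_res(fields: Dict[str, str]) -> Tuple[Optional[str], bool]:
    """Return (normalized res, conforms).

    conforms is True only for the documented spellings. A numeric value is
    normalized under the assumption above but still reported as non-conforming,
    because that is exactly the outlier a validation suite should surface."""
    raw = fields.get("res")
    if raw is None:
        return None, True          # record type without a res field: nothing to check
    if raw in CONFORMING_RES:
        return raw, True
    if raw in NUMERIC_RES:
        return NUMERIC_RES[raw], False
    return raw, False              # unknown spelling: keep it visible, do not guess


def find_outliers(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(type, serial, raw res) for every record whose res is not success/fail."""
    outliers = []
    for line in lines:
        fields = parse_record(line)
        _, conforms = check_res(fields)
        if not conforms:
            outliers.append((fields["type"], fields["serial"], fields["res"]))
    return outliers


if __name__ == "__main__":
    for rec_type, serial, raw in find_outliers(SAMPLE_RECORDS):
        print(f"non-conforming res={raw!r} in type={rec_type} serial={serial}")
```

Run against the three sample records, only the CONFIG_CHANGE record (serial 406, res=1) is reported; the two PAM records pass because they use the documented spelling. Keeping the raw value in the report, rather than silently normalizing it, is what makes the check useful for the kind of outlier hunt Steve describes.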