From: Guillaume Destuynder
Subject: [PATCH] auparse.c events_are_equal() and event matching
Date: Mon, 24 Nov 2014 20:23:26 -0800
Message-ID: <5474043E.4010407@mozilla.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

On our RHEL6 machines, with kernel 2.6.32, we noticed that sometimes an audit message comes in but libaudit does not see it as the same event. The milliseconds field of the timestamp differs (but the timestamp seconds and event serial are identical).

The check to determine if 2 messages are part of the same event is done by events_are_equal() in auparse/auparse.c (audit userspace library). There is a comment that indicates that this is voluntary; however, I could not find why. I suspect this is for searches over long periods of time when the serial may roll over.

In case this was simply overlooked, I'm attaching a patch that fixes it for us. It keeps the timestamp check for the seconds, which works fine and would still work with serial rolling over.
Again, it's relatively rare in our logs that the timestamp's millisecond field differs, and we log very heavily, so it's not that easy to reproduce.

Thanks!
Guillaume

Index: trunk/auparse/auparse.c =================================================================== --- trunk/auparse/auparse.c (revision 1063) +++ trunk/auparse/auparse.c (working copy) @@ -752,10 +752,10 @@ static int inline events_are_equal(au_event_t *e1, au_event_t *e2) { - // Check time & serial first since its most likely way - // to spot 2 different events - if (!(e1->serial == e2->serial && e1->milli == e2->milli && - e1->sec == e2->sec)) + // Check serial and timestamp - but not milliseconds + // as, even if rare, these may not match for the same message due to + // kernel processing delays + if (!(e1->serial == e2->serial && e1->sec == e2->sec)) return 0; // Hmm...same so far, check if both have a host, only a string // compare can tell if they are the same. Otherwise, if only one
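Review bot: the hunk relaxes event identity from (serial, sec, milli) to (serial, sec) on the strength of a new comment that names a cause ("kernel processing delays") which the cover mail itself says it could not confirm, so any two records that differ only in the millisecond field will now always be stitched into one event; before the check is loosened, the commit message should say where the differing millisecond value comes from (a captured pair of records from the RHEL6 logs showing the same serial and second with different milliseconds would do), so a reviewer can tell a delayed record from a genuinely different event that shares a serial within the same second, which is exactly the roll-over case the mail raises. The deleted comment also carried a detail worth keeping: this check sits first because it is the cheapest way to rule out two different events. Minor style point: "Check serial and timestamp - but not milliseconds" reads clearer as "Check serial and timestamp seconds, but not milliseconds", since `e1->sec` is still compared.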
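To make the effect of the proposed change concrete, here is an added example in C. It is not part of the patch or of the audit userspace library: it parses the `audit(SEC.MILLI:SERIAL)` header the kernel stamps on each record (a real format; the sample records below are constructed), and groups consecutive records into events using either the strict key (serial, sec, milli) that auparse used before the patch or the relaxed key (serial, sec) the patch proposes. The `ev_key` struct and the function names are this example's own, not auparse's.

```c
/* Added example, not code from the auparse patch or the audit userspace
 * library. Shows how the event-identity check discussed in the mail
 * decides whether consecutive records belong to one event. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the three identity fields of au_event_t
 * (the real struct has more members). */
struct ev_key {
    unsigned long sec;
    unsigned int milli;
    unsigned long serial;
};

/* Extract sec, milli and serial from a record line such as
 * "type=SYSCALL msg=audit(1416888206.123:4567): ...".
 * Returns 1 on success, 0 if the header is absent or malformed. */
int parse_audit_header(const char *line, struct ev_key *k)
{
    const char *p = strstr(line, "audit(");
    if (!p)
        return 0;
    return sscanf(p, "audit(%lu.%u:%lu)", &k->sec, &k->milli, &k->serial) == 3;
}

/* Strict comparison: the check auparse applied before the patch. */
int events_equal_strict(const struct ev_key *a, const struct ev_key *b)
{
    return a->serial == b->serial && a->sec == b->sec && a->milli == b->milli;
}

/* Relaxed comparison: the check the patch proposes (milliseconds ignored). */
int events_equal_relaxed(const struct ev_key *a, const struct ev_key *b)
{
    return a->serial == b->serial && a->sec == b->sec;
}

/* Count how many distinct events a run of consecutive records forms under
 * the given comparison, the way a reader stitching records into events
 * would. Returns -1 if any line cannot be parsed. */
int count_events(const char *const *lines, size_t n,
                 int (*equal)(const struct ev_key *, const struct ev_key *))
{
    struct ev_key prev, cur;
    int events = 0;
    for (size_t i = 0; i < n; i++) {
        if (!parse_audit_header(lines[i], &cur))
            return -1;
        if (i == 0 || !equal(&prev, &cur))
            events++;
        prev = cur;
    }
    return events;
}

/* Constructed sample: three records of one event, the second of which
 * carries a different millisecond value (the situation the mail reports),
 * followed by one record of a distinct event. */
static const char *const sample[] = {
    "type=SYSCALL msg=audit(1416888206.123:4567): arch=c000003e syscall=59 success=yes",
    "type=EXECVE msg=audit(1416888206.124:4567): argc=2 a0=\"ls\" a1=\"-l\"",
    "type=CWD msg=audit(1416888206.123:4567): cwd=\"/home/user\"",
    "type=SYSCALL msg=audit(1416888207.001:4568): arch=c000003e syscall=2 success=yes",
};
static const size_t sample_n = sizeof(sample) / sizeof(sample[0]);

int main(void)
{
    /* Strict splits the first event into three; relaxed keeps it whole. */
    printf("strict : %d events\n", count_events(sample, sample_n, events_equal_strict));
    printf("relaxed: %d events\n", count_events(sample, sample_n, events_equal_relaxed));
    return 0;
}
```

Under the strict key the four sample records come out as four events, because every millisecond change starts a new one; under the relaxed key they come out as two. The same run also shows the trade-off the review raises: with the relaxed key, a genuinely different event that reused serial 4567 within second 1416888206 would be merged too.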