From: Burn Alting
Subject: Found (and fixed) ausearch checkpoint bug
Date: Sun, 23 Dec 2018 10:01:43 +1100
To: linux-audit@redhat.com

When running ausearch against a single file with the --checkpoint option, the file's device number and inode are not recorded in the resultant checkpoint file.

That is for the most recent released audit package

[root@auditdtest audit-userspace]# rpm -q audit
audit-3.0-0.5.20181218gitbdb72c0.fc29.x86_64

We see the error via

[root@auditdtest audit-userspace]# rm -f /tmp/checkpoint.txt; ausearch --input /var/log/audit/audit.log.2 --checkpoint /tmp/checkpoint.txt > /dev/null; cat /tmp/checkpoint.txt
dev=0x0
inode=0
output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514

Which is incorrect. The following is correct.

[root@auditdtest audit-userspace]# rm -f /tmp/checkpoint.txt; ./src/.libs/ausearch --input /var/log/audit/audit.log.2 --checkpoint /tmp/checkpoint.txt > /dev/null; cat /tmp/checkpoint.txt
dev=0xFD00
inode=25326469
output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514
[root@auditdtest audit-userspace]#

A Pull Request with the fix has been submitted on github - https://github.com/linux-audit/audit-userspace/pull/77

Regards
Burn
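The report shows the symptom by hand: a checkpoint whose dev/inode lines are zero cannot identify the log file it came from, so a later ausearch --checkpoint run cannot tell whether it is resuming against the same file. The following is an added example, not code from the report or from the audit-userspace project. It parses the three-line checkpoint layout shown above (dev=, inode=, output=) and compares it against the stat of the log file, flagging both the zeroed values from the bug and a checkpoint that points at a different file. It assumes that dev and inode are the st_dev/st_ino of the input file (consistent with the correct output above, where 0xFD00 is major 253, minor 0); the scratch log content and the checkpoint texts are constructed for the demonstration.

```python
"""Validate an ausearch --checkpoint file against the log it was written for.

Added example: not part of the original report or of audit-userspace.
Assumes the checkpoint layout shown in the report and that dev/inode are
the st_dev/st_ino of the input log file.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# Constructed from the report: what the buggy ausearch wrote for a single --input file.
BAD_CHECKPOINT = """dev=0x0
inode=0
output=auditdtest.auditd.test.dom 1545477871.508:116403 0x514
"""

DEV_RE = re.compile(r"^dev=0x([0-9A-Fa-f]+)$")
INODE_RE = re.compile(r"^inode=(\d+)$")
OUTPUT_RE = re.compile(r"^output=(\S+) (\d+)\.(\d+):(\d+) 0x([0-9A-Fa-f]+)$")


@dataclass
class Checkpoint:
    dev: int        # st_dev of the log file ausearch was reading (hex in the file)
    inode: int      # st_ino of that file
    node: str       # node name of the last event written
    seconds: int    # timestamp of the last event, seconds part
    millis: int     # timestamp of the last event, milliseconds part
    serial: int     # serial number of the last event
    last_type: int  # record type of the last record handled (hex in the file)


def parse_checkpoint(text: str) -> Checkpoint:
    """Parse the three checkpoint lines; raise ValueError on any other layout."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 3:
        raise ValueError(f"expected 3 checkpoint lines, got {len(lines)}")
    m_dev = DEV_RE.match(lines[0])
    m_ino = INODE_RE.match(lines[1])
    m_out = OUTPUT_RE.match(lines[2])
    if not (m_dev and m_ino and m_out):
        raise ValueError("checkpoint line does not match the expected layout")
    return Checkpoint(
        dev=int(m_dev.group(1), 16),
        inode=int(m_ino.group(1)),
        node=m_out.group(1),
        seconds=int(m_out.group(2)),
        millis=int(m_out.group(3)),
        serial=int(m_out.group(4)),
        last_type=int(m_out.group(5), 16),
    )


def check_checkpoint(text: str, log_path: str) -> List[str]:
    """Return the inconsistencies found; an empty list means the checkpoint
    really refers to log_path and is safe to resume from."""
    cp = parse_checkpoint(text)
    problems = []
    if cp.dev == 0 or cp.inode == 0:
        problems.append("dev/inode not recorded (zeroed, the symptom in the report)")
    st = os.stat(log_path)
    if cp.dev and cp.dev != st.st_dev:
        problems.append(f"dev 0x{cp.dev:X} != 0x{st.st_dev:X} of {log_path}")
    if cp.inode and cp.inode != st.st_ino:
        problems.append(f"inode {cp.inode} != {st.st_ino} of {log_path}")
    return problems


def write_checkpoint(log_path: str, node: str, seconds: int, millis: int,
                     serial: int, last_type: int) -> str:
    """Build checkpoint text for log_path with dev/inode taken from its stat
    (the assumed layout of a correctly written checkpoint)."""
    st = os.stat(log_path)
    return (f"dev=0x{st.st_dev:X}\ninode={st.st_ino}\n"
            f"output={node} {seconds}.{millis:03d}:{serial} 0x{last_type:X}\n")


def self_check():
    """Check both checkpoints against a scratch log file; returns
    (problems for the zeroed checkpoint, problems for a correct one)."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as f:
        f.write("type=SYSCALL msg=audit(1545477871.508:116403): ...\n")  # constructed stand-in
        path = f.name
    try:
        good = write_checkpoint(path, "auditdtest.auditd.test.dom",
                                1545477871, 508, 116403, 0x514)
        return check_checkpoint(BAD_CHECKPOINT, path), check_checkpoint(good, path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    bad, good = self_check()
    print("zeroed checkpoint:", bad)
    print("correct checkpoint:", good)
```

Run it against a real checkpoint with check_checkpoint(open("/tmp/checkpoint.txt").read(), "/var/log/audit/audit.log.2"); a non-empty result means a resumed search would either start from scratch or, worse, silently apply a position from one file to another after log rotation.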