On Monday 22 September 2008 20:57:59 Miloslav Trmač wrote:
> LC Bruzenak wrote on Mon 22. 09. 2008 at 19:38 -0500:
> > On Mon, 2008-09-22 at 23:30 +0000, Miloslav Trmač wrote:
> > > > node=hugo type=AVC msg=audit(0.000:6760): <SNIP> comm="lockd"
> > >
> > > I'm curious how this audit record could have been created (notable is
> > > that the previous record has a sequence ID 6758 and a reasonable
> > > timestamp). Lenny, Steve, any ideas?
> >
> > I found a couple more:
> >
> > [EMAIL PROTECTED] ~]# grep "(0.000:" /var/log/audit/audit.log*
> > <SNIP> type=AVC msg=audit(0.000:6760): <SNIP> comm="lockd"
> > <SNIP> type=AVC msg=audit(0.000:381): <SNIP> comm="nfsd4"
>
> I think I can see what's going on. Those are kernel threads; when they
> are created, an audit context is created and zeroed. The timestamp is
> set on system call entry in ordinary threads, but there is no system
> call entry in kernel threads, so the original zero timestamp is used in
> all audit records related to kernel threads.
>
> I'm not sure how to fix it, though. Perhaps identify "operation start"
> points in kernel threads, and update the timestamps in their audit
> contexts at that time?
Eric, Al,

Any ideas how to fix this?

Thanks,
-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
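The grep above only matches the literal `(0.000:` prefix. As an added example (not part of the thread, and not the audit subsystem's own code), the following parser pulls the timestamp, serial and `comm` out of each audit record, flags every record whose audit context still carries the zeroed timestamp, and pairs each hit with the timestamp of the last normally stamped record so the out-of-place serial is visible in context. The sample log lines are constructed to resemble the records quoted in the thread; the `SYSCALL` lines, pids and timestamps are made up.

```python
import re
from typing import Dict, List, Optional

# Every audit record carries msg=audit(<seconds>.<millis>:<serial>).
STAMP_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
COMM_RE = re.compile(r'comm="([^"]*)"')
TYPE_RE = re.compile(r"\btype=(\S+)")


def parse_record(line: str) -> Optional[Dict]:
    """Extract timestamp, serial, type and comm from one audit.log line.
    Returns None for lines that carry no audit stamp."""
    m = STAMP_RE.search(line)
    if not m:
        return None
    secs, millis, serial = m.groups()
    comm = COMM_RE.search(line)
    typ = TYPE_RE.search(line)
    return {
        "time": float(f"{secs}.{millis}"),
        "serial": int(serial),
        "type": typ.group(1) if typ else "",
        "comm": comm.group(1) if comm else "",
    }


def find_zero_timestamp_records(lines: List[str]) -> List[Dict]:
    """Return records stamped 0.000, i.e. records emitted from an audit
    context whose timestamp was never set (the kernel-thread case above).
    Each hit also records the timestamp of the nearest preceding normally
    stamped record, so the serial can be placed in the log's real timeline."""
    hits, last_good = [], None
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["time"] == 0.0:
            hits.append({**rec, "prev_time": last_good})
        else:
            last_good = rec["time"]
    return hits


# Constructed sample log (hypothetical values, modelled on the thread's records).
SAMPLE_LOG = [
    'node=hugo type=SYSCALL msg=audit(1222119000.123:6758): success=yes comm="bash"',
    'node=hugo type=AVC msg=audit(0.000:6760): avc: denied pid=2543 comm="lockd"',
    'node=hugo type=AVC msg=audit(0.000:381): avc: denied pid=2222 comm="nfsd4"',
    'node=hugo type=SYSCALL msg=audit(1222119001.456:6761): success=yes comm="cron"',
]

if __name__ == "__main__":
    for h in find_zero_timestamp_records(SAMPLE_LOG):
        print(f"serial={h['serial']} type={h['type']} comm={h['comm']} prev_time={h['prev_time']}")
```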
