On Sunday, May 12, 2013 09:30:48 AM Burn Alting wrote: > Hmmm ... lets try that again with the correct and working patch.
Applied with one change. I also looked for more instances of the same coding pattern and fixed several more. Thanks for reporting this. -Steve > On Sun, 2013-05-12 at 09:14 +1000, Burn Alting wrote: > > And the trivial patch to fix is attached. > > > > Also in the patch is a minor fix to display the clone flag value of 0 as > > 0x0 for consistency. > > > > On Sat, 2013-05-11 at 10:42 +1000, Burn Alting wrote: > > > Steve, > > > > > > Before I send my patches out, I noticed in some testing of the svn code, > > > that some interpretation of the a2 and a3 keys has resulted in null > > > output if the raw data was 0. For example > > > > > > raw: > > > node=swtf5.swtf.dyndns.org type=SYSCALL > > > msg=audit(1367146452.398:27817): arch=c000003e syscall=45 > > > success=no exit=-11 a0=6 a1=2546a04 a2=1000 a3=0 items=0 > > > ppid=798 pid=1227 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 > > > egid=42 sgid=42 fsgid=42 ses=1 tty=(none) comm="gnome-shell" > > > exe=2F7573722F62696E2F676E6F6D652D7368656C6C202864656C6574656429 > > > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key="all" > > > > > > 2.3 output > > > > > > < node=swtf5.swtf.dyndns.org type=SYSCALL msg=audit(04/28/2013 > > > 20:54:12.398:27817) : arch=x86_64 syscall=recvfrom success=no > > > exit=-11(Resource temporarily unavailable) a0=0x6 a1=0x2546a04 > > > a2=0x1000 a3=0x0 items=0 ppid=798 pid=1227 auid=gdm uid=gdm > > > gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm > > > ses=1 tty=(none) comm=gnome-shell exe=/usr/bin/gnome-shell > > > (deleted) subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=all > > > --- > > > > > > svn > > > > > > > node=swtf5.swtf.dyndns.org type=SYSCALL msg=audit(04/28/2013 > > > > > > 20:54:12.398:27817) : arch=x86_64 syscall=recvfrom success=no > > > exit=-11(Resource temporarily unavailable) a0=0x6 a1=0x2546a04 > > > a2=0x1000 a3= items=0 ppid=798 pid=1227 auid=gdm uid=gdm gid=gdm > > > euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm ses=1 > > > tty=(none) comm=gnome-shell exe=/usr/bin/gnome-shell (deleted) > > > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=all > > > > > > This appears to occur for recvfrom, sendmsg, sendto. I've yet to look > > > for other syscalls that it effects. > > > > > > Rgds > > > > > > On Tue, 2013-05-07 at 19:29 +1000, Burn Alting wrote: > > > > Thanks Steve, > > > > > > > > I will check it out and re-fit patches over the next few days and > > > > submit > > > > individual patches for review. > > > > > > > > Rgds > > > > > > > > Burn > > > > > > > > On Mon, 2013-05-06 at 18:04 -0400, Steve Grubb wrote: > > > > > On Monday, May 06, 2013 09:53:40 AM Steve Grubb wrote: > > > > > > > - a new option will print out more parser friendly > > > > > > > output for > > > > > > > interpreted mode > > > > > > > > > > > > I am in the midst of coalescing the interpreters into one. I know > > > > > > this > > > > > > sounds crazy, but ausearch and auparse both had independent > > > > > > copies of > > > > > > nearly the same material. The problem was they both keep data > > > > > > formatted > > > > > > completely different and that made combining them a challenge. I > > > > > > think > > > > > > auparse has a faster lookup algorithm but it allocates memory for > > > > > > the > > > > > > translation. So, I hope they cancel each other out. > > > > > > > > > > > > My point in mentioning this is that I am probably in the middle of > > > > > > changing > > > > > > code you hooked into. The work is checked in but still in > > > > > > progress. The > > > > > > first step was to create a common API for 3 functions used in > > > > > > translating > > > > > > fields. (This is checked in.) The next step is to link ausearch > > > > > > against > > > > > > auparse with the ausearch functions commented out. The final step > > > > > > is to > > > > > > remove all the unneeded code from ausearch. (I should be doing > > > > > > this today.) > > > > > > > > > > All changes are checked into svn for this interpreter switch over. > > > > > So far my testing shows that although ausearch malloc/frees about 6 > > > > > times as much as it used to, the lookup algorithms in auparse are > > > > > superior and we actually have about a 20% speed improvement in the > > > > > outputting of interpreted results. Searching is not any faster. > > > > > > > > > > At this point, the code should be stable in this area if you want to > > > > > retest > > > > > and start sending patches. > > > > > > > > > > Thanks, > > > > > -Steve > > > > > > > > -- > > > > Linux-audit mailing list > > > > [email protected] > > > > https://www.redhat.com/mailman/listinfo/linux-audit > > > > > > -- > > > Linux-audit mailing list > > > [email protected] > > > https://www.redhat.com/mailman/listinfo/linux-audit > > > > -- > > Linux-audit mailing list > > [email protected] > > https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
