On 14/06/17, Eric Paris wrote: > On Tue, 17 Jun 2014 16:09:32 +0200 > Laurent Bigonville <bi...@debian.org> wrote: > > Le Tue, 17 Jun 2014 09:29:21 -0400, > > Steve Grubb <sgr...@redhat.com> a écrit : > > > > > On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote: > > [...] > > > > I'd call this a pretty clear userspace bug where it just > > > > completely drops records, even if it can't parse them... > > > > > > That theory can be tested by using: > > > > > > ausearch --start this-week --debug > /dev/null > > > > > > Anything that gets tossed out will be reported to stderr. > > > > I'm getting indeed quite a lot of skipped event: > > > > Malformed event skipped, rc=7. type=LOGIN > > msg=audit(1402934401.462:1626): pid=1719 uid=0 old-auid=4294967295 > > new-auid=0 old-ses=4294967295 new-ses=121 res=1 > > This feel like 2 clear bugs. > > 1) The kernel records for LOGIN are 'malformed' in 3.14.
Yes. That's why it got fixed for 3.15. 5ee9a75 audit: fix dangling keywords in audit_log_set_loginuid() output introduced it between 3.13 and 3.14-rc1 aa589a1 audit: remove superfluous new- prefix in AUDIT_LOGIN messages fixed it between 3.14 and 3.15-rc1 So it is fine in 3.15. > 2) Userspace silently throws records which are 'malformed' away, instead > of just printing them... So according to Linus, we (I) violated the "thou shalt not break userspace" golden rule with the second patch. But it was already broken according to Steve which is why the first patch was submitted. > ausearch -m LOGIN should be able to display these things... Agreed. One lesson here? Let's get a minimum useful subset of http://people.redhat.com/sgrubb/audit/audit-parse.txt into linux-2.6/Documentation/ tree to try to avoid this issue in the future. - RGB -- Richard Guy Briggs <rbri...@redhat.com> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit