On Monday, December 01, 2014 09:51:47 PM Richard Guy Briggs wrote:
> On 14/12/01, Steve Grubb wrote:
> > On Monday, November 24, 2014 08:23:26 PM Guillaume Destuynder wrote:
> > > On our RHEL6 machines, with kernel 2.6.32, we noticed that sometimes an audit message comes in but libaudit does not see it as the same event.
> > >
> > > The milliseconds field of the timestamp differs (but the timestamp seconds and event serial are identical).
> >
> > This seems to be a bug in the kernel code. It's a fundamental principle that all records that make up an event have the same time stamp and serial number.
>
> Is it? I don't know if there is any value in serializing the parts that make up one event.
Yes it is. This is a day 1 design decision. The serial number is to differentiate events within the same millisecond. It's not to be an identifier that alone is used for serialization. Without this ordering, we cannot glue all the parts of the event back together because the kernel _itself_ does not serialize events. Events can come out intermingled.

The original design:
https://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.5-rc1/2.6.5-rc1-mm2/broken-out/lightweight-auditing-framework.patch

excerpt:

    The timestamp of the record and this serial number are used by the
    user-space daemon to determine which pieces belong to the same audit
    record. The (timestamp,serial) tuple is unique for each syscall and is
    live from syscall entry to syscall exit.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
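The grouping rule quoted above, as an added Python example that is not code from the thread or from libaudit: it keys records on the (timestamp, serial) tuple the way the daemon does, once including the millisecond field and once ignoring it, over constructed sample records that reproduce the mismatch Guillaume described, and reports which events would be split.

```python
import re
from collections import OrderedDict

# Every kernel audit record starts with: type=<TYPE> msg=audit(<sec>.<ms>:<serial>):
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<sec>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\):"
)

# Constructed sample: one open() event whose PATH record carries a different
# millisecond value than its SYSCALL/CWD records, followed by a second event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1417474307.123:4021): arch=c000003e syscall=2 success=yes exit=3
type=CWD msg=audit(1417474307.123:4021): cwd="/root"
type=PATH msg=audit(1417474307.124:4021): item=0 name="/etc/passwd"
type=SYSCALL msg=audit(1417474307.124:4022): arch=c000003e syscall=59 success=yes exit=0
"""


def group_events(lines, strict=True):
    """Group raw records into events, preserving arrival order.

    strict=True  keys on (sec, ms, serial), i.e. the full (timestamp, serial)
                 tuple; records whose milliseconds differ become separate events.
    strict=False keys on (sec, serial) only, ignoring the millisecond field.
    Returns an ordered mapping of key -> list of record types.
    """
    events = OrderedDict()
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            continue  # continuation or non-audit line; skip
        sec, ms, serial = int(m["sec"]), int(m["ms"]), int(m["serial"])
        key = (sec, ms, serial) if strict else (sec, serial)
        events.setdefault(key, []).append(m["type"])
    return events


def find_split_events(lines):
    """Return (sec, serial) pairs seen with more than one millisecond value,
    i.e. events that strict grouping would break into pieces."""
    ms_by_event = {}
    for (sec, ms, serial) in group_events(lines, strict=True):
        ms_by_event.setdefault((sec, serial), set()).add(ms)
    return sorted(k for k, ms_set in ms_by_event.items() if len(ms_set) > 1)


if __name__ == "__main__":
    for key, types in group_events(SAMPLE_LOG.splitlines()).items():
        print(key, types)
    print("split events:", find_split_events(SAMPLE_LOG.splitlines()))
```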
