I just reran the stress test using audit 8-1 and the .40 kernel, and I have a question about the continuation of records from one log file to another.
End of audit.log.1:
type=PATH msg=audit(1116457159.607:12637620): item=0 name="stress2_dir"
type=SYSCALL msg=audit(1116457159.607:12637620): syscall=90 arch=c000003e success=no
exit=-2 a0=7fbffffb80 a1=0 a2=ffffffffffffffc0 a3=7 items=1
pid=24388 loginuid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 comm="stress2_test"
exe="/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress2_test"
type=PATH msg=audit(1116457159.607:12637634): item=0 name="stress2_dir"
inode=5111949 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
Start of audit.log.2:
type=PATH msg=audit(1116457158.064:12321219): item=0 name="stress1_dir"
inode=5111949 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1116457158.064:12321219): syscall=83 arch=c000003e success=yes
exit=0 a0=7fbffffbe0 a1=1ff a2=402136 a3=0 items=1 pid=24343
loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="stress1_test"
exe="/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress1_test"
type=PATH msg=audit(1116457158.064:12321233): item=0 name="stress1_dir"
inode=5111963 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
Start of audit.log:
type=SYSCALL msg=audit(1116457159.607:12637634): syscall=84 arch=c000003e success=no
exit=-2 a0=7fbffffb80 a1=2 a2=ffffffffffffffc0
a3=5f32737365727473 items=1 pid=24388 loginuid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 comm="stress2_test"
exe="/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress2_test"
I was expecting the SYSCALL line for (1116457159.607:12637634) at the start of audit.log.2, but it is at the start of audit.log. Can you explain the rotation order to me? Thanks!
Kris Wilson
Linux Security
(512) 838-0126 T/L:678-0126
krisw(a)us.ibm.com
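As an added example (not part of the message above, and not code from the audit project): a small Python script that reads the `msg=audit(TIMESTAMP:SERIAL)` field of each record, works out which rotated file is oldest and which is newest from the serial numbers each file contains, and lists the events whose records are split across two files, which is the situation the question describes. It also reports events that have PATH records but no SYSCALL record anywhere, since an event is only complete once all of its records have been seen. The sample input is the records quoted above, re-joined one per line and trimmed to a few fields (a constructed excerpt, so the last event of the audit.log.2 excerpt is reported as incomplete simply because the rest of that file is not quoted). It assumes that the serial number in `msg=audit(...)` increases monotonically within one boot, which is how the kernel audit subsystem assigns it.

```python
import re
from collections import defaultdict

# Constructed sample input: the records quoted in the message, one record per
# string (the mail client wrapped them) and trimmed to a few fields.
SAMPLE_FILES = {
    "audit.log.1": [
        'type=PATH msg=audit(1116457159.607:12637620): item=0 name="stress2_dir"',
        'type=SYSCALL msg=audit(1116457159.607:12637620): syscall=90 arch=c000003e '
        'success=no exit=-2 items=1 pid=24388 comm="stress2_test"',
        'type=PATH msg=audit(1116457159.607:12637634): item=0 name="stress2_dir" inode=5111949',
    ],
    "audit.log.2": [
        'type=PATH msg=audit(1116457158.064:12321219): item=0 name="stress1_dir" inode=5111949',
        'type=SYSCALL msg=audit(1116457158.064:12321219): syscall=83 arch=c000003e '
        'success=yes exit=0 items=1 pid=24343 comm="stress1_test"',
        'type=PATH msg=audit(1116457158.064:12321233): item=0 name="stress1_dir" inode=5111963',
    ],
    "audit.log": [
        'type=SYSCALL msg=audit(1116457159.607:12637634): syscall=84 arch=c000003e '
        'success=no exit=-2 items=1 pid=24388 comm="stress2_test"',
    ],
}

# Every audit record starts with "type=<TYPE> msg=audit(<unix time>.<ms>:<serial>):".
MSG_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")


def parse_record(line):
    """Return {"type", "ts", "serial"} for one audit record, or None if it is not one."""
    m = MSG_RE.match(line)
    if m is None:
        return None
    return {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}


def index_events(files):
    """Map each event serial to the list of (file name, record type) pairs that carry it."""
    events = defaultdict(list)
    for fname, lines in files.items():
        for line in lines:
            rec = parse_record(line)
            if rec is not None:
                events[rec["serial"]].append((fname, rec["type"]))
    return events


def rotation_order(files):
    """Order the files oldest -> newest by the smallest serial each one contains.

    Assumption: serials increase monotonically within a boot, so the file whose
    lowest serial is smallest was written first.
    """
    lowest = {}
    for fname, lines in files.items():
        serials = [r["serial"] for r in map(parse_record, lines) if r is not None]
        if serials:
            lowest[fname] = min(serials)
    return sorted(lowest, key=lowest.get)


def split_events(files):
    """Events whose records land in more than one file, with the files in rotation order."""
    position = {f: i for i, f in enumerate(rotation_order(files))}
    result = {}
    for serial, recs in index_events(files).items():
        names = {f for f, _ in recs}
        if len(names) > 1:
            result[serial] = sorted(names, key=position.get)
    return result


def incomplete_events(files):
    """Events seen in some file but without a SYSCALL record in any file."""
    return {serial for serial, recs in index_events(files).items()
            if "SYSCALL" not in {t for _, t in recs}}


if __name__ == "__main__":
    print("rotation order (oldest -> newest):", rotation_order(SAMPLE_FILES))
    for serial, names in split_events(SAMPLE_FILES).items():
        print(f"event {serial} continues from {names[0]} into {names[-1]}")
    print("events with no SYSCALL record in the excerpt:", sorted(incomplete_events(SAMPLE_FILES)))
```

Run against the quoted excerpt it orders the files audit.log.2, audit.log.1, audit.log (oldest to newest) and reports event 12637634 as continuing from audit.log.1 into audit.log. To use it on real rotated logs, replace `SAMPLE_FILES` with a dict built by reading each `audit.log*` file; the functions only depend on the leading `type=`/`msg=audit(...)` fields, so the rest of each record can stay untouched.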