On Tuesday, June 17, 2014 10:55:42 AM Richard Guy Briggs wrote:
> This feels like 2 clear bugs.
>
> 1) The kernel records for LOGIN are 'malformed' in 3.14.
Yes. That's why it got fixed for 3.15.
5ee9a75 audit: fix dangling keywords in audit_log_set_loginuid() output
introduced it between 3.13 and 3.14-rc1
aa589a1 audit: remove superfluous new- prefix in AUDIT_LOGIN messages
fixed it between 3.14 and 3.15-rc1
So it is fine in 3.15.
We need this fixed in current kernels. It's a low risk patch that fixes this
problem for a lot of people.
> 2) Userspace silently throws records which are 'malformed' away, instead
> of just printing them...
So according to Linus, we (I) violated the "thou shalt not break
userspace" golden rule with the second patch.
But it was already broken according to Steve which is why the first
patch was submitted.
> ausearch -m LOGIN should be able to display these things...
Agreed.
One lesson here? Let's get a minimum useful subset of
http://people.redhat.com/sgrubb/audit/audit-parse.txt into
linux-2.6/Documentation/ tree to try to avoid this issue in the future.
I'd like to reformat that before putting it in the linux kernel. It needs to
be written from a generic howto perspective and not a library design
perspective. Although that document is what has guided audit event design for
about 8 or 9 years.
-Steve