On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
> My guess is that userspace just throws away records where it doesn't find
> the auid= and ses= and your kernel happens to live in those couple of
> months where it had "new-ses" and "new-auid"

Was this patch sent to stable? The audit code tries to handle the old way and
the new way:
https://fedorahosted.org/audit/browser/trunk/tools/aulast/aulast.c#L175
But I thought the patch went to stable to prevent breaking user space. This is
only one issue. I am seeing duplicate and missing events between systemd, gdm,
and lightdm.

> I'd call this a pretty clear userspace bug where it just completely
> drops records, even if it can't parse them...

That theory can be tested by using:
ausearch --start this-week --debug > /dev/null
Anything that gets tossed out will be reported to stderr.
-Steve