Here's an example of what I'm seeing (from auditd):
type=KERNEL msg=audit(1106620862.749:4026): syscall=2 exit=3 a0=7ffffffffa44 a1=0
a2=7ffffffff7e8 a3=1 items=1 pid=4513 loginuid=-1 uid=23 gid=500 euid=23 suid=23 fsuid=23
egid=500 sgid=500 fsgid=500
type=KERNEL msg=audit(1106620862.749:4026): item=0 name=/dev/null inode=5457 dev=01:03
inode=8652144 dev=00:00d=4457 loginuid=-1 uid=23 gid=500 euid=23 suid=23 fsuid=23 egid=500
sgid=500 fsgid=50000
And here's from the kernel:
skb_data(183): audit(1106620862.749:4026): syscall=2 exit=3 a0=7ffffffffa44 a1=0
a2=7ffffffff7e8 a3=1 items=1 pid=4513 loginuid=-1 uid=23 gid=500 euid=23 suid=23 fsuid=23
egid=500 sgid=500 fsgid=500
skb_data(70): audit(1106620862.749:4026): item=0 name=/dev/null
inode=5457 dev=01:03
And here's from syslog:
audit(1106676503.481:3766769): syscall=2 exit=3 a0=3eac7f97a0 a1=0 a2=0 a3=7ffffffff22a
items=1 pid=5300 loginuid=-1 uid=23 gid=500 euid=23 suid=23 fsuid=23 egid=500 sgid=500
fsgid=500
audit(1106676503.481:3766769): item=0 name=/usr/lib/locale/locale-archive inode=8652144
dev=00:00
It seems that auditd is the only one with the problem.
thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net