On 5/17/22 16:41, Steve Grubb wrote:
Hello,
On Thursday, May 12, 2022 4:01:34 AM EDT Sam Pinkus wrote:
> I'm using auditd=1:2.8.4-3 on Debian. I got this event in my audit.log:
>
>
> ...
> type=SYSCALL msg=audit(16523210---): arch=c000003e syscall=87 success=yes
> exit=0 a0=7f867d66a3ed a1=7f867d66a3ed a2=0 a3=792f18 items=2 ppid=2275
> pid=16746 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
> egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=4C5320546872656164
> exe="/usr/lib/firefox-esr/firefox-esr" subj==unconfined
key="delete"
> type=CWD msg=audit(1652321038.100:23444): cwd="/home/sam"
> type=PATH msg=audit(1652321038.100:23444): item=0
> name="/home/sam/.mozilla/firefox/baey2He4.default/" inode=15861713
> dev=fe:01 mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
> cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH
> msg=audit(1652321038.100:23444): item=1
> name="/home/sam/.mozilla/firefox/baey2He4.default/webappsstore.sqlite-wal"
> inode=15860647 dev=fe:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
> nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=PROCTITLE msg=audit(1652321038.100:23444):
> proctitle="/usr/lib/firefox-esr/firefox-esr"
>
> I.e. there is an incomplete timestamp and no event ID in the first line of
> the event "16523210---".
I have never seen such a problem. Looking at both the kernel and userspace
code, I do not see what could prossibly do this. There is no code with
exactly 3 dashes in the audit user space or kernel.
I see "subj==" which I do not think is correct. Are you certain the
event was not manipulated after the fact?
LCB
--
Lenny Bruzenak
MagitekLTD