On 14/06/17, Eric Paris wrote:
On Tue, 17 Jun 2014 16:09:32 +0200
Laurent Bigonville <bigon(a)debian.org> wrote:
> Le Tue, 17 Jun 2014 09:29:21 -0400,
> Steve Grubb <sgrubb(a)redhat.com> a écrit :
>
> > On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
> [...]
> > > I'd call this a pretty clear userspace bug where it just
> > > completely drops records, even if it can't parse them...
> >
> > That theory can be tested by using:
> >
> > ausearch --start this-week --debug > /dev/null
> >
> > Anything that gets tossed out will be reported to stderr.
>
> I'm getting indeed quite a lot of skipped event:
>
> Malformed event skipped, rc=7. type=LOGIN
> msg=audit(1402934401.462:1626): pid=1719 uid=0 old-auid=4294967295
> new-auid=0 old-ses=4294967295 new-ses=121 res=1
This feel like 2 clear bugs.
1) The kernel records for LOGIN are 'malformed' in 3.14.
Yes. That's why it got fixed for 3.15.
5ee9a75 audit: fix dangling keywords in audit_log_set_loginuid() output
introduced it between 3.13 and 3.14-rc1
aa589a1 audit: remove superfluous new- prefix in AUDIT_LOGIN messages
fixed it between 3.14 and 3.15-rc1
So it is fine in 3.15.
2) Userspace silently throws records which are 'malformed'
away, instead
of just printing them...
So according to Linus, we (I) violated the "thou shalt not break
userspace" golden rule with the second patch.
But it was already broken according to Steve which is why the first
patch was submitted.
ausearch -m LOGIN should be able to display these things...
Agreed.
One lesson here? Let's get a minimum useful subset of
http://people.redhat.com/sgrubb/audit/audit-parse.txt into
linux-2.6/Documentation/ tree to try to avoid this issue in the future.
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545