corrupted audit messages

Chris Wright chrisw at osdl.org
Tue Jan 25 18:08:18 UTC 2005


Here are some examples of what I'm seeing (from auditd):

type=KERNEL msg=audit(1106620862.749:4026): syscall=2 exit=3 a0=7ffffffffa44 a1=0 a2=7ffffffff7e8 a3=1 items=1 pid=4513 loginuid=-1 uid=23 gid=500 euid=23 suid=23 fsuid=23 egid=500 sgid=500 fsgid=500

type=KERNEL msg=audit(1106620862.749:4026): item=0 name=/dev/null inode=5457 dev=01:03 inode=8652144 dev=00:00d=4457 loginuid=-1 uid=23 gid=500 euid=23 suid=23 fsuid=23 egid=500 sgid=500 fsgid=50000

And here's from the kernel:

skb_data(183): audit(1106620862.749:4026): syscall=2 exit=3 a0=7ffffffffa44 a1=0 a2=7ffffffff7e8 a3=1 items=1 pid=4513 loginuid=-1 uid=23 gid=500 euid=23 suid=23 fsuid=23 egid=500 sgid=500 fsgid=500 

skb_data(70): audit(1106620862.749:4026): item=0 name=/dev/null inode=5457 dev=01:03


And here's from syslog:

audit(1106676503.481:3766769): syscall=2 exit=3 a0=3eac7f97a0 a1=0 a2=0 a3=7ffffffff22a items=1 pid=5300 loginuid=-1 uid=23 gid=500 euid=23 suid=23 fsuid=23 egid=500 sgid=500 fsgid=500

audit(1106676503.481:3766769): item=0 name=/usr/lib/locale/locale-archive inode=8652144 dev=00:00

It seems that auditd is the only one with the problem.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
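
The comparison made in this message, written as a check (an added example, not code from the post or from the audit project): it flags an auditd record that repeats a key or that carries bytes beyond the kernel's copy of the same record. The function names are hypothetical, the sample lines are copied from the message, and the script assumes the number in `skb_data(N)` is the payload length, which holds for both kernel lines shown.

```python
import re

# Lines copied from the message above (sample data, not live logs).
KERNEL = [
    "skb_data(183): audit(1106620862.749:4026): syscall=2 exit=3 a0=7ffffffffa44 a1=0 a2=7ffffffff7e8 a3=1 items=1 pid=4513 loginuid=-1 uid=23 gid=500 euid=23 suid=23 fsuid=23 egid=500 sgid=500 fsgid=500",
    "skb_data(70): audit(1106620862.749:4026): item=0 name=/dev/null inode=5457 dev=01:03",
]
AUDITD = [
    "type=KERNEL msg=audit(1106620862.749:4026): syscall=2 exit=3 a0=7ffffffffa44 a1=0 a2=7ffffffff7e8 a3=1 items=1 pid=4513 loginuid=-1 uid=23 gid=500 euid=23 suid=23 fsuid=23 egid=500 sgid=500 fsgid=500",
    "type=KERNEL msg=audit(1106620862.749:4026): item=0 name=/dev/null inode=5457 dev=01:03 inode=8652144 dev=00:00d=4457 loginuid=-1 uid=23 gid=500 euid=23 suid=23 fsuid=23 egid=500 sgid=500 fsgid=50000",
]

ID_RE = re.compile(r"audit\(\d+\.\d+:\d+\):")

def payload(line):
    """Return the record from 'audit(' onward, dropping any transport prefix."""
    m = ID_RE.search(line)
    return line[m.start():].rstrip() if m else None

def duplicate_keys(rec):
    """Keys that appear more than once among one record's key=value tokens."""
    seen, dups = set(), []
    for tok in rec.split()[1:]:          # first token is the audit(...) id
        key = tok.split("=", 1)[0]
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups

def check(auditd_line, kernel_line=None):
    """Findings for one auditd record; an empty list means nothing was flagged."""
    rec = payload(auditd_line)
    if rec is None:
        return ["no audit id"]
    findings = [f"duplicate key {k}" for k in duplicate_keys(rec)]
    if kernel_line:
        ref = payload(kernel_line)
        m = re.match(r"skb_data\((\d+)\)", kernel_line)
        if m and len(ref) != int(m.group(1)):   # assumption: N is the payload length
            findings.append("kernel length mismatch")
        if rec != ref:
            kind = "trailing bytes" if rec.startswith(ref) else "differs"
            findings.append(f"{kind}: {len(rec) - len(ref):+d} vs kernel copy")
    return findings

if __name__ == "__main__":
    for a, k in zip(AUDITD, KERNEL):
        print(check(a, k) or "ok")
```

The duplicate-key test needs no kernel-side reference, so it can run over an auditd log on its own.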



