Audit record emission

Chris Wright chrisw at osdl.org
Thu May 5 20:39:43 UTC 2005


* Steve Grubb (sgrubb at redhat.com) wrote:
> On Thursday 05 May 2005 15:42, Stephen Smalley wrote:
> > For all other audit generation, it should all occur from audit_log_exit
> > IIUC.   
> 
> That's kind of what I'm counting on.
> 
> > However, audit_log_exit() presently uses several
> > audit_log_start()...audit_log_end() sequences rather than a single one,
> > which does split up the syscall audit record information.
> 
> I don't think this explains what we saw in the records. The records seemed 
> like they had multiple parts, were intertwined, and separated by a long 
> distance. Here is a sample:

This is partly possible because a single message (i.e. a single
audit_log_start...audit_log_end sequence) can span skb's.  There's no
serialization so skb's can easily become interleaved.  And, auditd will
drop subsequent skb's because the netlink header is bogus.  I'll send
out the updates I have to this area shortly.  I'm interested if it helps.

> type=KERNEL msg=audit(1114290222.457:10672815): syscall=83 arch=c000003e 
> success=yes exit=0 a0=7fbffffb80 a1=1ff a2=402136 a3=0 items=1 pid=22754
> loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
> comm="stress1_test"
> exe=/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress1_test
> type=KERNEL msg=audit(1114290222.582:10674541): item=0 name="stress2_dir" 
> inode=3440760 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
> type=KERNEL msg=audit(1114290222.581:10674530): item=0 name="stress2_dir"
> type=KERNEL msg=audit(1114290222.579:10674506): syscall=90 arch=c000003e 
> success=no exit=-2 a0=7fbffffc30 a1=0 a2=ffffffffffffffc0 a3=7 items=1
> pid=22791 loginuid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 
> sgid=500 fsgid=500 comm="stress2_test"
> exe=/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress2_test
> type=KERNEL msg=audit(1114290222.559:10673854): item=0 name="stress1_dir" 
> inode=3441012 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
> type=KERNEL msg=audit(1114290222.558:10673842): item=0 name="stress1_dir" 
> inode=3441012 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
> type=KERNEL msg=audit(1114290222.557:10673830): item=0 name="stress1_dir" 
> inode=3441012 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
> type=KERNEL msg=audit(1114290222.556:10673818): item=0 name="stress1_dir" 
> inode=3441012 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
> type=KERNEL msg=audit(1114290222.555:10673807): syscall=84 arch=c000003e 
> success=yes exit=0 a0=7fbffffb80 a1=3a834c1d99 a2=3a834c1d99
> a3=5f31737365727473 items=1 pid=22754 loginuid=500 uid=0 gid=0 euid=0 suid=0 
> fsuid=0 egid=0 sgid=0 fsgid=0 comm="stress1_test"
> exe=/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress1_test
> type=KERNEL msg=audit(1114290222.543:10673805): item=0 name="stress1_dir" 
> inode=3440760 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
> type=KERNEL msg=audit(1114290222.542:10673795): item=0 name="stress1_dir" 
> inode=3440760 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
> type=KERNEL msg=audit(1114290222.541:10673794): item=0 name="stress1_dir" 
> inode=3441012 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
> type=KERNEL msg=audit(1114290222.541:10673783): syscall=84 arch=c000003e 
> success=yes exit=0 a0=7fbffffb80 a1=3a834c1d99 a2=3a834c1d99
> a3=5f31737365727473 items=1 pid=22754 loginuid=500 uid=0 gid=0 euid=0 suid=0 
> fsuid=0 egid=0 sgid=0 fsgid=0 comm="stress1_test"
> exe=/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress1_test
> 
> The second record has a serial of 10674541. Where's the rest of it? Kris has a 
> stress test that generated these records. 
> 
> -Steve

-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
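A defender-side check for the fragmentation Steve describes above: group the quoted records by their audit serial and flag serials that never arrive with a syscall= part (the "where's the rest of it?" case for serial 10674541). This is an added example, not code from the thread or the audit project; the sample lines are constructed from the records quoted above, and the continuation-line handling is an assumption that mirrors how the mail wrapped long records.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the records quoted in the thread (abridged).
# The line after serial 10674541 is a wrapped continuation, as in the mail.
SAMPLE = """\
type=KERNEL msg=audit(1114290222.457:10672815): syscall=83 arch=c000003e success=yes exit=0 items=1 pid=22754 comm="stress1_test"
type=KERNEL msg=audit(1114290222.457:10672815): item=0 name="stress1_dir" inode=3440760 dev=fd:00 mode=040755
type=KERNEL msg=audit(1114290222.582:10674541): item=0 name="stress2_dir"
inode=3440760 dev=fd:00 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1114290222.581:10674530): item=0 name="stress2_dir"
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group audit lines by serial number.

    Each 'type=... msg=audit(ts:serial):' header starts a new part of the
    record with that serial; a line without a header is treated as a wrapped
    continuation of the previous part (assumption for mail-quoted logs).
    """
    records = defaultdict(lambda: {"parts": []})
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            current = {"type": rtype, "ts": ts, "fields": {}}
            records[int(serial)]["parts"].append(current)
        elif current is None:
            continue  # stray text before the first record header
        else:
            body = line  # continuation of the previous part
        current["fields"].update({k: v.strip('"') for k, v in KV.findall(body)})
    return dict(records)


def incomplete_serials(records):
    """Serials whose parts carry item/name data but no syscall= head: the
    fragments that arrived without the rest of their record."""
    return sorted(serial for serial, rec in records.items()
                  if not any("syscall" in p["fields"] for p in rec["parts"]))
```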