Patch to auparse to handle out of order messages 1 of 3

Burn Alting burn at swtf.dyndns.org
Wed Jan 6 10:29:17 UTC 2016


All,

The TODO for 2.5.1 requested 

	* Fix auparse to handle out of order messages

The problem was that, should a stream of raw auditd logs be processed by
auparse() and the records that make up a single auditd event be
interleaved with each other, auparse() would 'silently' discard event
data.

Ausearch/Aureport does not have this problem as it handles such
interleaved event records. The approach to solving this problem was to
take ausearch/aureport's list-of-lists event record code (lol) and
incorporate it into auparse().

The following three patches address this problem.

#1 - convert the existing code to change auparse's auparse_state_t (aka
struct opaque) event_list_t element 'le' to be a pointer, so the 'lol'
code can more seamlessly fit in.

#2 - the 'lol' patch itself. Integrate the ausearch/aureport 'lol' code
into auparse() and adjust auparse() to maintain an in-core list of
incomplete events.

#3 - modify the standard auparse() test code.

Regards
Burn Alting 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit-2.4.5-1.patch
Type: text/x-patch
Size: 14543 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20160106/edc2e444/attachment.bin>
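As an added illustration (not code from these patches or from audit-userspace), the grouping logic the post describes, run on a constructed interleaved log: a single "current event" buffer fragments interleaved events, while a map of incomplete events keyed by (timestamp, serial), in the spirit of the ausearch 'lol' code, reassembles them. The record format, the EOE-terminates-event rule and all sample lines are assumptions made for this example.

```python
import re
from collections import OrderedDict

# Constructed sample: two auditd events (serials 1001, 1002) with interleaved records.
RAW_LOG = """\
type=SYSCALL msg=audit(1452075000.123:1001): syscall=2 success=yes
type=SYSCALL msg=audit(1452075000.130:1002): syscall=59 success=yes
type=CWD msg=audit(1452075000.123:1001): cwd="/root"
type=PATH msg=audit(1452075000.130:1002): item=0 name="/bin/ls"
type=PATH msg=audit(1452075000.123:1001): item=0 name="/etc/shadow"
type=EOE msg=audit(1452075000.123:1001):
type=EOE msg=audit(1452075000.130:1002):
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")

def parse_record(line):
    """Return ((timestamp, serial), record type) for one raw line."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("not an audit record: " + line)
    rtype, ts, serial = m.groups()
    return (ts, int(serial)), rtype

def group_single_buffer(lines):
    """Naive grouping: one in-progress event; any key change flushes it,
    so interleaved records split one event into several fragments."""
    events, cur_key, cur = [], None, []
    for line in lines:
        key, rtype = parse_record(line)
        if key != cur_key:
            if cur:
                events.append((cur_key, cur))
            cur_key, cur = key, []
        cur.append(rtype)
    if cur:
        events.append((cur_key, cur))
    return events

def group_list_of_lists(lines):
    """Keep every incomplete event in an ordered map keyed by (ts, serial);
    an EOE record (or end of input) completes it. Interleaving is harmless."""
    pending, events = OrderedDict(), []
    for line in lines:
        key, rtype = parse_record(line)
        pending.setdefault(key, []).append(rtype)
        if rtype == "EOE":
            events.append((key, pending.pop(key)))
    events.extend(pending.items())  # flush events that never saw an EOE
    return events
```

On the sample above the single-buffer approach yields six fragments for two events, while the list-of-lists approach yields exactly two complete events, each with all of its records.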

