Weird issues in 2.6.5

Chris Nandor pudge at pobox.com
Wed Jul 13 15:47:58 UTC 2016


Hi, I had some odd behavior to report.

I am running ubuntu 12.04.  Using the default auditd and audispd-plugins
packages for my release, I was able to get logs sent to local syslog and to
a remote auditd server (same basic configuration), but the entries were
being buffered somewhere (I think on the client side), and if the server
died reconnections didn't happen.

So, I wanted a more recent version, so I compiled audit-userspace from the
github src mirror,* trunk at 1341.

When I did, I got some weird results.  For example, I got something like
this in my audit.log:

  node=host.example.com type=CWD msg=audit(1468363871.644:3279856):
 cwd="/etc/audisp"

And that was as expected.  In syslog, I expected to get:

  Jul 13 08:34:53 host audispd: node=host.loc.example.com type=CWD
msg=audit(1468363871.644:3279856):  cwd="/etc/audisp"

But instead, I got:

  Jul 13 08:34:53 host audispd: type=CWD msg=node=host.loc.example.com
type=CWD msg=audit(1468363871.644

As you can see, the whole thing was prepended with "type=CWD msg=", and the
line was truncated.  Similarly, on the remote host, I got the same thing:

  type=CWD msg=node=host.loc.example.com type=CWD msg=audit(1468363871.644

I noticed that the most recent version of the src for ubuntu was 2.4.5, so
I grabbed the src tarball from packages.ubuntu and built it, and now
everything looks fine.  The exact same line I see in my audit.log shows up
in the remote audit.log, with no buffering.  When I restart the remote
auditd server or client, it reconnects.  syslog has the same entry (prepended
with the timestamp etc.).  Everything seems happy now.


*For some reason I had to define `CC_FOR_BUILD=gcc` in my shell when I ran
`make` from the svn/git src.  I did not require this when building 2.4.5
from the ubuntu src.


--Chris
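An added check, not from the post or from audit-userspace, that parses the record shapes quoted above and flags the spurious leading "type=CWD msg=" and the truncation the post describes; the header layout (`[node=HOST ]type=TYPE msg=audit(SECS.MSEC:SERIAL):`) is assumed from the post's own lines.

```python
import re

# Record shape as it appears in audit.log on this page (assumed from the post's
# examples, not from the audit-userspace sources):
#   [node=HOST ]type=TYPE msg=audit(SECS.MSEC:SERIAL): fields...
HEADER_RE = re.compile(
    r"^(?:node=(?P<node>\S+)\s+)?type=(?P<type>[A-Z0-9_]+)\s+"
    r"msg=audit\((?P<secs>\d+)\.(?P<msec>\d{3}):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# Syslog line prefix in front of the forwarded record ("Jul 13 08:34:53 host audispd: ").
SYSLOG_PREFIX_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+audispd:\s+")
# The spurious leading "type=CWD msg=" from the post, immediately followed by a second header.
DOUBLED_PREFIX_RE = re.compile(r"^type=[A-Z0-9_]+\s+msg=(?=(?:node|type)=)")


def diagnose(line):
    """Return (issues, header) for one record; header is None when it cannot be parsed."""
    rec = SYSLOG_PREFIX_RE.sub("", line.strip(), count=1)
    issues = []
    if DOUBLED_PREFIX_RE.match(rec):
        issues.append("doubled_prefix")
        rec = DOUBLED_PREFIX_RE.sub("", rec, count=1)  # inspect what is left after the junk
    m = HEADER_RE.match(rec)
    if m is None:
        # "msg=audit(" with no closing "):" means the record was cut off inside the header
        issues.append("truncated" if "msg=audit(" in rec and "):" not in rec else "unparsable")
        return issues, None
    return issues, m.groupdict()


def same_event(local_line, forwarded_line):
    """True when the forwarded copy is intact and carries the same audit(SECS.MSEC:SERIAL) and fields.
    node= is not compared because it only names the sending host."""
    _, a = diagnose(local_line)
    issues, b = diagnose(forwarded_line)
    if a is None or b is None or issues:
        return False
    return all(a[k] == b[k] for k in ("type", "secs", "msec", "serial", "body"))


# Constructed samples, built from the lines quoted in the post.
SAMPLES = {
    "local_auditlog": 'node=host.example.com type=CWD msg=audit(1468363871.644:3279856): cwd="/etc/audisp"',
    "syslog_expected": "Jul 13 08:34:53 host audispd: node=host.loc.example.com type=CWD "
                       'msg=audit(1468363871.644:3279856):  cwd="/etc/audisp"',
    "syslog_actual": "Jul 13 08:34:53 host audispd: type=CWD msg=node=host.loc.example.com "
                     "type=CWD msg=audit(1468363871.644",
    "remote_actual": "type=CWD msg=node=host.loc.example.com type=CWD msg=audit(1468363871.644",
}


def report(samples=SAMPLES):
    """Map each sample name to the list of issues found (an empty list means well-formed)."""
    return {name: diagnose(line)[0] for name, line in samples.items()}


if __name__ == "__main__":
    for name, issues in report().items():
        print(f"{name}: {issues or 'ok'}")
```

Running the same check over a day's forwarded syslog or remote audit.log against the local audit.log gives a quick count of how many records arrived intact versus mangled.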