Weird issues in 2.6.5
Chris Nandor
pudge at pobox.com
Wed Jul 13 15:47:58 UTC 2016
Hi, I had some odd behavior to report.
I am running ubuntu 12.04. Using the default auditd and audispd-plugins
packages for my release, I was able to get logs sent to local syslog and to
a remote auditd server (same basic configuration), but the entries were
being buffered somewhere (I think on the client side), and if the server
died reconnections didn't happen.
So, I wanted a more recent version, so I compiled audit-userspace from the
github src mirror,* trunk at 1341.
When I did, I got some weird results. For example, I expected got
something like this in my audit.log:
node=host.example.com type=CWD msg=audit(1468363871.644:3279856):
cwd="/etc/audisp"
And that was as expected. In syslog, I expected to get:
Jul 13 08:34:53 host audispd: node=host.loc.example.com type=CWD
msg=audit(1468363871.644:3279856): cwd="/etc/audisp"
But instead, I got:
Jul 13 08:34:53 host audispd: type=CWD msg=node=host.loc.example.com
type=CWD msg=audit(1468363871.644
As you can see, the whole thing was prepended with "type=CWD msg=", and the
line was truncated. Similarly, on the remote host, I got the same thing:
type=CWD msg=node=host.loc.example.com type=CWD msg=audit(1468363871.644
I noticed that the most recent version of the src for ubuntu was 2.4.5, so
I grabbed the src tarball from packages.ubuntu and built it, and now
everything looks fine. The exact same line I see in my audit.log shows up
in the remote audit.log, with no buffering. When I restart the remote
auditd server or client, it reconnects. syslog has same entry (prepended
with the timestamp etc.). Everything seems happy now.
*For some reason I had to define `CC_FOR_BUILD=gcc` in my shell when I ran
`make` from the svn/git src. I did not require this when building 2.4.5
from the ubuntu src.
--Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20160713/484ea0b0/attachment.htm>
More information about the Linux-audit
mailing list