BUG: records from one event not grouped together #86

Closed
rgbriggs opened this issue Mar 19, 2019 · 3 comments

Comments

@rgbriggs
Contributor

rgbriggs commented Mar 19, 2019

In recent testing of events for ghak90 and ghak110 it has been noticed that ausearch isn't grouping all the records of one event together even though the date/time/serial stamps are identical. It may be related to the fact that both records are in the 1000 block.

ghak90:

type=CONTAINER_OP msg=audit(2019-03-19 15:40:06.141:235) : op=set opid=698 old-contid=18446744073709551615 contid=123455 pid=698 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=test.sh exe=/usr/bin/bash res=yes 
----
type=CONTAINER_ID msg=audit(2019-03-19 15:40:06.141:235) : contid=123455 
type=PROCTITLE msg=audit(2019-03-19 15:40:06.141:235) : proctitle=/bin/sh ./test.sh 
type=SYSCALL msg=audit(2019-03-19 15:40:06.141:235) : arch=x86_64 syscall=write success=yes exit=7 a0=0x1 a1=0x55e34362ceb0 a2=0x7 a3=0xa items=0 ppid=676 pid=698 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=test.sh exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
----

ghak110:

time->Tue Mar 19 12:23:15 2019
type=LOGIN msg=audit(1553012595.401:219): pid=647 uid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=ttyS0 old-ses=4294967295 ses=1 res=1
----
time->Tue Mar 19 12:23:15 2019
type=PROCTITLE msg=audit(1553012595.401:219): proctitle=2F62696E2F6C6F67696E002D70002D2D0020202020
type=SYSCALL msg=audit(1553012595.401:219): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff3fb13380 a2=1 a3=0 items=0 ppid=1 pid=647 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="login" exe="/usr/bin/#" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
----
@rgbriggs
Contributor Author

rgbriggs commented Apr 10, 2019

This is due to the range conditions in src/ausearch-lol.c:check_events()

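Added example, not code from audit-userspace: a minimal C grouper that shows the behaviour the report above expects (records sharing a timestamp and serial number form one event) and how an extra record-type condition, of the kind the follow-up comment attributes to the range conditions in check_events(), can split such an event into two. The allow-list of "groupable" types, the function names, and the trimmed sample lines (taken from the ghak110 records in the report, raw msg=audit() format only) are constructed for this example and do not reproduce the actual logic of src/ausearch-lol.c.

```c
#include <stdio.h>
#include <string.h>

#define MAX_EVENTS 16

/* Parsed audit record: only the fields the grouping decision needs. */
struct record {
    char type[32];       /* e.g. "LOGIN", "SYSCALL" */
    unsigned long sec;   /* seconds part of the audit timestamp */
    unsigned int msec;   /* milliseconds part */
    unsigned int serial; /* per-event serial number */
};

/* One grouped event plus how many records landed in it. */
struct event {
    unsigned long sec;
    unsigned int msec;
    unsigned int serial;
    int groupable;   /* only used by the simulated type-filter mode */
    int nrecords;
};

/* Parse "type=NAME msg=audit(SEC.MSEC:SERIAL): ..." (raw, uninterpreted form).
 * Returns 1 on success, 0 if the line lacks either field. */
int parse_record(const char *line, struct record *rec)
{
    const char *msg = strstr(line, "msg=audit(");
    if (!msg || sscanf(line, "type=%31s", rec->type) != 1)
        return 0;
    return sscanf(msg, "msg=audit(%lu.%u:%u)",
                  &rec->sec, &rec->msec, &rec->serial) == 3;
}

/* The only thing that should decide event membership: timestamp + serial. */
static int same_event(const struct event *ev, const struct record *rec)
{
    return ev->sec == rec->sec && ev->msec == rec->msec && ev->serial == rec->serial;
}

/* Constructed allow-list standing in for a record-type range condition.
 * Note that LOGIN (and the CONTAINER_* types from the report) are absent. */
static int type_is_groupable(const char *type)
{
    static const char *const groupable[] = { "SYSCALL", "PROCTITLE", "PATH", "CWD" };
    size_t i;
    for (i = 0; i < sizeof groupable / sizeof groupable[0]; i++)
        if (strcmp(type, groupable[i]) == 0)
            return 1;
    return 0;
}

/* Group lines into events. With filter_by_type == 0 records are merged purely on
 * their key (the expected behaviour). With filter_by_type != 0 a record only joins
 * an event when both it and the event's first record have groupable types, which
 * reproduces the failure mode: a LOGIN record is left on its own.
 * Returns the number of events, or -1 on a parse error or a full table. */
int group_records(const char *const *lines, int nlines, int filter_by_type,
                  struct event *events, int max_events)
{
    int nevents = 0, i, j;
    for (i = 0; i < nlines; i++) {
        struct record rec;
        int merged = 0;
        if (!parse_record(lines[i], &rec))
            return -1;
        for (j = 0; j < nevents && !merged; j++) {
            if (!same_event(&events[j], &rec))
                continue;
            if (filter_by_type && !(events[j].groupable && type_is_groupable(rec.type)))
                continue;
            events[j].nrecords++;
            merged = 1;
        }
        if (!merged) {
            if (nevents == max_events)
                return -1;
            events[nevents].sec = rec.sec;
            events[nevents].msec = rec.msec;
            events[nevents].serial = rec.serial;
            events[nevents].groupable = type_is_groupable(rec.type);
            events[nevents].nrecords = 1;
            nevents++;
        }
    }
    return nevents;
}

/* Constructed sample: the three ghak110 records from the report, tails trimmed. */
static const char *const SAMPLE_LINES[] = {
    "type=LOGIN msg=audit(1553012595.401:219): pid=647 uid=0 auid=0 ses=1 res=1",
    "type=PROCTITLE msg=audit(1553012595.401:219): proctitle=2F62696E2F6C6F67696E",
    "type=SYSCALL msg=audit(1553012595.401:219): arch=c000003e syscall=1 success=yes",
};
#define SAMPLE_COUNT 3

/* Number of events the sample produces in the given mode. */
int demo_event_count(int filter_by_type)
{
    struct event events[MAX_EVENTS];
    return group_records(SAMPLE_LINES, SAMPLE_COUNT, filter_by_type, events, MAX_EVENTS);
}

/* Records in the first event the sample produces, or -1 on error. */
int demo_records_in_first_event(int filter_by_type)
{
    struct event events[MAX_EVENTS];
    if (group_records(SAMPLE_LINES, SAMPLE_COUNT, filter_by_type, events, MAX_EVENTS) < 1)
        return -1;
    return events[0].nrecords;
}

int main(void)
{
    printf("key-only grouping:   %d event(s), first has %d record(s)\n",
           demo_event_count(0), demo_records_in_first_event(0));
    printf("type-filtered group: %d event(s), first has %d record(s)\n",
           demo_event_count(1), demo_records_in_first_event(1));
    return 0;
}
```

Run as-is it prints one event of three records for key-only grouping and two events (the LOGIN record alone, then PROCTITLE and SYSCALL together) once the type condition is applied, which is the shape of the split output in the report. For a detection pipeline the practical consequence is the same: anything that keys on one event per serial will see the LOGIN record as a separate, context-free event unless grouping ignores record type.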
@rgbriggs
Contributor Author

rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Jun 26, 2020
See the upstream issues
	linux-audit#86

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Nov 26, 2020
See the upstream issues
	linux-audit#86

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Dec 16, 2020
LOGIN records were not grouped with the rest of their event, records with the
identical timestamp and serial number:

----
time->Tue Mar 19 12:23:15 2019
type=LOGIN msg=audit(1553012595.401:219): pid=647 uid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=ttyS0 old-ses=4294967295 ses=1 res=1
----
time->Tue Mar 19 12:23:15 2019
type=PROCTITLE msg=audit(1553012595.401:219): proctitle=2F62696E2F6C6F67696E002D70002D2D0020202020
type=SYSCALL msg=audit(1553012595.401:219): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff3fb13380 a2=1 a3=0 items=0 ppid=1 pid=647 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="login" exe="/usr/bin/#" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
----

Tidy up the list/ranges of records to be in ascending order for easier parsing
and updating by humans.

See the upstream issues
	linux-audit#86

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Dec 16, 2020
LOGIN records were not grouped with the rest of their event, records with the
identical timestamp and serial number:

----
time->Tue Mar 19 12:23:15 2019
type=LOGIN msg=audit(1553012595.401:219): pid=647 uid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=ttyS0 old-ses=4294967295 ses=1 res=1
----
time->Tue Mar 19 12:23:15 2019
type=PROCTITLE msg=audit(1553012595.401:219): proctitle=2F62696E2F6C6F67696E002D70002D2D0020202020
type=SYSCALL msg=audit(1553012595.401:219): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff3fb13380 a2=1 a3=0 items=0 ppid=1 pid=647 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="login" exe="/usr/bin/#" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
----

Tidy up the list/ranges of records to be in ascending order for easier parsing
and updating by humans.

See the upstream issues
	linux-audit#86

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Dec 18, 2020
See the upstream issues
	linux-audit#86

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
@stevegrubb
Contributor

Closing this out since there is a PR for this.
