* [PATCH ghau86] allow LOGIN event record to be grouped with its SYSCALL record
@ 2020-06-16 12:05 Richard Guy Briggs
From: Richard Guy Briggs @ 2020-06-16 12:05 UTC
  To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs, eparis

LOGIN records were not grouped with the rest of their event, records with the
identical timestamp and serial number:

----
time->Tue Mar 19 12:23:15 2019
type=LOGIN msg=audit(1553012595.401:219): pid=647 uid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=ttyS0 old-ses=4294967295 ses=1 res=1
----
time->Tue Mar 19 12:23:15 2019
type=PROCTITLE msg=audit(1553012595.401:219): proctitle=2F62696E2F6C6F67696E002D70002D2D0020202020
type=SYSCALL msg=audit(1553012595.401:219): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff3fb13380 a2=1 a3=0 items=0 ppid=1 pid=647 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
----

Tidy up the list/ranges of records to be in ascending order for easier parsing
and updating by humans.

See the upstream issue
	https://github.com/linux-audit/audit-userspace/issues/86

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 src/ausearch-lol.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
index e70945612f79..f0f36e04dd93 100644
--- a/src/ausearch-lol.c
+++ b/src/ausearch-lol.c
@@ -246,12 +246,14 @@ static void check_events(lol *lo, time_t sec)
 			if (cur->l->e.sec + 2 <= sec) { 
 				cur->status = L_COMPLETE;
 				ready++;
-			} else if (cur->l->e.type == AUDIT_PROCTITLE ||
-				    cur->l->e.type < AUDIT_FIRST_EVENT ||
-				    cur->l->e.type >= AUDIT_FIRST_ANOM_MSG ||
-				    cur->l->e.type == AUDIT_KERNEL ||
-				    (cur->l->e.type >= AUDIT_MAC_UNLBL_ALLOW &&
-				    cur->l->e.type <= AUDIT_MAC_CALIPSO_DEL)) {
+			} else if ( cur->l->e.type <  AUDIT_LOGIN            ||
+				   (cur->l->e.type >  AUDIT_LOGIN           &&
+				    cur->l->e.type <  AUDIT_FIRST_EVENT    ) ||
+				    cur->l->e.type == AUDIT_PROCTITLE        ||
+				   (cur->l->e.type >= AUDIT_MAC_UNLBL_ALLOW &&
+				    cur->l->e.type <= AUDIT_MAC_CALIPSO_DEL) ||
+				    cur->l->e.type == AUDIT_KERNEL           ||
+				    cur->l->e.type >= AUDIT_FIRST_ANOM_MSG     ) {
 				// If known to be 1 record event, we are done
 				cur->status = L_COMPLETE;
 				ready++;
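Review bot: carving AUDIT_LOGIN out of the `< AUDIT_FIRST_EVENT` range means a LOGIN record that arrives with no companion SYSCALL record (no syscall context) is no longer marked L_COMPLETE on arrival and instead sits in the list until the `cur->l->e.sec + 2 <= sec` timeout two lines above fires; that is presumably the intended trade-off, but it deserves a sentence in the commit message, and the `// If known to be 1 record event, we are done` comment should say that LOGIN is deliberately excluded because it may be followed by a SYSCALL record with the same serial. Minor style point: the padded alignment inside the parentheses and the space in `( cur->l->e.type <  AUDIT_LOGIN` do not match the formatting of the lines being removed; one condition per line with the file's usual spacing would read the same and diff more cleanly next time the ranges change.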
-- 
1.8.3.1

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
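Added example, not code from audit-userspace or from the patch author: a Python model of the completion rule in check_events() so the effect of the AUDIT_LOGIN carve-out can be seen on sample records. It feeds the three records from the description (shortened, in raw log order) plus one constructed record three seconds later through both the old and the patched rule. The record type numbers are assumed from linux/audit.h, since the patch only names the constants, and the list-of-lists bookkeeping is simplified (complete events are flushed after every record, as ausearch's main loop effectively does).

```python
"""Model of ausearch's list-of-lists grouping, before and after the patch."""
import re

# Record type numbers as defined in linux/audit.h (assumed here).
AUDIT_LOGIN = 1006
AUDIT_FIRST_EVENT = 1300
AUDIT_SYSCALL = 1300
AUDIT_PROCTITLE = 1327
AUDIT_MAC_UNLBL_ALLOW = 1406
AUDIT_MAC_CALIPSO_DEL = 1419
AUDIT_KERNEL = 2000
AUDIT_FIRST_ANOM_MSG = 2100

# Only the type names used by the sample input below need a mapping.
TYPE_NUMBER = {"LOGIN": AUDIT_LOGIN, "SYSCALL": AUDIT_SYSCALL,
               "PROCTITLE": AUDIT_PROCTITLE}

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<sec>\d+)\.(?P<milli>\d+):(?P<serial>\d+)\):")


def parse_record(line):
    """Return (type_name, type_number, sec, milli, serial) for one raw record."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    name = m.group("type")
    return (name, TYPE_NUMBER[name], int(m.group("sec")),
            int(m.group("milli")), int(m.group("serial")))


def single_record_event(t, group_login):
    """Port of the else-if in check_events(): True when a list whose first
    record has type t can be declared complete without waiting for more."""
    if group_login:  # rule after the patch: AUDIT_LOGIN is carved out
        return (t < AUDIT_LOGIN
                or AUDIT_LOGIN < t < AUDIT_FIRST_EVENT
                or t == AUDIT_PROCTITLE
                or AUDIT_MAC_UNLBL_ALLOW <= t <= AUDIT_MAC_CALIPSO_DEL
                or t == AUDIT_KERNEL
                or t >= AUDIT_FIRST_ANOM_MSG)
    return (t == AUDIT_PROCTITLE  # rule before the patch
            or t < AUDIT_FIRST_EVENT
            or t >= AUDIT_FIRST_ANOM_MSG
            or t == AUDIT_KERNEL
            or AUDIT_MAC_UNLBL_ALLOW <= t <= AUDIT_MAC_CALIPSO_DEL)


def group_events(lines, group_login):
    """Feed raw records through a simplified list-of-lists and return the
    completed events in emission order. Each event is a list of
    (type_name, serial) in arrival order (ausearch itself prints the
    records of an event in reverse)."""
    open_events = []  # each: {"key": (sec, milli, serial), "head_type", "records"}
    done = []

    def check_events(now):
        still_open = []
        for ev in open_events:
            # Timeout: nothing more can arrive for an event two seconds old,
            # otherwise only known single-record types complete immediately.
            if (ev["key"][0] + 2 <= now
                    or single_record_event(ev["head_type"], group_login)):
                done.append(ev["records"])
            else:
                still_open.append(ev)
        open_events[:] = still_open

    for line in lines:
        name, num, sec, milli, serial = parse_record(line)
        key = (sec, milli, serial)
        for ev in open_events:
            if ev["key"] == key:  # same timestamp and serial: same event
                ev["records"].append((name, serial))
                break
        else:
            open_events.append({"key": key, "head_type": num,
                                "records": [(name, serial)]})
        check_events(sec)
    # End of input: flush whatever is still open, as ausearch does at EOF.
    done.extend(ev["records"] for ev in open_events)
    return done


# Constructed sample: the description's records, shortened, in raw log order,
# plus a record three seconds later that trips the two-second timeout.
SAMPLE_LOG = [
    "type=LOGIN msg=audit(1553012595.401:219): pid=647 uid=0 auid=0 ses=1 res=1",
    "type=SYSCALL msg=audit(1553012595.401:219): arch=c000003e syscall=1 pid=647",
    "type=PROCTITLE msg=audit(1553012595.401:219): proctitle=2F62696E2F6C6F67696E",
    "type=SYSCALL msg=audit(1553012598.000:220): arch=c000003e syscall=257 pid=700",
]

if __name__ == "__main__":
    for label, flag in (("before patch", False), ("after patch", True)):
        print(label)
        for event in group_events(SAMPLE_LOG, flag):
            print("   ", event)
```

Before the patch the LOGIN record completes on arrival and serial 219 is emitted as two events; after it the LOGIN-headed list stays open, the SYSCALL and PROCTITLE records join it, and the whole event is emitted when the timeout fires. The same run shows the caveat: a LOGIN record with no SYSCALL behind it now waits out the two-second window rather than being emitted immediately.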

