ausearch discrepancies?

ausearch discrepancies?

[LC Bruzenak]

F10, audit-1.7.12

[root@slim ~]# ausearch -i -ts yesterday -te yesterday | grep "node=" |
tail
...

node=slim type=PATH msg=audit(06/03/2009 19:11:29.348:2884) : item=0
name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00
mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
obj=system_u:object_r:mozilla_home_t:s0 
node=slim type=CWD msg=audit(06/03/2009 19:11:29.348:2884) :
cwd=/home/lcb 
node=slim type=SYSCALL msg=audit(06/03/2009 19:11:29.348:2884) :
arch=x86_64 syscall=unlink success=yes exit=0 a0=2bb999c a1=2bb999c a2=0
a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb
euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1
comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox
subj=user_u:user_r:user_t:s0 key=delete 

The results end with the above record.

Then:
[root@slim ~]# ausearch -i -ts yesterday  | grep "node=" | less
...
node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0
name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=
542803 dev=fd:00 mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
obj=system_u:object_r:mozilla_home_t:s0 
node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) :
cwd=/home/lcb 
node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) :
arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=
36763bc a2=0 a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb
gid=lcb euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lc
b fsgid=lcb tty=(none) ses=1 comm=firefox
exe=/usr/lib64/firefox-3.0.10/firefox subj=user_u:user_r:user_t:s0
key=delete 
node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) :
arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acb
b60 a1=5 a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset
uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=n
tp fsgid=ntp tty=(none) ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd
subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-ch
ange 
node=slim type=USER_ACCT msg=audit(06/04/2009 00:01:01.716:3013) : user
pid=14269 uid=root auid=unset ses=4294967295 subj=sys
tem_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:accounting acct=root
exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cro
n res=success)' 

This shows plenty of events after the 19:11 event shown.
Any ideas?

# date
Thu Jun  4 19:29:10 CDT 2009

Reading the manpage is a little confusing on the -ts and -te meanings.
I'm not sure I agree with the way it is stated, regardless the behavior
above appears wrong ... but this appears to work correctly:

ausearch -ts 06/03/2009 00:00:00 -te 06/03/2009 23:59:59 -i | grep
"node=" | tail
...
node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0
name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00
mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
obj=system_u:object_r:mozilla_home_t:s0 
node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) :
cwd=/home/lcb 
node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) :
arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=36763bc a2=0
a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb
euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1
comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox
subj=user_u:user_r:user_t:s0 key=delete 
node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) :
arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acbb60 a1=5
a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset uid=ntp gid=ntp
euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none)
ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd
subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-change 



Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

Re: ausearch discrepancies?

[Joshua Roys]

On 06/04/2009 08:37 PM, LC Bruzenak wrote:
> F10, audit-1.7.12
>
> [root@slim ~]# ausearch -i -ts yesterday -te yesterday | grep "node=" |
> tail
> ...
>
> node=slim type=PATH msg=audit(06/03/2009 19:11:29.348:2884) : item=0
> name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00
> mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
> obj=system_u:object_r:mozilla_home_t:s0
> node=slim type=CWD msg=audit(06/03/2009 19:11:29.348:2884) :
> cwd=/home/lcb
> node=slim type=SYSCALL msg=audit(06/03/2009 19:11:29.348:2884) :
> arch=x86_64 syscall=unlink success=yes exit=0 a0=2bb999c a1=2bb999c a2=0
> a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb
> euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1
> comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox
> subj=user_u:user_r:user_t:s0 key=delete
>
> The results end with the above record.
>
> Then:
> [root@slim ~]# ausearch -i -ts yesterday  | grep "node=" | less
> ...
> node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0
> name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=
> 542803 dev=fd:00 mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
> obj=system_u:object_r:mozilla_home_t:s0
> node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) :
> cwd=/home/lcb
> node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) :
> arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=
> 36763bc a2=0 a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb
> gid=lcb euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lc
> b fsgid=lcb tty=(none) ses=1 comm=firefox
> exe=/usr/lib64/firefox-3.0.10/firefox subj=user_u:user_r:user_t:s0
> key=delete
> node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) :
> arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acb
> b60 a1=5 a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset
> uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=n
> tp fsgid=ntp tty=(none) ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd
> subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-ch
> ange
> node=slim type=USER_ACCT msg=audit(06/04/2009 00:01:01.716:3013) : user
> pid=14269 uid=root auid=unset ses=4294967295 subj=sys
> tem_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:accounting acct=root
> exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cro
> n res=success)'
>
> This shows plenty of events after the 19:11 event shown.
> Any ideas?
>
> # date
> Thu Jun  4 19:29:10 CDT 2009
>
> Reading the manpage is a little confusing on the -ts and -te meanings.
> I'm not sure I agree with the way it is stated, regardless the behavior
> above appears wrong ... but this appears to work correctly:
>
> ausearch -ts 06/03/2009 00:00:00 -te 06/03/2009 23:59:59 -i | grep
> "node=" | tail
> ...
> node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0
> name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00
> mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
> obj=system_u:object_r:mozilla_home_t:s0
> node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) :
> cwd=/home/lcb
> node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) :
> arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=36763bc a2=0
> a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb
> euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1
> comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox
> subj=user_u:user_r:user_t:s0 key=delete
> node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) :
> arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acbb60 a1=5
> a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset uid=ntp gid=ntp
> euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none)
> ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd
> subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-change
>
>
>
> Thx,
> LCB.
>

Yep, the man page says that if you don't specify the time (and by time, 
it means the hh:mm:ss part of the date-time) it chooses now.

        -te, --end [end-date] [end-time]
               Search  for  events  with  time stamps equal to or before 
the given end time. The format of end time depends on your locale. If 
the date is omitted,
               today is assumed. *If the time is omitted, now is 
assumed.* Use 24 hour clock time rather  than  AM  or  PM  to  specify 
time.  An  example  date  is
               10/24/2005. An example of time is 18:00:00.

Joshua Roys

Re: ausearch discrepancies?

[LC Bruzenak]

On Fri, 2009-06-05 at 07:53 -0400, Joshua Roys wrote:
> On 06/04/2009 08:37 PM, LC Bruzenak wrote:
> 
> Yep, the man page says that if you don't specify the time (and by time, 
> it means the hh:mm:ss part of the date-time) it chooses now.
> 
>         -te, --end [end-date] [end-time]
>                Search  for  events  with  time stamps equal to or before 
> the given end time. The format of end time depends on your locale. If 
> the date is omitted,
>                today is assumed. *If the time is omitted, now is 
> assumed.* Use 24 hour clock time rather  than  AM  or  PM  to  specify 
> time.  An  example  date  is
>                10/24/2005. An example of time is 18:00:00.
> 
> Joshua Roys

OH! I wondered why the last event for yesterday seemed strangely close
to today's time. It didn't occur to me that today's time would matter on
a date in the past.
Thank you! I appreciate the clarification.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

Re: ausearch discrepancies?

[Steve Grubb]

On Thursday 04 June 2009 08:37:17 pm LC Bruzenak wrote:
> This shows plenty of events after the 19:11 event shown.
> Any ideas?

Looks like a problem. FYI, using aureport shows the exact time range selected 
for the search. (Aureport and ausearch share the same time code.)

-Steve

Re: ausearch discrepancies?

[LC Bruzenak]

On Fri, 2009-06-05 at 11:32 -0400, Steve Grubb wrote:
> On Thursday 04 June 2009 08:37:17 pm LC Bruzenak wrote:
> > This shows plenty of events after the 19:11 event shown.
> > Any ideas?
> 
> Looks like a problem. FYI, using aureport shows the exact time range selected 
> for the search. (Aureport and ausearch share the same time code.)
> 
> -Steve

Seems like it is operating true to the man page (earlier email).
No?
I do not agree with the behavior...but agree it is consistent.

Here is my aureport data:

[root@audit audit]# date ;  aureport -ts yesterday -te yesterday -i 
Fri Jun  5 10:38:02 CDT 2009

Summary Report
======================
Range of time in logs: 06/04/2009 00:01:01.595 - 12/31/1969 18:00:00.000
Selected time for report: 06/04/2009 00:00:00 - 06/04/2009 10:38:02
...

But that also has possible issues (something might be wrong with the
range):
[root@audit audit]# ausearch -i -ts 12/31/1969 18:00:00.000 --just-one
Error - year is 1969

[root@audit audit]# ausearch -i | head
----
node=jcdx146 type=PATH msg=audit(06/02/2009 22:21:04.582:3374)

LCB.
 
-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

Re: ausearch discrepancies?

[Steve Grubb]

On Friday 05 June 2009 11:42:18 am LC Bruzenak wrote:
> On Fri, 2009-06-05 at 11:32 -0400, Steve Grubb wrote:
> > On Thursday 04 June 2009 08:37:17 pm LC Bruzenak wrote:
> > > This shows plenty of events after the 19:11 event shown.
> > > Any ideas?
> >
> > Looks like a problem. FYI, using aureport shows the exact time range
> > selected for the search. (Aureport and ausearch share the same time
> > code.)
>
> Seems like it is operating true to the man page (earlier email).
> No?
> I do not agree with the behavior...but agree it is consisten

Well, I don't think assuming a time of now is the right thing to do for 
keywords that mean something in the past. It should be midnight for an ending 
time.

-Steve