* What does "---" in audit.log timestamp / event-id field mean?
@ 2022-05-12  8:01 Sam Pinkus
  2022-05-17 21:41 ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Sam Pinkus @ 2022-05-12  8:01 UTC (permalink / raw)
  To: linux-audit

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


* Re: What does "---" in audit.log timestamp / event-id field mean?
  2022-05-12  8:01 What does "---" in audit.log timestamp / event-id field mean? Sam Pinkus
@ 2022-05-17 21:41 ` Steve Grubb
  2022-05-18 16:25   ` Lenny Bruzenak
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2022-05-17 21:41 UTC (permalink / raw)
  To: linux-audit

Hello,

On Thursday, May 12, 2022 4:01:34 AM EDT Sam Pinkus wrote:
> I'm using auditd=1:2.8.4-3 on Debian. I got this event in my audit.log:
> 
> 
> ...
> type=SYSCALL msg=audit(16523210---): arch=c000003e syscall=87 success=yes
> exit=0 a0=7f867d66a3ed a1=7f867d66a3ed a2=0 a3=792f18 items=2 ppid=2275
> pid=16746 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
> egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=4C5320546872656164
> exe="/usr/lib/firefox-esr/firefox-esr" subj==unconfined key="delete"
> type=CWD msg=audit(1652321038.100:23444): cwd="/home/sam"
> type=PATH msg=audit(1652321038.100:23444): item=0
> name="/home/sam/.mozilla/firefox/baey2He4.default/" inode=15861713
> dev=fe:01 mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
> cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH
> msg=audit(1652321038.100:23444): item=1
> name="/home/sam/.mozilla/firefox/baey2He4.default/webappsstore.sqlite-wal"
> inode=15860647 dev=fe:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
> nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=PROCTITLE msg=audit(1652321038.100:23444):
> proctitle="/usr/lib/firefox-esr/firefox-esr"
> 
> I.e. there is an incomplete timestamp and no event ID in the first line of
> the event "16523210---".

I have never seen such a problem. Looking at both the kernel and userspace 
code, I do not see what could possibly do this. There is no code with 
exactly 3 dashes in the audit user space or kernel.

-Steve


* Re: What does "---" in audit.log timestamp / event-id field mean?
  2022-05-17 21:41 ` Steve Grubb
@ 2022-05-18 16:25   ` Lenny Bruzenak
  2022-05-18 17:06     ` Casey Schaufler
  0 siblings, 1 reply; 4+ messages in thread
From: Lenny Bruzenak @ 2022-05-18 16:25 UTC (permalink / raw)
  To: linux-audit

On 5/17/22 16:41, Steve Grubb wrote:

> Hello,
>
> On Thursday, May 12, 2022 4:01:34 AM EDT Sam Pinkus wrote:
>> I'm using auditd=1:2.8.4-3 on Debian. I got this event in my audit.log:
>>
>>
>> ...
>> type=SYSCALL msg=audit(16523210---): arch=c000003e syscall=87 success=yes
>> exit=0 a0=7f867d66a3ed a1=7f867d66a3ed a2=0 a3=792f18 items=2 ppid=2275
>> pid=16746 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
>> egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=4C5320546872656164
>> exe="/usr/lib/firefox-esr/firefox-esr" subj==unconfined key="delete"
>> type=CWD msg=audit(1652321038.100:23444): cwd="/home/sam"
>> type=PATH msg=audit(1652321038.100:23444): item=0
>> name="/home/sam/.mozilla/firefox/baey2He4.default/" inode=15861713
>> dev=fe:01 mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
>> cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH
>> msg=audit(1652321038.100:23444): item=1
>> name="/home/sam/.mozilla/firefox/baey2He4.default/webappsstore.sqlite-wal"
>> inode=15860647 dev=fe:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
>> nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
>> type=PROCTITLE msg=audit(1652321038.100:23444):
>> proctitle="/usr/lib/firefox-esr/firefox-esr"
>>
>> I.e. there is an incomplete timestamp and no event ID in the first line of
>> the event "16523210---".
> I have never seen such a problem. Looking at both the kernel and userspace
> code, I do not see what could possibly do this. There is no code with
> exactly 3 dashes in the audit user space or kernel.

I see "subj==" which I do not think is correct. Are you certain the 
event was not manipulated after the fact?

LCB

-- 
Lenny Bruzenak
MagitekLTD


* Re: What does "---" in audit.log timestamp / event-id field mean?
  2022-05-18 16:25   ` Lenny Bruzenak
@ 2022-05-18 17:06     ` Casey Schaufler
  0 siblings, 0 replies; 4+ messages in thread
From: Casey Schaufler @ 2022-05-18 17:06 UTC (permalink / raw)
  To: Lenny Bruzenak, linux-audit

On 5/18/2022 9:25 AM, Lenny Bruzenak wrote:
> On 5/17/22 16:41, Steve Grubb wrote:
>
>> Hello,
>>
>> On Thursday, May 12, 2022 4:01:34 AM EDT Sam Pinkus wrote:
>>> I'm using auditd=1:2.8.4-3 on Debian. I got this event in my audit.log:
>>>
>>>
>>> ...
>>> type=SYSCALL msg=audit(16523210---): arch=c000003e syscall=87 success=yes
>>> exit=0 a0=7f867d66a3ed a1=7f867d66a3ed a2=0 a3=792f18 items=2 ppid=2275
>>> pid=16746 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
>>> egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=4C5320546872656164
>>> exe="/usr/lib/firefox-esr/firefox-esr" subj==unconfined key="delete"
>>> type=CWD msg=audit(1652321038.100:23444): cwd="/home/sam"
>>> type=PATH msg=audit(1652321038.100:23444): item=0
>>> name="/home/sam/.mozilla/firefox/baey2He4.default/" inode=15861713
>>> dev=fe:01 mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
>>> cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH
>>> msg=audit(1652321038.100:23444): item=1
>>> name="/home/sam/.mozilla/firefox/baey2He4.default/webappsstore.sqlite-wal"
>>> inode=15860647 dev=fe:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
>>> nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
>>> type=PROCTITLE msg=audit(1652321038.100:23444):
>>> proctitle="/usr/lib/firefox-esr/firefox-esr"
>>>
>>> I.e. there is an incomplete timestamp and no event ID in the first line of
>>> the event "16523210---".
>> I have never seen such a problem. Looking at both the kernel and userspace
>> code, I do not see what could possibly do this. There is no code with
>> exactly 3 dashes in the audit user space or kernel.
>
> I see "subj==" which I do not think is correct.

This is normal (if not strictly desirable) for AppArmor.

> Are you certain the event was not manipulated after the fact?
>
> LCB
>
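A small integrity check for records like the one reported above, added here as an example and not code from the thread or from the audit project: it parses each record's `msg=audit(TS:SERIAL)` header, flags a header that is not of the form `seconds.millis:serial` (the reported `16523210---`), and warns when the records of one event do not all share the same id. The `subj==unconfined` form is kept as AppArmor emits it, per Casey's note. The sample event is reconstructed from the report with some fields trimmed.

```python
import re
from typing import Dict, List

HEADER = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<hdr>[^)]*)\):\s*(?P<body>.*)$')
WELL_FORMED = re.compile(r'^\d{10}\.\d{3}:\d+$')      # seconds.millis:serial
FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Constructed sample: the event from the report, SYSCALL header left exactly
# as reported ("16523210---"); some fields trimmed for length.
SAMPLE = """\
type=SYSCALL msg=audit(16523210---): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2275 pid=16746 auid=1000 uid=1000 tty=(none) ses=2 comm=4C5320546872656164 exe="/usr/lib/firefox-esr/firefox-esr" subj==unconfined key="delete"
type=CWD msg=audit(1652321038.100:23444): cwd="/home/sam"
type=PATH msg=audit(1652321038.100:23444): item=0 name="/home/sam/.mozilla/firefox/baey2He4.default/" nametype=PARENT
type=PATH msg=audit(1652321038.100:23444): item=1 name="/home/sam/.mozilla/firefox/baey2He4.default/webappsstore.sqlite-wal" nametype=DELETE
type=PROCTITLE msg=audit(1652321038.100:23444): proctitle="/usr/lib/firefox-esr/firefox-esr"
"""

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into its type, raw header and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rec = {"type": m["type"], "hdr": m["hdr"]}
    # "subj==unconfined" splits into key "subj", value "=unconfined": AppArmor
    # emits the leading "=", so it is kept rather than reported as damage.
    for key, val in FIELD.findall(m["body"]):
        rec[key] = val.strip('"')
    return rec

def check_event(text: str) -> List[str]:
    """Findings for one event: malformed headers, and records whose
    well-formed headers do not all carry the same timestamp:serial."""
    findings: List[str] = []
    ids = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if WELL_FORMED.match(rec["hdr"]):
            ids.add(rec["hdr"])
        else:
            findings.append(f"{rec['type']}: malformed header audit({rec['hdr']})")
    if len(ids) > 1:
        findings.append(f"records span {len(ids)} event ids: {sorted(ids)}")
    return findings
```

Running `check_event(SAMPLE)` reports only the SYSCALL header; the remaining four records agree on `1652321038.100:23444`.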

