From: Richard Guy Briggs <rgb@redhat.com>
To: Linux-Audit Mailing List <linux-audit@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>, eparis@parisplace.org
Subject: [PATCH ghau86] allow LOGIN event record to be grouped with its SYSCALL record
Date: Tue, 16 Jun 2020 08:05:50 -0400
Message-ID: <1592309150-11920-1-git-send-email-rgb@redhat.com>
LOGIN records were not grouped with the rest of their event, records with the
identical timestamp and serial number:
----
time->Tue Mar 19 12:23:15 2019
type=LOGIN msg=audit(1553012595.401:219): pid=647 uid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=ttyS0 old-ses=4294967295 ses=1 res=1
----
time->Tue Mar 19 12:23:15 2019
type=PROCTITLE msg=audit(1553012595.401:219): proctitle=2F62696E2F6C6F67696E002D70002D2D0020202020
type=SYSCALL msg=audit(1553012595.401:219): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff3fb13380 a2=1 a3=0 items=0 ppid=1 pid=647 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
----
Tidy up the list/ranges of records to be in ascending order for easier parsing
and updating by humans.
See the upstream issues
https://github.com/linux-audit/audit-userspace/issues/86
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
src/ausearch-lol.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
index e70945612f79..f0f36e04dd93 100644
--- a/src/ausearch-lol.c
+++ b/src/ausearch-lol.c
@@ -246,12 +246,14 @@ static void check_events(lol *lo, time_t sec)
if (cur->l->e.sec + 2 <= sec) {
cur->status = L_COMPLETE;
ready++;
- } else if (cur->l->e.type == AUDIT_PROCTITLE ||
- cur->l->e.type < AUDIT_FIRST_EVENT ||
- cur->l->e.type >= AUDIT_FIRST_ANOM_MSG ||
- cur->l->e.type == AUDIT_KERNEL ||
- (cur->l->e.type >= AUDIT_MAC_UNLBL_ALLOW &&
- cur->l->e.type <= AUDIT_MAC_CALIPSO_DEL)) {
+ } else if ( cur->l->e.type < AUDIT_LOGIN ||
+ (cur->l->e.type > AUDIT_LOGIN &&
+ cur->l->e.type < AUDIT_FIRST_EVENT ) ||
+ cur->l->e.type == AUDIT_PROCTITLE ||
+ (cur->l->e.type >= AUDIT_MAC_UNLBL_ALLOW &&
+ cur->l->e.type <= AUDIT_MAC_CALIPSO_DEL) ||
+ cur->l->e.type == AUDIT_KERNEL ||
+ cur->l->e.type >= AUDIT_FIRST_ANOM_MSG ) {
// If known to be 1 record event, we are done
cur->status = L_COMPLETE;
ready++;
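Review bot: the AUDIT_LOGIN carve-out in the first two lines of the new condition, `cur->l->e.type < AUDIT_LOGIN || (cur->l->e.type > AUDIT_LOGIN && cur->l->e.type < AUDIT_FIRST_EVENT)`, reads more directly as `cur->l->e.type < AUDIT_FIRST_EVENT && cur->l->e.type != AUDIT_LOGIN`, and that form makes the intent (LOGIN is the one low-numbered type that is not a single-record event) visible without consulting the commit message; the stray spaces inside `( cur->l->e.type` and `AUDIT_FIRST_EVENT )` also differ from the surrounding style. A one-line comment above the `} else if` saying LOGIN is excluded because it shares a timestamp and serial with its SYSCALL record would keep the reason in the code. Since the message says the terms were sorted ascending, also check whether `== AUDIT_KERNEL` belongs after `>= AUDIT_FIRST_ANOM_MSG`; if AUDIT_KERNEL is the larger value, that test is already covered by the `>=` comparison.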
--
1.8.3.1
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
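The grouping behaviour the commit message describes, modelled in Python as an added example (this is not ausearch's own code): the two `single_record_*` predicates transcribe the condition before and after the patch, `group_events` is a simplified stand-in for the event assembly in ausearch-lol.c, and the type numbers and sample records are assumed/constructed.

```python
import re

# Record type numbers as in linux/audit.h (assumed from the uapi header).
AUDIT_LOGIN, AUDIT_SERVICE_START = 1006, 1130
AUDIT_FIRST_EVENT, AUDIT_SYSCALL, AUDIT_EOE, AUDIT_PROCTITLE = 1300, 1300, 1320, 1327
AUDIT_MAC_UNLBL_ALLOW, AUDIT_MAC_CALIPSO_DEL = 1406, 1419
AUDIT_FIRST_ANOM_MSG, AUDIT_KERNEL = 1700, 2000
TYPE_BY_NAME = {"LOGIN": AUDIT_LOGIN, "SERVICE_START": AUDIT_SERVICE_START,
                "SYSCALL": AUDIT_SYSCALL, "EOE": AUDIT_EOE, "PROCTITLE": AUDIT_PROCTITLE}
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")

def single_record_before(t):
    # Test before the patch: LOGIN is swept up by t < AUDIT_FIRST_EVENT.
    return (t == AUDIT_PROCTITLE or t < AUDIT_FIRST_EVENT or t >= AUDIT_FIRST_ANOM_MSG
            or t == AUDIT_KERNEL or AUDIT_MAC_UNLBL_ALLOW <= t <= AUDIT_MAC_CALIPSO_DEL)

def single_record_after(t):
    # Test after the patch: AUDIT_LOGIN is carved out of the low range.
    return (t < AUDIT_LOGIN or AUDIT_LOGIN < t < AUDIT_FIRST_EVENT or t == AUDIT_PROCTITLE
            or AUDIT_MAC_UNLBL_ALLOW <= t <= AUDIT_MAC_CALIPSO_DEL or t == AUDIT_KERNEL
            or t >= AUDIT_FIRST_ANOM_MSG)

def group_events(lines, single_record):
    """Simplified model of ausearch's event assembly (2-second timeout omitted):
    records sharing (timestamp, serial) join the open event for that key; the
    first record's type decides whether it closes at once; EOE closes it."""
    events = []
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:
            continue
        name, key = m.group(1), (m.group(2), int(m.group(3)))
        t = TYPE_BY_NAME[name]
        open_ev = next((e for e in events if e["key"] == key and not e["done"]), None)
        if t == AUDIT_EOE:
            if open_ev:
                open_ev["done"] = True
        elif open_ev:
            open_ev["types"].append(name)
        else:
            events.append({"key": key, "types": [name], "done": single_record(t)})
    return [e["types"] for e in events]

# Constructed sample in raw audit.log arrival order (LOGIN precedes SYSCALL/EOE).
SAMPLE = [
    "type=LOGIN msg=audit(1553012595.401:219): pid=647 uid=0 old-auid=4294967295 auid=0 ses=1 res=1",
    "type=SYSCALL msg=audit(1553012595.401:219): arch=c000003e syscall=1 success=yes exit=1 pid=647",
    "type=PROCTITLE msg=audit(1553012595.401:219): proctitle=2F62696E2F6C6F67696E",
    "type=EOE msg=audit(1553012595.401:219): ",
    "type=SERVICE_START msg=audit(1553012596.100:220): pid=1 uid=0 msg='unit=sshd' res=success",
]
```

Running `group_events(SAMPLE, single_record_before)` splits event 219 into a LOGIN-only event and a SYSCALL/PROCTITLE event, while `single_record_after` keeps all three records together; SERVICE_START is a genuine single-record event under both.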