On Tue, 17 Jun 2014 16:09:32 +0200 Laurent Bigonville <[email protected]> wrote:
> On Tue, 17 Jun 2014 09:29:21 -0400,
> Steve Grubb <[email protected]> wrote:
>
> > On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
> [...]
> > > I'd call this a pretty clear userspace bug where it just
> > > completely drops records, even if it can't parse them...
> >
> > That theory can be tested by using:
> >
> > ausearch --start this-week --debug > /dev/null
> >
> > Anything that gets tossed out will be reported to stderr.
>
> I'm getting indeed quite a lot of skipped events:
>
> Malformed event skipped, rc=7. type=LOGIN
> msg=audit(1402934401.462:1626): pid=1719 uid=0 old-auid=4294967295
> new-auid=0 old-ses=4294967295 new-ses=121 res=1

This feels like 2 clear bugs.

1) The kernel records for LOGIN are 'malformed' in 3.14.
2) Userspace silently throws records which are 'malformed' away, instead of just printing them...

ausearch -m LOGIN should be able to display these things...
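The behaviour asked for in point 2, sketched as an added example (not part of the original message and not ausearch code): a record reader that keeps and displays records it cannot fully parse, flagged, rather than discarding them. The record grammar is a simplified assumption, and every sample line except the LOGIN record quoted in the thread is constructed.

```python
import re
from dataclasses import dataclass, field

# Simplified record grammar (an assumption, not ausearch's real parser):
#   type=<TYPE> msg=audit(<sec>.<ms>:<serial>): key=value ...
HEADER = re.compile(r"^type=(\S+)\s+msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$")
FIELD = re.compile(r"([^\s=]+)=(\"[^\"]*\"|'[^']*'|\S*)")

# First line is the record quoted in the thread; the rest are constructed.
SAMPLE = [
    "type=LOGIN msg=audit(1402934401.462:1626): pid=1719 uid=0 "
    "old-auid=4294967295 new-auid=0 old-ses=4294967295 new-ses=121 res=1",
    "type=LOGIN msg=audit(1402934500.100:1700): pid=42 garbage res=1",
    "type=LOGIN msg=audit(truncated",
    "type=USER_START msg=audit(1402934402.000:1627): pid=1719 uid=0 res=success",
]

@dataclass
class Record:
    raw: str
    rtype: str = "UNKNOWN"
    serial: int = -1
    fields: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

def parse(line):
    """Parse one record; on any problem keep the raw text and note why."""
    rec = Record(raw=line.rstrip("\n"))
    m = HEADER.match(rec.raw)
    if not m:
        loose = re.search(r"\btype=(\S+)", rec.raw)  # keep it searchable by type
        rec.rtype = loose.group(1) if loose else rec.rtype
        rec.problems.append("bad header")
        return rec
    rec.rtype, rec.serial, body = m.group(1), int(m.group(2)), m.group(3)
    for key, value in FIELD.findall(body):
        rec.fields[key] = value.strip("\"'")
    leftover = " ".join(FIELD.sub(" ", body).split())  # text that is not key=value
    if leftover:
        rec.problems.append(f"unparsed text: {leftover!r}")
    return rec

def search(lines, rtype):
    """Return every record of rtype, including ones parsed with problems."""
    return [r for r in map(parse, lines) if r.rtype == rtype]

def render(rec):
    """Flag a problematic record, but always show its original text."""
    tag = f"[partial: {'; '.join(rec.problems)}] " if rec.problems else ""
    return tag + rec.raw

if __name__ == "__main__":
    print("\n".join(render(r) for r in search(SAMPLE, "LOGIN")))
```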
