On Tuesday, June 17, 2014 10:55:42 AM Richard Guy Briggs wrote:
> > This feels like 2 clear bugs.
> >
> > 1) The kernel records for LOGIN are 'malformed' in 3.14.
>
> Yes. That's why it got fixed for 3.15.
>
> 5ee9a75 audit: fix dangling keywords in audit_log_set_loginuid() output
> introduced it between 3.13 and 3.14-rc1
>
> aa589a1 audit: remove superfluous new- prefix in AUDIT_LOGIN messages
> fixed it between 3.14 and 3.15-rc1
>
> So it is fine in 3.15.

We need this fixed in current kernels. It's a low-risk patch that fixes this problem for a lot of people.

> > 2) Userspace silently throws records which are 'malformed' away, instead
> > of just printing them...
>
> So according to Linus, we (I) violated the "thou shalt not break
> userspace" golden rule with the second patch.
>
> But it was already broken according to Steve which is why the first
> patch was submitted.
>
> > ausearch -m LOGIN should be able to display these things...
>
> Agreed.
>
> One lesson here? Let's get a minimum useful subset of
> http://people.redhat.com/sgrubb/audit/audit-parse.txt into
> linux-2.6/Documentation/ tree to try to avoid this issue in the future.

I'd like to reformat that before putting it in the Linux kernel. It needs to be written from a generic howto perspective and not a library design perspective. Although that document is what has guided audit event design for about 8 or 9 years.

-Steve