On Tuesday, June 17, 2014 11:26:01 AM Eric Paris wrote:
> On Tue, 17 Jun 2014 10:56:24 -0400
>
> Steve Grubb wrote:
> > On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
> > > On Tue, 17 Jun 2014 16:09:32 +0200
> > >
> > > 2) Userspace silently throws records which are 'malformed' away,
>
On Tue, 17 Jun 2014 10:56:24 -0400
Steve Grubb wrote:
> On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
> > On Tue, 17 Jun 2014 16:09:32 +0200
> > 2) Userspace silently throws records which are 'malformed' away,
> > instead of just printing them...
> >
> > ausearch -m LOGIN should be ab
On 14/06/17, Steve Grubb wrote:
> On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
> > On Tue, 17 Jun 2014 16:09:32 +0200
> >
> > Laurent Bigonville wrote:
> > > Le Tue, 17 Jun 2014 09:29:21 -0400,
> > >
> > > Steve Grubb a écrit :
> > > > On Monday, June 16, 2014 05:20:10 PM Eric Paris
On 14/06/17, Eric Paris wrote:
> On Tue, 17 Jun 2014 16:09:32 +0200
> Laurent Bigonville wrote:
> > Le Tue, 17 Jun 2014 09:29:21 -0400,
> > Steve Grubb a écrit :
> >
> > > On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
> > [...]
> > > > I'd call this a pretty clear userspace bug where it
On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
> On Tue, 17 Jun 2014 16:09:32 +0200
>
> Laurent Bigonville wrote:
> > Le Tue, 17 Jun 2014 09:29:21 -0400,
> >
> > Steve Grubb a écrit :
> > > On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
> > [...]
> >
> > > > I'd call this a pr
On Tuesday, June 17, 2014 10:55:42 AM Richard Guy Briggs wrote:
> > This feel like 2 clear bugs.
> >
> > 1) The kernel records for LOGIN are 'malformed' in 3.14.
>
> Yes. That's why it got fixed for 3.15.
>
> 5ee9a75 audit: fix dangling keywords in audit_log_set_loginuid() output
> introd
On Tue, 17 Jun 2014 16:09:32 +0200
Laurent Bigonville wrote:
> Le Tue, 17 Jun 2014 09:29:21 -0400,
> Steve Grubb a écrit :
>
> > On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
> [...]
> > > I'd call this a pretty clear userspace bug where it just
> > > completely drops records, even if
Le Tue, 17 Jun 2014 09:29:21 -0400,
Steve Grubb a écrit :
> On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
[...]
> > I'd call this a pretty clear userspace bug where it just completely
> > drops records, even if it can't parse them...
>
> That theory can be tested by using:
>
> ausearch
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
> My guess is that userspace just throws away record where it doesn't find
> the auid= and ses= and you kernel happens to live in those couple of
> months were it had "new-ses" and "new-auid"
Was this patch sent to stable? The audit code tries
On Mon, 2014-06-16 at 17:24 -0400, Eric Paris wrote:
> On Mon, 2014-06-16 at 17:20 -0400, Eric Paris wrote:
>
> > I'd call this a pretty clear userspace bug where it just completely
> > drops records, even if it can't parse them...
>
> Definitely a userspace bug...
>
> [root@localhost eparis]# a
On Mon, 2014-06-16 at 17:20 -0400, Eric Paris wrote:
> I'd call this a pretty clear userspace bug where it just completely
> drops records, even if it can't parse them...
Definitely a userspace bug...
[root@localhost eparis]# ausearch -m login
[root@localhost eparis]# cat /var/log/audit/audit.
On Sat, 2014-06-14 at 13:53 +0200, Laurent Bigonville wrote:
> Le Thu, 5 Jun 2014 19:34:04 +0200,
> Laurent Bigonville a écrit :
>
> > Le Wed, 04 Jun 2014 19:04:52 -0400,
> > Steve Grubb a écrit :
> [...]
> > > You are missing a type=LOGIN event right here. If you do a "cat
> > > /proc/self/log
Le Thu, 5 Jun 2014 19:34:04 +0200,
Laurent Bigonville a écrit :
> Le Wed, 04 Jun 2014 19:04:52 -0400,
> Steve Grubb a écrit :
[...]
> > You are missing a type=LOGIN event right here. If you do a "cat
> > /proc/self/loginuid" and its set to something besides -1, we have a
> > kernel bug.
> >
>
Le Wed, 04 Jun 2014 19:04:52 -0400,
Steve Grubb a écrit :
> On Thursday, June 05, 2014 12:42:39 AM Laurent Bigonville wrote:
> > Le Wed, 04 Jun 2014 18:23:29 -0400,
> >
> > Steve Grubb a écrit :
> > > On Thursday, June 05, 2014 12:04:05 AM Laurent Bigonville wrote:
> > > > On my machine with au
On Thursday, June 05, 2014 12:42:39 AM Laurent Bigonville wrote:
> Le Wed, 04 Jun 2014 18:23:29 -0400,
>
> Steve Grubb a écrit :
> > On Thursday, June 05, 2014 12:04:05 AM Laurent Bigonville wrote:
> > > On my machine with audit 2.3.6 the following call to aulast is only
> > > displaying the "reb
Le Wed, 04 Jun 2014 18:23:29 -0400,
Steve Grubb a écrit :
> On Thursday, June 05, 2014 12:04:05 AM Laurent Bigonville wrote:
> > On my machine with audit 2.3.6 the following call to aulast is only
> > displaying the "reboot" pseudo-users and not the actual logins:
> >
> > ausearch --start this-m
On Thursday, June 05, 2014 12:04:05 AM Laurent Bigonville wrote:
> On my machine with audit 2.3.6 the following call to aulast is only
> displaying the "reboot" pseudo-users and not the actual logins:
>
> ausearch --start this-month --raw | aulast --stdin
>
> Passing the "--bad" option to aulast,
Hello,
On my machine with audit 2.3.6 the following call to aulast is only
displaying the "reboot" pseudo-users and not the actual logins:
ausearch --start this-month --raw | aulast --stdin
Passing the "--bad" option to aulast, seems to correctly return the
failed login attempt.
Also, adding th
18 matches
Mail list logo
