audit-userspace

BUG: records from one event not grouped together

Open rgbriggs opened this issue 6 years ago • 2 comments

In recent testing of events for ghak90 and ghak110 it has been noticed that ausearch isn't grouping all the records of one event together even though the date/time/serial stamps are identical. It may be related to the fact that both records are in the 1000 block.

ghak90:

type=CONTAINER_OP msg=audit(2019-03-19 15:40:06.141:235) : op=set opid=698 old-contid=18446744073709551615 contid=123455 pid=698 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=test.sh exe=/usr/bin/bash res=yes 
----
type=CONTAINER_ID msg=audit(2019-03-19 15:40:06.141:235) : contid=123455 
type=PROCTITLE msg=audit(2019-03-19 15:40:06.141:235) : proctitle=/bin/sh ./test.sh 
type=SYSCALL msg=audit(2019-03-19 15:40:06.141:235) : arch=x86_64 syscall=write success=yes exit=7 a0=0x1 a1=0x55e34362ceb0 a2=0x7 a3=0xa items=0 ppid=676 pid=698 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=test.sh exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
----

ghak110:

time->Tue Mar 19 12:23:15 2019
type=LOGIN msg=audit(1553012595.401:219): pid=647 uid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=ttyS0 old-ses=4294967295 ses=1 res=1
----
time->Tue Mar 19 12:23:15 2019
type=PROCTITLE msg=audit(1553012595.401:219): proctitle=2F62696E2F6C6F67696E002D70002D2D0020202020
type=SYSCALL msg=audit(1553012595.401:219): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff3fb13380 a2=1 a3=0 items=0 ppid=1 pid=647 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
----

rgbriggs avatar Mar 19 '19 19:03 rgbriggs
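To show the grouping the report expects (every record carrying the same timestamp and serial is one event, however far apart ausearch printed them), here is an added Python example that is not code from audit-userspace or from this issue. The sample records are constructed from the ghak110 output above; `SAMPLE_LOG`, `parse_record`, `group_events` and `decode_proctitle` are names assumed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample (example code, not audit-userspace code): the raw ghak110 records
# from the report, trimmed, plus a record with serial 220 to show a distinct event.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1553012595.401:219): pid=647 uid=0 auid=0 tty=ttyS0 ses=1 res=1
type=PROCTITLE msg=audit(1553012595.401:219): proctitle=2F62696E2F6C6F67696E002D70002D2D0020202020
type=SYSCALL msg=audit(1553012595.401:219): arch=c000003e syscall=1 success=yes exit=1 pid=647 auid=0 comm="login" exe="/usr/bin/login" key=(null)
type=SYSCALL msg=audit(1553012595.402:220): arch=c000003e syscall=1 success=yes exit=1 pid=647 auid=0 comm="login" exe="/usr/bin/login" key=(null)
"""

# Accepts both the raw stamp "audit(1553012595.401:219)" and ausearch's interpreted
# form "audit(2019-03-19 15:40:06.141:235)"; the serial is the number after the last ':'.
_HEADER = re.compile(r"^type=(?P<type>\S+)\s+msg=audit\((?P<stamp>.+?):(?P<serial>\d+)\)\s*:?\s*(?P<rest>.*)$")
_FIELD = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into its type, event id (stamp, serial) and fields."""
    m = _HEADER.match(line.strip())
    if m is None:
        return None  # "----" separators, "time->" lines, blanks
    fields = {k: v.strip('"') for k, v in _FIELD.findall(m.group("rest"))}
    return {"type": m.group("type"),
            "event_id": (m.group("stamp"), m.group("serial")),
            "fields": fields}


def group_events(text):
    """Group records by (stamp, serial) only, so split-up records still land together."""
    events = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["event_id"], []).append(rec)
    return events


def decode_proctitle(value):
    """Turn a hex-encoded proctitle into its argv list (NUL separates arguments)."""
    if re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")
    return [value]  # already plain text
```

Running `group_events(SAMPLE_LOG)` yields two events: serial 219 with its LOGIN, PROCTITLE and SYSCALL records together, and serial 220 on its own.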

This is due to the range conditions in src/ausearch-lol.c:check_events()

rgbriggs avatar Apr 10 '19 22:04 rgbriggs

post v1 upstream: https://www.redhat.com/archives/linux-audit/2020-June/msg00061.html

rgbriggs avatar Jun 16 '20 12:06 rgbriggs

Closing this out since there is a PR for this.

stevegrubb avatar Jul 27 '23 17:07 stevegrubb