linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: ausearch does not reliably find nodes when date is specified #83

Closed ghost closed 6 years ago

ghost commented 6 years ago

Hi folks, maybe it's just me or there's something wrong with the way I search through events, but the following command returned no matches:

[root@MasterServer audit]# ausearch -i -ts '18/05/18' -hn Client-Machine | more

However, if I search the logs for that date and grep "Client-Machine", this time I get (quite a lot of) results.

[root@MasterServer audit]# ausearch -i -ts '18/05/18' | grep Client-Machine | more
node=Client-Machine type=LOGIN msg=audit(18/05/18 00:00:01.364:894794) : pid=101815 uid=root subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=unset auid=root tty=(none) old-ses=4294967295 ses=72579 res=yes
node=Client-Machine type=PROCTITLE msg=audit(18/05/18 00:00:01.362:894792) : proctitle=/usr/sbin/unix_chkpwd root chkexpiry
node=Client-Machine type=PATH msg=audit(18/05/18 00:00:01.362:894792) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=8067 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL
node=Client-Machine type=PATH msg=audit(18/05/18 00:00:01.362:894792) : item=0 name=/usr/sbin/unix_chkpwd inode=116424 dev=fd:00 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chkpwd_exec_t:s0 objtype=NORMAL
node=Client-Machine type=EXECVE msg=audit(18/05/18 00:00:01.362:894792) : argc=3 a0=/usr/sbin/unix_chkpwd a1=root a2=chkexpiry
node=Client-Machine type=SYSCALL msg=audit(18/05/18 00:00:01.362:894792) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ff7e82df3cd a1=0x7ffc385aced0 a2=0x7ff7e84e2388 a3=0x2 items=2 ppid=101815 pid=101816 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=rootcmd
node=Client-Machine type=PROCTITLE msg=audit(18/05/18 00:00:01.364:894793) : proctitle=/usr/sbin/unix_chkpwd root chkexpiry
node=Client-Machine type=PATH msg=audit(18/05/18 00:00:01.364:894793) : item=0 name=/etc/shadow inode=8388687 dev=fd:00 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=NORMAL
node=Client-Machine type=SYSCALL msg=audit(18/05/18 00:00:01.364:894793) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7fc932407453 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=101815 pid=101816 aui
--More--

A couple of things that come to mind:

1 - Perhaps the date format I use is incorrect? The ausearch manual does not give any clear examples.
2 - The node I am targeting has a hyphenated name, "Client-Machine"... perhaps that is a misleading name for a node?

Thanks,
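An independent way to check a report like the one above, as an added example that is not part of this issue and not ausearch's own code: it parses raw audit.log records (constructed sample lines, not taken from the thread) by node and timestamp, so the per-node record count for a day can be compared with what `ausearch -ts ... -hn` returns. It assumes the standard raw record layout and interprets timestamps in UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample in raw audit.log layout (not from the issue). 1526601601 = 2018-05-18 00:00:01 UTC.
SAMPLE_LOG = """\
node=Client-Machine type=LOGIN msg=audit(1526601601.364:894794): pid=101815 uid=0 auid=0 ses=72579 res=1
node=Client-Machine type=SYSCALL msg=audit(1526601601.362:894792): arch=c000003e syscall=59 success=yes exit=0 key="rootcmd"
node=other-host type=SYSCALL msg=audit(1526601605.100:12): arch=c000003e syscall=2 success=yes exit=3 key="rootcmd"
node=Client-Machine type=SYSCALL msg=audit(1526688001.000:894800): arch=c000003e syscall=2 success=yes exit=3 key="rootcmd"
"""

# Raw record: optional node= prefix, type=, then msg=audit(seconds.millis:serial):
RECORD_RE = re.compile(
    r"^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+"
    r"msg=audit\((?P<secs>\d+)\.(?P<frac>\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)

def parse_record(line):
    """Parse one raw record into a dict (ts is an aware UTC datetime); None if no match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    micros = int((m["frac"] + "000000")[:6])  # audit writes 3 fractional digits
    ts = datetime.fromtimestamp(int(m["secs"]), tz=timezone.utc).replace(microsecond=micros)
    return {"node": m["node"], "type": m["type"], "ts": ts,
            "serial": int(m["serial"]), "rest": m["rest"]}

def filter_records(lines, node=None, day=None):
    """Records whose node equals `node` exactly (hyphens included) and whose
    timestamp falls on `day`, given as YYYY-MM-DD in UTC."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if node is not None and rec["node"] != node:
            continue
        if day is not None and rec["ts"].date().isoformat() != day:
            continue
        out.append(rec)
    return out

def count_by_node(lines, day):
    """Per-node record counts for one day, to compare against what ausearch -hn returns."""
    counts = {}
    for rec in filter_records(lines, day=day):
        counts[rec["node"]] = counts.get(rec["node"], 0) + 1
    return counts
```

Run it over the real file with `filter_records(open("/var/log/audit/audit.log"), node="Client-Machine", day="2018-05-18")`; a non-empty result where `ausearch -hn` returns nothing isolates the search tool from the data.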
rgbriggs commented 6 years ago

At a quick glance, this appears to be a linux-audit userspace bug and should be filed at:

https://github.com/linux-audit/audit-userspace/issues/new
pcmoore commented 6 years ago

Unfortunately I don't see a way to move GH issues across repos, so I'll create a pointer over there and close this issue ...

Heads up @stevegrubb.

pcmoore commented 6 years ago

Closing, please use https://github.com/linux-audit/audit-userspace/issues/50.