Fix checkpoint issue regarding AUDIT_USER end of event detection#396
Merged
stevegrubb merged 1 commit into linux-audit:master, Sep 11, 2024
Conversation
While consolidating the end of event function to a function, in commit ccd4bdb, the behavior changed as some messages -- such as AUDIT_USER messages -- were not considered anymore.

Example:

1) Before the change:

```
ts1="$(date +%T)"
touch test1.log
auditctl -m test1
ausearch -ts "${ts1}" --checkpoint chk1
----
time->Tue Sep 10 14:45:20 2024
type=USER msg=audit(1725993920.729:2968): pid=63311 uid=0 auid=0 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='text=test1 exe="/usr/sbin/auditctl" hostname=hostname-here addr=? terminal=pts/0 res=success'
```

2) After the change (current behavior):

```
ts2="$(date +%T)"
touch test2.log
auditctl -m test2
ausearch -ts "${ts2}" --checkpoint chk2
<no matches>
```

This commit gets the previous behavior back.

Signed-off-by: Sergio Correia <scorreia@redhat.com>
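The failure described above is easier to see with a small model of what a checkpointed search does: group records by their (time, serial) key, report only events whose end has been seen, and record the last complete event as the checkpoint. The script below is an added illustration written for this page, not code from audit-userspace or from the PR author. It models two end-of-event rules: one where only an EOE record closes an event (the regressed behavior, under which a standalone USER record never completes and so never matches), and one where any record outside the multi-record syscall family is a complete one-record event. The `MULTI_RECORD_TYPES` set, the function names and the sample records are assumptions made for the example; the USER lines are constructed to follow the layout of the record quoted in the PR description.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records (not captured from the reporter's system). The
# USER records follow the layout of the one quoted in the PR description.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1725993900.100:2960): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=4000 pid=4001 auid=0 uid=0 comm="touch" exe="/usr/bin/touch" key="files"
type=CWD msg=audit(1725993900.100:2960): cwd="/root"
type=PATH msg=audit(1725993900.100:2960): item=0 name="test1.log" nametype=CREATE
type=PROCTITLE msg=audit(1725993900.100:2960): proctitle=746F75636800746573743100
type=EOE msg=audit(1725993900.100:2960):
type=USER msg=audit(1725993920.729:2968): pid=63311 uid=0 auid=0 ses=4 msg='text=test1 exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/0 res=success'
type=USER msg=audit(1725993925.001:2970): pid=63320 uid=0 auid=0 ses=4 msg='text=test2 exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/0 res=success'
"""

# Every audit record starts with its type and an audit(seconds.millis:serial) header.
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):")

# Record types that, in this model, only appear inside a multi-record syscall
# event and therefore cannot end an event on their own. Assumed set for the
# illustration, not ausearch's own table.
MULTI_RECORD_TYPES = {"SYSCALL", "CWD", "PATH", "PROCTITLE", "EXECVE", "SOCKADDR"}


@dataclass
class Record:
    rtype: str
    secs: int
    msecs: int
    serial: int
    raw: str

    @property
    def key(self):
        # Records of one event share timestamp and serial number.
        return (self.secs, self.msecs, self.serial)


@dataclass
class Event:
    key: tuple
    records: list = field(default_factory=list)


def parse(log_text):
    """Parse raw audit records; lines without an audit header are skipped."""
    out = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            out.append(Record(m.group(1), int(m.group(2)), int(m.group(3)),
                              int(m.group(4)), line))
    return out


def is_end_of_event(rec, standalone_ends_event):
    """EOE always closes an event. With standalone_ends_event=True a record
    outside the syscall family (USER, USER_LOGIN, DAEMON_*, ...) is a
    one-record event and closes itself; with False it is left open forever,
    which is the regression the PR describes."""
    if rec.rtype == "EOE":
        return True
    return standalone_ends_event and rec.rtype not in MULTI_RECORD_TYPES


def complete_events(records, standalone_ends_event=True):
    """Group records by (time, serial) and return only events whose end was seen."""
    open_events = {}
    done = []
    for rec in records:
        ev = open_events.setdefault(rec.key, Event(rec.key))
        ev.records.append(rec)
        if is_end_of_event(rec, standalone_ends_event):
            done.append(open_events.pop(rec.key))
    return done


def checkpoint_search(log_text, since_secs, standalone_ends_event=True):
    """Model of 'ausearch -ts <since> --checkpoint': report complete events at
    or after since_secs and return the key of the last one as the checkpoint
    (None when nothing complete matched)."""
    events = [e for e in complete_events(parse(log_text), standalone_ends_event)
              if e.key[0] >= since_secs]
    checkpoint = events[-1].key if events else None
    return events, checkpoint


if __name__ == "__main__":
    for flag in (True, False):
        found, cp = checkpoint_search(SAMPLE_LOG, 1725993920, flag)
        print(f"standalone_ends_event={flag}: "
              f"{len(found)} match(es), checkpoint={cp}")
```

Running it with `standalone_ends_event=False` reproduces the "no matches" case: both USER records are parsed, but neither is ever marked complete, so nothing is reported and no checkpoint is written; with the rule restored, both USER events match and the checkpoint advances to the last of them.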
dcd023a to 84ba85d
Contributor: Thanks