Bug 1559032

Summary: Rebase audit package to 2.8.4 to pick up bug fixes
Product: Red Hat Enterprise Linux 7 Reporter: Steve Grubb <sgrubb>
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: medium Docs Contact: Mirek Jahoda <mjahoda>
Priority: medium    
Version: 7.5CC: jkucera, kwalker, mjahoda, mthacker, omoris, sgrubb
Target Milestone: rcKeywords: Rebase
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: audit-2.8.4-2.el7 Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_audit_ rebased to 2.8.4 The _audit_ packages have been upgraded to upstream version 2.8.4, which provides a number of bug fixes and enhancements over the previous version. Notable changes include: * Added support for dumping internal state. You can now run the "service auditd state" command to see information about the *Audit* daemon. * Added support for the `SOFTWARE_UPDATE` event generated by the *rpm* and *yum* tools. * Allowed unlimited retries during a remote logging startup. This helps to start even if the aggregating server is not running when a client is booted. * Improved IPv6 remote logging.
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 11:28:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 1553233    

Description Steve Grubb 2018-03-21 14:40:22 UTC
Description of problem:
Upstream audit  has fixed a number of bugs. The changelog is not very big. Its very close to what was done for RHEL 7.5.

2.8.3
- Correct msg function name in lru debug code
- Fix a segfault in auditd when dns resolution isn't available
- Make a reload legacy service for auditd
- In auparse python bindings, expose some new types that were missing
- In normalizer, pickup subject kind for user_login events
- Fix interpretation of unknown ioctcmds (#1540507)
- Add ANOM_LOGIN_SERVICE, RESP_ORIGIN_BLOCK, & RESP_ORIGIN_BLOCK_TIMED events
- In auparse_normalize for USER_LOGIN events, map acct for subj_kind
- Fix logging of IPv6 addresses in DAEMON_ACCEPT events (#1534748)
- Do not rotate auditd logs when num_logs < 2 (brozs)

2.8.2
- Update tables for 4.14 kernel
- Fixup ipv6 server side binding
- AVC report from aureport was missing result column header (#1511606)
- Add SOFTWARE_UPDATE event
- In ausearch/report pickup any path and new-disk fields as a file
- Fix value returned by auditctl --reset-lost (Richard Guy Briggs)
- In auparse, fix expr_create_timestamp_comparison_ex to be numeric field
- Fix building on old systems without linux/fanotify.h
- Fix shell portability issues reported by shellcheck
- Auditd validate_email should not use gethostbyname

Additional info:
audit-2.8.3 is in F27 & F28 right now.

Comment 1 Steve Grubb 2018-04-09 13:13:22 UTC
Also, these should be picked up in a rebase:

- Generate checkpoint file even when not results are returned (Burn Alting)
- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
- Use SIGCONT to dump auditd internal state (#1504251)
- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)

Comment 5 Steve Grubb 2018-06-20 13:57:02 UTC
audit-2.8.4-1.el7 has been built to address this issue.

Comment 14 errata-xmlrpc 2018-10-30 11:28:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3237