Bug 1241634

Summary: LOG_AUTH/LOG_AUTHPRIV should be supported facilities in audispd syslog plugin
Product: Red Hat Enterprise Linux 7
Component: audit
Version: 7.2
Target Release: 7.3
Target Milestone: rc
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Type: Bug
Keywords: FutureFeature
Doc Type: Bug Fix
Reporter: Christopher Cashell <topher-redhat>
Assignee: Steve Grubb <sgrubb>
QA Contact: Ondrej Moriš <omoris>
CC: lmiksik, omoris, pmoore, pvrabec, sgrubb, topher-redhat
Fixed In Version: audit-2.6.1-1.el7
Last Closed: 2016-11-04 06:12:20 UTC

Description Christopher Cashell 2015-07-09 16:28:05 UTC
Description of problem:

The audispd syslog plugin should accept LOG_AUTH and LOG_AUTHPRIV as available facilities for logging. auditd is often used for logging "auth"-related activity, and the AUTH or AUTHPRIV facilities are the logical facilities it should be logged to.

Version-Release number of selected component (if applicable):

all

How reproducible:

always

Steps to Reproduce:

1. Edit /etc/audisp/plugins.d/syslog.conf to include the "args" option of LOG_AUTH or LOG_AUTHPRIV
2. Restart auditd/audispd

Actual results:

An error saying that LOG_AUTH or LOG_AUTHPRIV are unknown facilities.

Expected results:

No error is seen, and logs are sent to syslog with the LOG_AUTH or LOG_AUTHPRIV facility.

Additional info:

Fix is simply adding the entries to audispd-builtins.c:

--- orig/audit-2.4.2/audisp/audispd-builtins.c  2015-04-28 15:03:04.000000000 -0500
+++ audit-2.4.2/audisp/audispd-builtins.c       2015-07-07 10:43:38.000000000 -0500
@@ -302,6 +302,10 @@
                                facility = LOG_LOCAL6;
                        else if (strcasecmp(conf->args[i], "LOG_LOCAL7") == 0)
                                facility = LOG_LOCAL7;
+                       else if (strcasecmp(conf->args[i], "LOG_AUTH") == 0)
+                               facility = LOG_AUTH;
+                       else if (strcasecmp(conf->args[i], "LOG_AUTHPRIV") == 0)
+                               facility = LOG_AUTHPRIV;
                        else {
                                syslog(LOG_ERR,
                                        "Unknown log priority/facility %s",
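Review bot: the shipped /etc/audisp/plugins.d/syslog.conf comment ("Valid options are LOG_LOCAL0 through 7", quoted in comment 10) is not updated alongside these two new strcasecmp() branches, so an admin reading the config file will still believe LOG_AUTH and LOG_AUTHPRIV are rejected; add both names to that comment in the same patch rather than leaving it for a follow-up. Because the new branches sit in the same chain that ends in the existing "Unknown log priority/facility %s" error, a misspelt facility is reported with exactly the wording the reporter saw before the patch, which is fine, but it means the config comment is the only place a user learns which names are valid.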

Comment 2 Steve Grubb 2015-10-13 15:45:21 UTC
I think the merits of this request should have been discussed on the linux-audit mail list to see if anyone else has an opinion.

Comment 3 Christopher Cashell 2015-10-13 22:54:13 UTC
(In reply to Steve Grubb from comment #2)
> I think the merits of this request should have been discussed on the
> linux-audit mail list to see if anyone else has an opinion.

I wasn't trying to bypass anyone else's opinions.  When I submitted this, I wasn't sure how or where to suggest this.

I was setting up audit logging, realized that it wasn't accepting the facilities I expected, so I grabbed the source, patched mine to do what I needed, and threw this bug report up here with my (trivial) patch for it.

If there is a mailing list where this can or should be discussed for possible inclusion, I'd be happy to send it there.  I've installed my patched package on a bunch of internal servers to fit with our audit logging requirements, but I'd love to not have to maintain it.

To confirm, linux-audit is where you would like it sent?

Comment 4 Steve Grubb 2015-10-14 00:45:51 UTC
Yes, that is the mail list. But ask it as a question if other people would like to have this capability. Thanks! If you are not subscribed, I can allow the post through without you needing to subscribe.

Comment 7 Steve Grubb 2016-06-03 20:54:02 UTC
This landed in the 2.5 release upstream. At this point it's not likely to go into RHEL6. It will be in the next RHEL7 update. Moving this bz to RHEL7 for QE testing.

Comment 10 Ondrej Moriš 2016-07-07 15:23:26 UTC
Both LOG_AUTH and LOG_AUTHPRIV facilities are working, but there is a minor issue remaining in the config file: none of the new facilities is mentioned there:

# cat /etc/audisp/plugins.d/syslog.conf
# This file controls the configuration of the syslog plugin.
# It simply takes events and writes them to syslog. The
# arguments provided can be the default priority that you
# want the events written with. And optionally, you can give
# a second argument indicating the facility that you want events
# logged to. Valid options are LOG_LOCAL0 through 7.

Comment 11 Steve Grubb 2016-07-07 15:36:41 UTC
Fix in upstream commit 1329.

Comment 12 Ondrej Moriš 2016-07-08 12:23:03 UTC
Thanks Steve. 

Bug is now successfully reproduced and verified (TJ#1395546). Facilities LOG_USER, LOG_SYSLOG, LOG_AUTH and LOG_AUTHPRIV are now supported by the plug-in. The only issue found is mentioned in Comment #10 and already resolved upstream (Comment #11). In case of a future respin of the 7.3 errata, it would be good to include that commit.
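Tying together the reproduction steps in the description, the syslog.conf comment quoted in comment 10 and the facility list verified in comment 12, the following is an added example, not code from the audit project or from anyone in this thread. It checks an audispd `args` line offline the way the plugin's single strcasecmp() chain does, against the facility set accepted before and after audit 2.5, and then shows where a stock RHEL 7 rsyslog rule set would route the resulting messages, which is the practical difference between LOG_AUTHPRIV and the LOG_LOCALn facilities the plugin previously forced on users. The plugin defaults (LOG_INFO, LOG_USER), the rsyslog rule text and the sample syslog.conf are assumptions constructed for the example, not taken from the page.

```python
"""Offline check of an audispd syslog plugin `args` line and its rsyslog routing."""

# syslog(3) priority names, lowest to highest severity.
PRIORITIES = ["LOG_DEBUG", "LOG_INFO", "LOG_NOTICE", "LOG_WARNING",
              "LOG_ERR", "LOG_CRIT", "LOG_ALERT", "LOG_EMERG"]

# Facilities the plugin accepted before this bug's fix (audit < 2.5): LOG_LOCAL0-7
# only, as the shipped syslog.conf comment said.  audit 2.5+ adds LOG_AUTH and
# LOG_AUTHPRIV (the patch in this bug) plus LOG_USER and LOG_SYSLOG (comment 12).
FACILITIES_BEFORE_FIX = frozenset(f"LOG_LOCAL{i}" for i in range(8))
FACILITIES_AFTER_FIX = FACILITIES_BEFORE_FIX | {
    "LOG_AUTH", "LOG_AUTHPRIV", "LOG_USER", "LOG_SYSLOG"}

# Used when args names no priority / no facility (assumption for this example).
DEFAULT_PRIORITY, DEFAULT_FACILITY = "LOG_INFO", "LOG_USER"


def parse_plugin_args(conf_text, supported):
    """Return (priority, facility, error) for a plugins.d/syslog.conf body.

    Names match case-insensitively and in any order, like the plugin's single
    strcasecmp() chain; `error` mirrors the plugin's log line for a bad name.
    """
    args = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep and key.strip() == "args":
                args = value.split()
    priority, facility = DEFAULT_PRIORITY, DEFAULT_FACILITY
    for arg in args:
        name = arg.upper()
        if name in PRIORITIES:
            priority = name
        elif name in supported:
            facility = name
        else:
            return None, None, f"Unknown log priority/facility {arg}"
    return priority, facility, None


# Constructed copy of the rule section of a stock RHEL 7 /etc/rsyslog.conf
# (assumption: the receiving host has not customised its rules).
STOCK_RSYSLOG_RULES = """\
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    :omusrmsg:*
uucp,news.crit                             /var/log/spooler
local7.*                                   /var/log/boot.log
"""

_PRI_INDEX = {p[4:].lower(): i for i, p in enumerate(PRIORITIES)}  # info -> 1 ...


def _selector_matches(selectors, facility, pri_idx):
    """Evaluate a classic `fac,fac.pri;fac.none` selector list; later entries win."""
    threshold = None                         # None: facility not selected
    for sel in selectors.split(";"):
        facs, _, pri = sel.rpartition(".")
        names = facs.split(",")
        if "*" not in names and facility not in names:
            continue
        pri = pri.lower()
        if pri == "none":
            threshold = None
        elif pri == "*":
            threshold = 0
        elif pri in _PRI_INDEX:
            threshold = _PRI_INDEX[pri]      # this priority and above
        else:
            raise ValueError(f"unsupported selector syntax: {sel}")
    return threshold is not None and pri_idx >= threshold


def rsyslog_destinations(rules, facility, priority):
    """Actions that fire for a message logged with the given LOG_* facility/priority."""
    fac = facility[4:].lower()               # LOG_AUTHPRIV -> authpriv
    pri_idx = PRIORITIES.index(priority)
    hits = []
    for raw in rules.splitlines():
        line = raw.strip()
        if line and line[0] not in "#$":
            selectors, action = line.split(None, 1)
            if _selector_matches(selectors, fac, pri_idx):
                hits.append(action)
    return hits


if __name__ == "__main__":
    # Constructed syslog.conf with the args the reporter wanted to use.
    CONF = "active = yes\ntype = builtin\nargs = LOG_INFO LOG_AUTHPRIV\n"
    for label, ok in (("audit < 2.5", FACILITIES_BEFORE_FIX),
                      ("audit >= 2.5", FACILITIES_AFTER_FIX)):
        pri, fac, err = parse_plugin_args(CONF, ok)
        print(label, err or f"{pri}|{fac} -> "
              f"{rsyslog_destinations(STOCK_RSYSLOG_RULES, fac, pri)}")
```

Run against the stock rules, LOG_INFO events sent with LOG_AUTHPRIV land only in /var/log/secure because `authpriv.none` excludes them from /var/log/messages, while LOG_AUTH and every LOG_LOCALn facility fall through `*.info` into /var/log/messages; that routing difference, not the plugin itself, is what the choice of facility buys. If the receiving rsyslog has site-specific rules, paste its rule section into STOCK_RSYSLOG_RULES before trusting the answer; the evaluator handles the classic `facility.priority`, `.none` and `*` forms and deliberately raises on the `=`/`!` modifiers it does not model.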

Comment 14 errata-xmlrpc 2016-11-04 06:12:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2418.html