Bug 1296204

Summary: RFE: Rebase audit package
Product: Red Hat Enterprise Linux 7 Reporter: Steve Grubb <sgrubb>
Component: audit    Assignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: medium Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: 7.2    CC: bressers, ksrot, lmiksik, mjahoda, mmalik, omoris, plautrba, rsawhill, sgrubb, stormi
Target Milestone: rc    Keywords: FutureFeature, Rebase
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: audit-2.6.5-3.el7 Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_audit_ rebased to version 2.6.5

The _audit_ packages contain the user space utilities for storing and searching the audit records which have been generated by the audit subsystem in the Linux kernel. The _audit_ packages have been upgraded to upstream version 2.6.5, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:

* The *audit* daemon now includes a new flush technique called `incremental_async`, which improves its performance approximately 90 times.
* The *audit* system now has many more rules that can be composed into an *audit* policy. Some of these new rules include support for the Security Technical Implementation Guide (STIG), PCI Data Security Standard, and other capabilities such as auditing the occurrence of 32-bit syscalls, significant power usage, or module loading.
* The `auditd.conf` configuration file and the `auditctl` command now support many new options.
* The *audit* system now supports a new log format called `enriched`, which resolves UID, GID, syscall, architecture, and network addresses. This will aid in log analysis on a machine that differs from where the log was generated.
Story Points: ---
Clone Of:
: 1350425 Environment:
Last Closed: 2016-11-04 06:13:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1296594, 1313485    

Description Steve Grubb 2016-01-06 15:24:45 UTC
Description of problem:
The audit package needs to be rebased in order to fix a number of bugs and to pick up new features that users are requesting. RHEL7 currently has a 2.4.1 based package. The rebase would add:

* audit by process name
* improved audit rules
* performance improvements in auditd
* correct the interlaced records problem in auparse
* fix CVE-2015-5186 - log terminal emulator escape sequences handling
* fix linked list correctness in ausearch/report
* fix ausearch to parse FEATURE_CHANGE events
* enrich audit events as stated here: http://people.redhat.com/sgrubb/audit/event-enrichment
* correct processing of obj_gid in auditctl

There are some other bug fixes and features that are in flight and can be added to this bz later. As for which current bugs that will be covered by the rebase, I would say all of them that have a devel ack.
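The Doc Text above describes the `enriched` log format, and the description lists event enrichment as one of the rebase's features. The parser below is an added example, not code from the audit project or this bug report, showing why enrichment matters when logs are analysed on a different host: the numeric uid and syscall number in the raw record only mean something on the machine that wrote them, while the enriched fields carry the names resolved there. It assumes the enriched layout where the raw record is followed by an ASCII 0x1d group separator and then upper-case `NAME=value` pairs; the two sample records are constructed for this example and are not real captures.

```python
import re
from typing import Dict, Optional, Tuple

# ASCII 0x1d (group separator) splits the raw record from the appended enriched
# fields. Assumption: this matches the upstream "enriched" log format layout.
ENRICH_SEP = "\x1d"

# Raw field name -> enriched (upper-case) field name, for the resolutions the
# rebase description lists: uid/gid, syscall and arch.
ENRICHED_NAMES = {
    "uid": "UID", "gid": "GID", "auid": "AUID", "euid": "EUID", "egid": "EGID",
    "suid": "SUID", "sgid": "SGID", "fsuid": "FSUID", "fsgid": "FSGID",
    "syscall": "SYSCALL", "arch": "ARCH",
}

# Constructed sample records (not captured from a real host; values illustrative).
SAMPLE_ENRICHED = (
    'type=SYSCALL msg=audit(1465401102.336:10): arch=c000003e syscall=257 '
    'success=yes exit=3 a0=ffffff9c a1=7ffd1e5a9b30 a2=0 a3=0 items=1 ppid=1 '
    'pid=2345 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="file-watch"'
    + ENRICH_SEP +
    'ARCH=x86_64 SYSCALL=openat AUID="alice" UID="root" GID="root" EUID="root" '
    'SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"'
)
SAMPLE_RAW = (
    'type=SYSCALL msg=audit(1465401102.336:11): arch=c000003e syscall=59 '
    'success=yes exit=0 pid=2346 auid=1000 uid=1000 gid=1000 comm="id" '
    'exe="/usr/bin/id" key="exec-watch"'
)

# key=value pairs; a value is either a double-quoted string or a run of non-space.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_MSG_RE = re.compile(r'^audit\((\d+\.\d+):(\d+)\):?$')


def _parse_fields(text: str) -> Dict[str, str]:
    """Turn 'k=v k2="v 2"' into a dict, stripping the quotes from quoted values."""
    fields = {}
    for key, value in _FIELD_RE.findall(text):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_record(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one log line into (raw fields, enriched fields).

    A record written without enrichment (an older auditd, or a daemon not
    configured for the enriched format) has no separator; the enriched dict
    is then empty rather than the parse failing.
    """
    raw_part, sep, enriched_part = line.rstrip("\n").partition(ENRICH_SEP)
    raw = _parse_fields(raw_part)
    enriched = _parse_fields(enriched_part) if sep else {}
    return raw, enriched


def resolve_field(line: str, name: str) -> Optional[str]:
    """Prefer the value resolved on the generating host; fall back to the raw one.

    On an analysis machine with a different /etc/passwd or kernel the raw
    numeric uid or syscall number may map to something else, so the
    enriched value wins whenever it is present.
    """
    raw, enriched = parse_record(line)
    resolved = enriched.get(ENRICHED_NAMES.get(name, name.upper()))
    return resolved if resolved is not None else raw.get(name)


def event_id(line: str) -> Optional[Tuple[float, int]]:
    """Return (timestamp, serial) from msg=audit(ts:serial), or None if absent."""
    raw, _ = parse_record(line)
    match = _MSG_RE.match(raw.get("msg", ""))
    if not match:
        return None
    return float(match.group(1)), int(match.group(2))


def summarize(line: str) -> str:
    """One-line summary that flags records carrying no enrichment at all."""
    raw, enriched = parse_record(line)
    tag = "enriched" if enriched else "raw-only"
    return (f'{raw.get("type", "?")} uid={resolve_field(line, "uid")} '
            f'syscall={resolve_field(line, "syscall")} '
            f'arch={resolve_field(line, "arch")} '
            f'comm={raw.get("comm", "?")} [{tag}]')


if __name__ == "__main__":
    for sample in (SAMPLE_ENRICHED, SAMPLE_RAW):
        print(summarize(sample))
```

Running the block prints one summary per sample; the second is tagged `raw-only` because it has no separator, which is the case an analyst should treat with suspicion when the log came from another machine.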

Comment 8 Steve Grubb 2016-06-22 20:16:37 UTC
audit-2.6-2.el7 has been built to address this issue.

Comment 12 Steve Grubb 2016-06-23 21:16:04 UTC
Looks like bug 1118262 is fixed by upstream commit 1284 which is not in 2.6.

Comment 16 Steve Grubb 2016-06-28 22:17:37 UTC
For completeness, there is a format issue in audispd where protocol 1 events are missing the newline character. I'll need to do a patch.

Comment 17 Ondrej Moriš 2016-09-14 10:47:55 UTC
The following new major features were tested:

  - BZ#1241634: Allow more syslog facilities in audispd-syslog
  - BZ#1135565: Add audit by process name support to auditctl
  - BZ#1127343:
    * Auditd support for enriched data: uid/gid, saddr splitting, arch, syscall
    * Make all libraries and utilities support and use enriched events
    * Fix interpretation of saddr fields when using enriched events
  - BZ#1271669, BZ#1271669 and BZ#1281545
    * Update ausearch/report buffer size for locales with large time formats
    * Fix DST bug in ausearch/report time handling
    * Fix another DST bug in ausearch time conversion (#1334772)

Other notable changes tested:

  - Have auditd do an fsync before closing log
  - Make default flush setting larger
  - In auditd, add incremental_async flushing mode
  - Updated and added audit rules
  - Create audit-stop.rules to clean up audit subsystem on stop
  - Add optional ExecStopPost to auditd.service to clear rules on service exit
  - Auditd fixup directory and file permissions on startup

The complete list of changes between 2.4.5 and 2.6.5 can be found in the upstream
changelog [1].
                                                                                
Sanity, regression testing and general errata check-list (specfile, 
integration, performance, etc.) passed audit-2.6.5-3.el7 and hence I 
consider this bug to be successfully verified.
                                                                                
[1] https://people.redhat.com/sgrubb/audit/ChangeLog

Comment 19 errata-xmlrpc 2016-11-04 06:13:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2418.html

Comment 20 Samuel Verschelde 2018-11-29 09:50:52 UTC
CVE-2015-5186 says "will not fix" but according to this bug report it is fixed, isn't it?

Comment 21 Steve Grubb 2018-11-29 12:58:37 UTC
I understand how that might appear to be inconsistent. If you look at the CVSS score, it's only 4.3. This means that it is not severe enough to warrant an out of band security update. Instead, if there is a rebase of the package that picks up the fix, then it's good for everyone but doesn't change the initial assessment.