Bug 1334772

Summary: ausearch results depend on order of parameters
Product: [Fedora] Fedora
Component: audit
Version: 23
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: medium
Reporter: Ondrej Moriš <omoris>
Assignee: Steve Grubb <sgrubb>
QA Contact: Ondrej Moriš <omoris>
CC: mvadkert, sgrubb
Keywords: Reopened
Fixed In Version: audit-2.6-3.fc24 audit-2.6.2-1.fc24
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-07-03 12:22:44 UTC
Bug Blocks: 1281852

Description Ondrej Moriš 2016-05-10 13:55:48 UTC
Description of problem:

Different ordering of parameters (-m and -ts) gives different results:

# TS=$(date "+%x %T")
# auditctl -m "TEST"

# ausearch -ts $TS -m USER
----
time->Tue May 10 15:51:49 2016
type=USER msg=audit(1462888309.211:4946): pid=18323 uid=0 auid=1000 ses=16 subj=staff_u:lspp_test_r:auditctl_t:s0-s15:c0.c1023 msg='TEST exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/5 res=success'

# ausearch -m USER -ts $TS
<no matches>

# ausearch -ts $TS -m USER
----
time->Tue May 10 15:51:49 2016
type=USER msg=audit(1462888309.211:4946): pid=18323 uid=0 auid=1000 ses=16 subj=staff_u:lspp_test_r:auditctl_t:s0-s15:c0.c1023 msg='TEST exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/5 res=success'

# ausearch -ts $TS
----
time->Tue May 10 15:51:49 2016
type=USER msg=audit(1462888309.211:4946): pid=18323 uid=0 auid=1000 ses=16 subj=staff_u:lspp_test_r:auditctl_t:s0-s15:c0.c1023 msg='TEST exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/5 res=success'

Version-Release number of selected component (if applicable):

audit-2.5.1-1.fc23

How reproducible:

100%

Steps to Reproduce:

1. TS=$(date "+%x %T")
2. auditctl -m "TEST"
3. ausearch -m USER -ts $TS
4. ausearch -ts $TS -m USER

Actual results:

No event in (3) and a single event in (4).

Expected results:

The same single event in (3) and (4).

Additional info:

This is a regression from 2.4.5-1.fc23.

Comment 1 Steve Grubb 2016-05-10 14:19:21 UTC
Something is definitely wrong. It's acting like a DST bug even though it shouldn't. If the time parameter has an hour subtracted from it, it finds the event.

Comment 2 Steve Grubb 2016-06-08 00:25:22 UTC
Amazingly the same source code works fine on RHEL 7.

Comment 3 Steve Grubb 2016-06-08 02:58:01 UTC
This program shows a behavior difference between Fedora and RHEL. Should this be a bug on its own? Not sure if this is THE bug, but it's A bug.


#define _XOPEN_SOURCE
#include <stdio.h>
#include <time.h>
#include <string.h>
#include <locale.h>

time_t start_time = 0;

void init_time(const char *da, const char *ti)
{
        struct tm d;
        strptime(da, "%x", &d);
        strptime(ti, "%X", &d);
        start_time = mktime(&d);
}

int main(void)
{
        setlocale (LC_ALL, "en_US.utf8");

        init_time("06/07/2016", "17:00:00");
        printf("Time is: %s\n", ctime(&start_time));

        return 0;
}
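
Added example (not part of the comment above and not the audit project's code): one way a strptime()/mktime() pair shaped like the reproducer can land exactly one hour off, shown next to a hardened form. It assumes glibc's mktime() handling of tm_isdst, uses explicit formats instead of %x/%X so it does not depend on an installed locale, and uses a constructed POSIX TZ string; parse_seeded, parse_hardened and use_dst_zone are hypothetical names.

```c
#define _XOPEN_SOURCE 700       /* strptime(), setenv(), tzset() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Explicit prototype in case <time.h> was included before the macro above. */
char *strptime(const char *s, const char *fmt, struct tm *tm);

/* Constructed zone: US Eastern rules as a POSIX TZ string (no tzdata needed). */
static void use_dst_zone(void)
{
        setenv("TZ", "EST5EDT,M3.2.0,M11.1.0", 1);
        tzset();
}

/* Reproducer-shaped parse. isdst_seed stands in for whatever value an
 * uninitialized tm_isdst slot happens to hold; strptime() does not set it here. */
time_t parse_seeded(const char *da, const char *ti, int isdst_seed)
{
        struct tm d;
        memset(&d, 0, sizeof(d));
        d.tm_isdst = isdst_seed;
        use_dst_zone();
        if (!strptime(da, "%m/%d/%Y", &d) || !strptime(ti, "%H:%M:%S", &d))
                return (time_t)-1;
        return mktime(&d);      /* trusts the seeded tm_isdst */
}

/* Hardened parse: clear the struct, then let mktime() decide DST itself. */
time_t parse_hardened(const char *da, const char *ti)
{
        struct tm d;
        memset(&d, 0, sizeof(d));
        use_dst_zone();
        if (!strptime(da, "%m/%d/%Y", &d) || !strptime(ti, "%H:%M:%S", &d))
                return (time_t)-1;
        d.tm_isdst = -1;        /* "unknown": look it up for this date */
        return mktime(&d);
}

int main(void)
{
        time_t good = parse_hardened("06/07/2016", "17:00:00");
        time_t bad = parse_seeded("06/07/2016", "17:00:00", 0);
        printf("hardened=%ld seeded(0)=%ld diff=%ld\n", (long)good, (long)bad, (long)(bad - good));
        return 0;
}
```

A start time computed an hour late excludes events logged just before it, which matches the symptom that subtracting an hour from the time parameter finds the event.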

Comment 4 Steve Grubb 2016-06-08 13:59:57 UTC
I filed rhbz #1344014 for the mktime issue above.

Comment 5 Steve Grubb 2016-06-08 16:49:01 UTC
Fixed in upstream commit #1255. This fix will be in audit-2.5.3 when released.

Comment 6 Fedora Update System 2016-06-22 22:11:14 UTC
audit-2.6-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-4f6589e252

Comment 7 Fedora Update System 2016-06-22 22:11:27 UTC
audit-2.6-3.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-122f332493

Comment 8 Fedora Update System 2016-06-23 18:56:47 UTC
audit-2.6-3.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-122f332493

Comment 9 Fedora Update System 2016-06-23 19:25:58 UTC
audit-2.6-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-4f6589e252

Comment 10 Fedora Update System 2016-06-24 18:53:04 UTC
audit-2.6-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-06-29 02:03:28 UTC
audit-2.6.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-20e8af4a21

Comment 12 Fedora Update System 2016-06-29 18:26:35 UTC
audit-2.6.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-20e8af4a21

Comment 13 Fedora Update System 2016-07-01 16:20:40 UTC
audit-2.6.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-bf659f2cf3

Comment 14 Fedora Update System 2016-07-01 16:21:00 UTC
audit-2.6.2-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-afa82d90dd

Comment 15 Fedora Update System 2016-07-02 20:29:15 UTC
audit-2.6.2-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-afa82d90dd

Comment 16 Fedora Update System 2016-07-02 20:54:09 UTC
audit-2.6.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-bf659f2cf3

Comment 17 Fedora Update System 2016-07-03 12:22:34 UTC
audit-2.6.2-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.