Bug 1381601
| Field | Value |
|---|---|
| Summary | audit package update |
| Product | Red Hat Enterprise Linux 7 |
| Component | audit |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | 7.4 |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | audit-2.7.6-1.el7 |
| Reporter | Steve Grubb <sgrubb> |
| Assignee | Steve Grubb <sgrubb> |
| QA Contact | Ondrej Moriš <omoris> |
| Docs Contact | Mirek Jahoda <mjahoda> |
| CC | grzegorz.halat, mgrepl, omoris, pmoore, pvrabec, rsawhill, santony |
| Doc Type | Rebase: Bug Fixes and Enhancements |
| Story Points | --- |
| Clone Of | |
| | 1428393 |
| Last Closed | 2017-08-01 20:53:38 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1399823 |
| Bug Blocks | 1377248 |

Doc Text

_audit_ rebased to version 2.7.6

The _audit_ packages have been updated to upstream version 2.7.6, which provides a number of enhancements, new features, and bug fixes, including:

* The *auditd* service now automatically adjusts logging directory permissions when it starts up. This helps keep directory permissions correct after performing a package upgrade.
* The *ausearch* utility has a new "--format" output option. The "--format text" option presents an event as an English sentence describing what is happening. The "--format csv" option normalizes each event into a subject, object, action, result, and how it occurred, plus some metadata fields, and writes it in Comma Separated Value (CSV) format. This is suitable for pushing event information into a database, spreadsheet, or other analytic programs to view, chart, or analyze audit events.
* The *auditctl* utility can now reset the lost event counter in the kernel through the "--reset-lost" command-line option. This makes checking for lost events easier since you can reset the value to zero daily.
* *ausearch* and *aureport* now have a "boot" option for the "--start" command-line option to find events since the system booted.
* *ausearch* and *aureport* provide a new "--escape" command-line option to better control what kind of escaping is done to audit fields. It currently supports `raw`, `tty`, `shell`, and `shell_quote` escaping.
* *auditctl* no longer allows rules with the entry filter. This filter has not been supported since Red Hat Enterprise Linux 5. Prior to this release, on Red Hat Enterprise Linux 6 and 7, *auditctl* moved any entry rule to the exit filter and displayed a warning that the entry filter is deprecated.
Description
Steve Grubb
2016-10-04 14:06:15 UTC
I just checked multikey support added in 2.6.6. It looks like either I am misunderstanding details of this new feature or there are some issues:
1. ausearch output
==================
Single key, in raw mode, ausearch outputs key as key="singlekey1" while
in interpreting mode it is key=singlekey1. Multiple keys, in raw mode
it is key=6D756C74696B657933016D756C74696B657934 while in interpreting
mode it is key=multikey3 key=multikey4. Is that expected?
2. ausearch key filtering
=========================
Consider the following cases:
a) # auditctl -w file1 -k singlekey1
# auditctl -w file2 -k singlekey2
# rm -f file1
# rm -f file2
This produces two events now, one keyed with singlekey1 and
another keyed with singlekey2. I.e.
# ausearch -m syscall -sc unlinkat -k singlekey1
# ausearch -m syscall -sc unlinkat -k singlekey2
produces two events with their associated records.
Issue A1
--------
# ausearch -m syscall -sc unlinkat -k singlekey
This should produce nothing because there is no such key, but it
does, it outputs events associated with either singlekey1 or
singlekey2.
Issue A2
--------
# ausearch -m syscall -sc unlinkat -k singlekey1 -k singlekey2
IMHO more key parameters in ausearch should mean either "AND" or
"OR" (and it should better be explicitly stated in man page).
Hence I would have expected either two events or none. But it outputs
only events associated with singlekey1.
b) # auditctl -w file1 -k multikey1 -k multikey2
# auditctl -w file2 -k multikey2 -k multikey3
# auditctl -w file3 -k multikey3 -k multikey4
# rm -f file1
# rm -f file2
# rm -f file2
Again, three sets of events are produced, each of them with two
keys.
Issue B1
--------
# ausearch -m syscall -sc unlinkat -k multikey1 -k multikey2
Again, if multiple -k means AND, command should produce single
events with multikey key=multikey1 key=multikey2. If -k means OR,
command should produce two events. And it does. Therefore it
looks like it works as OR. But then...
# ausearch -m syscall -sc unlinkat -k multikey3 -k multikey4
Outputs only one event which indicates that multiple -k works like
AND and not OR.
Issue B2
--------
# ausearch -m syscall -sc unlinkat -k multikey2 -k multikey3
This should produce either one or three events - first with "key=multikey1
key=multikey2", second with "key=multikey2 key=multikey3" and the
last with "key=multikey3 key=multikey4". But it actually outputs two events
- second and third.
Issue B3
--------
# ausearch -m syscall -sc unlinkat -k multikey
Similarly to (A2) I would expect no events but there are three of them.
Item 1, yes that is expected. You can check the original design with audit-2.3.3 which was the RHEL 7 GA package. This bug is about restoring the old behavior broken during the TTY escaping work. Issue A1, keys match on partial names just like file names. You can pass --word to match the whole word. Issue A2, we can only search on 1 key. The last key typed in wins. Issue B is related to the above. You cannot specify multiple keys to ausearch just like you cannot specify multiple files. The last item is related to partial matching. Add -w to make it a whole word match.

I checked the ausearch man page for the -w option and see that keys is missing. I pushed an update to github to clarify that.

audit-2.7.4-1.el7 was built to resolve this issue.

Updated version numbers. Another bz mandated a respin to a newer version that fixed the problem.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2008
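To make the two behaviours discussed above concrete, here is an added Python example (not part of this bug report or of the audit project): it decodes the raw-mode key field, which is a quoted string for one key or a hex-encoded blob with the keys joined by a 0x01 byte for a multikey rule, and applies the matching rules from the reply, substring by default and whole word with -w. The log records are constructed for the example.

```python
import re

# Constructed sample records (not real log output) modelled on the cases in
# the bug: two single-key rules and three two-key rules, one event each.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1475589975.101:201): arch=c000003e syscall=263 success=yes exit=0 comm="rm" key="singlekey1"
type=SYSCALL msg=audit(1475589975.102:202): arch=c000003e syscall=263 success=yes exit=0 comm="rm" key="singlekey2"
type=SYSCALL msg=audit(1475589975.103:203): arch=c000003e syscall=263 success=yes exit=0 comm="rm" key=6D756C74696B657931016D756C74696B657932
type=SYSCALL msg=audit(1475589975.104:204): arch=c000003e syscall=263 success=yes exit=0 comm="rm" key=6D756C74696B657932016D756C74696B657933
type=SYSCALL msg=audit(1475589975.105:205): arch=c000003e syscall=263 success=yes exit=0 comm="rm" key=6D756C74696B657933016D756C74696B657934
"""

# key= is either a quoted string (one key), a hex blob (several keys) or (null).
KEY_RE = re.compile(r'\bkey=("([^"]*)"|([0-9A-Fa-f]+)|\(null\))')
SERIAL_RE = re.compile(r'msg=audit\([0-9.]+:(\d+)\)')

def decode_key_field(line):
    """Return the list of keys carried by one raw audit record.

    A rule with several -k keys stores them joined by a 0x01 byte; that byte
    is not printable, so the field is written hex-encoded, which is the
    key=6D75...34 form seen in raw ausearch output.  Interpreted mode shows
    the same data as key=multikey3 key=multikey4.
    """
    m = KEY_RE.search(line)
    if not m or m.group(0).endswith("(null)"):
        return []
    if m.group(2) is not None:                      # quoted single key
        return [m.group(2)]
    raw = bytes.fromhex(m.group(3))                 # ValueError on bad hex
    return [k.decode("utf-8") for k in raw.split(b"\x01") if k]

def key_matches(keys, wanted, whole_word=False):
    """ausearch -k semantics as explained in the reply: a substring match on
    any of the record's keys, or an exact match when -w/--word is given."""
    if whole_word:
        return wanted in keys
    return any(wanted in k for k in keys)

def search_by_key(log_text, wanted, whole_word=False):
    """Return the serial numbers of the records whose key field matches.
    Only one key is searched, mirroring ausearch (the last -k given wins)."""
    hits = []
    for line in log_text.splitlines():
        keys = decode_key_field(line)
        if keys and key_matches(keys, wanted, whole_word):
            hits.append(int(SERIAL_RE.search(line).group(1)))
    return hits
```

Running `search_by_key(SAMPLE_LOG, "singlekey")` reproduces Issue A1 (both single-key events match), while passing `whole_word=True` returns nothing, as the -w option would.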