Bug 1382397
| Summary: | write_logs option is not correctly handled | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ondrej Moriš <omoris> | |
| Component: | audit | Assignee: | Steve Grubb <sgrubb> | |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> | |
| Severity: | high | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 7.3 | CC: | aperotti, dbodnarc, mgrepl, mmatsuya, omoris, rahranja | |
| Target Milestone: | rc | Keywords: | Regression, ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| URL: | https://fedorahosted.org/audit/changeset/1399 | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1415724 (view as bug list) | Environment: | ||
| Last Closed: | 2017-08-01 20:53:38 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1415724 | |||
Fixed in upstream commit 1399. If this gets fixed on z-stream, we also want commit 1421. The file audit-2.7-write-log.patch has been applied to the srpm. Successfully reproduced and verified. OLD (audit-2.6.5-3.el7) ======================= :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: log_format = NOLOG :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Command 'sed -i 's/^log_format.*/log_format = NOLOG/' /etc/audit/auditd.conf' (Expected 0, got 0) :: [ FAIL ] :: Command 'service auditd start && sleep 5' (Expected 0, got 1) :: [ FAIL ] :: Command 'service auditd status' (Expected 0, got 3) :: [ PASS ] :: Command 'auditctl -D' (Expected 0, got 0) :: [ PASS ] :: Command 'auditctl -a always,exit -W /tmp/tmp.WZcb8r1jmf -k NOLOG' (Expected 0, got 0) :: [ PASS ] :: Command 'cat /tmp/tmp.WZcb8r1jmf' (Expected 0, got 0) :: [ PASS ] :: Command 'ausearch -ts 06:45:47 -m SYSCALL -k NOLOG --raw' (Expected 1, got 1) :: [ PASS ] :: Command 'auditctl -D' (Expected 0, got 0) :: [ PASS ] :: Command 'service auditd stop && sleep 5' (Expected 0, got 0) :: [ LOG ] :: Duration: 5s :: [ LOG ] :: Assertions: 7 good, 2 bad :: [ FAIL ] :: RESULT: log_format = NOLOG NEW (audit-2.7.6-1.el7) ======================= :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: log_format = NOLOG :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Command 'sed -i 's/^log_format.*/log_format = NOLOG/' /etc/audit/auditd.conf' (Expected 0, got 0) :: [ PASS ] :: Command 'service auditd start && sleep 5' (Expected 0, got 0) :: [ PASS ] :: Command 'service auditd status' (Expected 0, got 0) :: [ PASS ] :: Command 'auditctl -D' (Expected 0, got 0) :: [ PASS ] :: Command 'auditctl -a always,exit -W /tmp/tmp.dsa2Na7XDn -k NOLOG' (Expected 0, got 0) :: [ PASS ] :: Command 'cat /tmp/tmp.dsa2Na7XDn' (Expected 0, got 0) :: [ PASS ] :: Command 'ausearch -ts 06:45:35 -m SYSCALL -k NOLOG --raw' (Expected 1, got 1) :: [ PASS ] :: Command 'auditctl -D' (Expected 0, got 0) :: [ PASS ] :: Command 'service auditd stop && sleep 5' (Expected 0, got 0) :: [ LOG ] :: Duration: 11s :: [ LOG ] :: Assertions: 9 good, 0 bad :: [ PASS ] :: RESULT: log_format = NOLOG More details can be found in CR##15626918. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2008 |
Description of problem: According to man page AUDITD.CONF(5): write_logs This yes/no keyword determines whether or not to write logs to the disk. Normally you want this so the default is yes. log_format The log format describes how the information should be stored on disk... The NOLOG option is now deprecated. If you were setting this format, now you should set the write_logs option to no. I would assume that NOLOG <=> "do not write anything to audit log" and since write_logs = no <=> log_format = NOLOG (deprecated), I expect that I cannot see audit event in the log. But this is not the case. Version-Release number of selected component (if applicable): audit-2.6.5-3.el7 How reproducible: 100% Steps to Reproduce: 1. Configure auditd not to write logs to disk (write_logs = no). 2. Restart the service. 3. Log something (eg. auditctl -m "TEST"). 4. See /var/log/audit/audit.log. Actual results: # grep write_logs /etc/audit/auditd.conf write_logs = no # service auditd restart Stopping logging: [ OK ] Redirecting start to /bin/systemctl start auditd.service # date Thu Oct 6 10:37:22 EDT 2016 # auditctl -m "TEST" # ausearch -ts 10:37:22 -m USER ---- time->Thu Oct 6 10:37:33 2016 type=USER msg=audit(1475764653.692:288): pid=14663 uid=0 auid=0 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='TEST exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/0 res=success' # grep TEST /var/log/audit/audit.log type=USER msg=audit(1475764653.692:288): pid=14663 uid=0 auid=0 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='TEST exe="/usr/sbin/auditctl" hostname=? addr=? terminal=pts/0 res=success' Expected results: Actually I am not sure, does auditd have some internal cache/buffer for events searched by ausearch? Or should auditd just ignore or throw away the events? Additional info: From what I see in the code [1] only events of type AUDIT_DAEMON_RECONFIG and AUDIT_DAEMON_ROTATE are respecting the write_log option. [1] https://github.com/linux-audit/audit-userspace/blob/3f2668e10b32547d9d2b40879bc06a88e41cf206/src/auditd-event.c#L484