Bug 1399314

Summary: [RFE] Allow non-equality comparisons for uid and gid fields
Product: Red Hat Enterprise Linux 7 Reporter: emahoney
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: cww, mthacker, omoris
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: audit-2.8-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 12:18:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1420851, 1476406    

Description emahoney 2016-11-28 18:07:58 UTC 
Description of problem:

Currently you can only use non-equality comparisons for \timestamp, \timestamp_ex and \record_type. Allowing non-equality comparisons will allow users of audit-viewer to put in values such as UID >= 500 rather than having to one-by-one do UID =500, UID =501 ... etc. 

Here is the response from the maintainter:
~~~
ausearch-expression(5) says
Evaluate  the  "value" of field, and compare it to value.  A "value" may be defined for any field or virtual field, but no "value" is currently defined for any audit record field. … If field does not define a "value", an error is reported when parsing the expression.

i.e. non-equality comparisons of anything but \timestamp, \timestamp_ex and \record_type are not currently possible.
~~~


Steps to Reproduce:
1.Enter value in audit-viewer as a non-equality expression UID > 500
2.
3.

Actual results:
When you use a value like UID > 500 it errors out


Expected results:
Returns audit for UIDs greater than 500. 

Additional info:
N/A
Comment 3 Steve Grubb 2017-10-09 12:48:16 UTC 
Fixed in upstream commit c661ba7.
Comment 4 Steve Grubb 2017-10-09 12:50:42 UTC 
Test program to check this feature:

#include <stdio.h>
#include <auparse.h>
#include <stdlib.h>

#define LOG "./audit.log"

int main(void)
{
        auparse_state_t *au;
        char *error = NULL;
        char expr[1024];

        snprintf(expr, sizeof(expr),
                "(auid >= 500 && auid <= 5000)"); 
                //"(\\record_type >= 1130 && \\record_type <= 1140)");

        au = auparse_init(AUSOURCE_FILE, LOG);
        if (ausearch_add_expression(au, expr, &error, AUSEARCH_RULE_CLEAR)) {
                fprintf(stderr, "Criteria error: %s\n", error);
                free(error);
        }
        while (ausearch_next_event(au) > 0) {
                int i_auid, serial;
                const char *auid;
                int type = auparse_get_type(au);
                auid = auparse_find_field(au, "auid");
                if (auid) {
                        i_auid = auparse_get_field_int(au);
                        serial = auparse_get_serial(au);
                        printf("type:%d, auid:%d serial:%d\n",
                                        type, i_auid, serial);
                }
        }
        auparse_destroy(au);
        return 0;
}
Comment 5 Steve Grubb 2017-10-10 19:59:56 UTC 
audit-2.8-1.el7 was built to resolve this issue.
Comment 10 errata-xmlrpc 2018-04-10 12:18:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0760