Bug 1476406

Summary: Audit package rebase
Product: Red Hat Enterprise Linux 7
Reporter: Steve Grubb <sgrubb>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: medium
Docs Contact: Mirek Jahoda <mjahoda>
Priority: medium
Version: 7.5
CC: hannsj_uhl, mjahoda, omoris, sgrubb
Target Milestone: rc
Keywords: Rebase
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: audit-2.8.1-2.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_audit_ rebased to version 2.8.1

The _audit_ packages have been upgraded to upstream version 2.8.1, which provides a number of bug fixes and enhancements over the previous version. Notable changes are:

* Added support for ambient capability fields.
* The *Audit* daemon now works also on IPv6.
* Added the default port to the `auditd.conf` file.
* Fixed the *auvirt* tool to report Access Vector Cache (AVC) messages.
Story Points: ---
Clone Of:
: 1490387
Environment:
Last Closed: 2018-04-10 12:18:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 929234, 968303, 982154, 1101605, 1399314, 1406887, 1448526, 1455598, 1475998, 1478516, 1478517, 1478521, 1478528, 1478533, 1478543, 1479911, 1479914, 1482121, 1487352, 1716002, 1741182, 1966454    
Bug Blocks: 1490387    

Description Steve Grubb 2017-07-28 21:53:46 UTC
Description of problem:
The audit package needs to be rebased to pick up various bug fixes, support kernel work, and to add a few new capabilities.

Bugs that are currently fixed and need to be picked up:
* Auparse python bindings had numerous issues: return codes not right, add bindings for auparse_normalize_subject_kind, AUSOURCE_DESCRIPTOR data source was not working (important for audisp plugin use)
* Auparse had issues with: doing unnecessary euid check, and some adjustments in auparse_normalize
* aureport was missing anom_abend & seccomp events in anomaly report, it was also not reporting the auid in the login report
* Auditd would not start if a domain name could not be verified for mail delivery; this needed to be optional in case the DNS entry had no A record. The umask was not being restored after creating a log file. Auditd was making audispd exit when it was in enriched mode and client machines were in raw mode. Audispd saw malformed records.

Items scheduled to round out the audit system:
* Auparse_normalizer adjustments to support kernel events missing expected fields.
* Ausearch text mode output adjustments for clarity
* Support for new FANOTIFY Auxiliary record
* Fix remote logging protocol bug where they won't reconnect
* Work up individual queues for audisp plugins so one slow plugin can't back up auditd queues.
* Fix both bz filed against auvirt
* Work on non-equality comparisons for ausearch API of auparse.
* Plus bugs reported as people start to use the new audit enhancements for 7.4.

Comment 1 Steve Grubb 2017-10-10 20:01:37 UTC
audit-2.8-1.el7 was built to resolve this issue.

Comment 9 errata-xmlrpc 2018-04-10 12:18:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0760