Bug 1625156

Summary: audisp-remote does not connect when remote ending action is not set to 'reconnect'
Product: Red Hat Enterprise Linux 7
Reporter: Ondrej Moriš <omoris>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: medium
Priority: medium
Version: 7.6
Keywords: Regression
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: audit-2.8.5-1.el7
Last Closed: 2019-08-06 13:03:45 UTC
Type: Bug
Bug Blocks: 1256920

Description Ondrej Moriš 2018-09-04 09:30:57 UTC
Description of problem:

When using the audisp-remote plugin for audit remote logging, the connection from client to server is established only if the client sets 'reconnect' as the remote ending action. With other settings the connection fails.

Version-Release number of selected component (if applicable):

audit-2.8.4-4.el7

How reproducible:

100%

Steps to Reproduce:

0. Generate and alter sample message for testing
   (a) auditctl -m "ABC"
   (b) ausearch -m USER -r | tail -1 >test.msg
   (c) sed -i 's/ABC/DEF/' test.msg
   
1. Let the machine be both client and server for audit remote logging
   (a) add tcp_listen_port = 60 to /etc/audit/auditd.conf
   (b) add remote_server = 127.0.0.1 to /etc/audisp/audisp-remote.conf
   (c) add port = 60 to /etc/audisp/audisp-remote.conf
   (d) add remote_ending_action = ignore to /etc/audisp/audisp-remote.conf

2. Restart the auditd service
   (a) service auditd restart

3. Act as a client and send the message to the server via audisp-remote
   (a) ( cat test.msg; sleep 5 ) | audisp-remote

4. Check that the message arrived, and check /var/log/messages too.
   (a) grep audisp-remote /var/log/messages | tail -3
   (b) ausearch -ts recent -m USER

Expected results:

/var/log/messages contains "Connected to 127.0.0.1":

audisp-remote: Audisp-remote started with queue_size: 0
audisp-remote: Connected to 127.0.0.1
audisp-remote: audisp-remote is exiting on stop request, queue_size: 0

both the original and the remote message are logged:
----
time->Tue Sep  4 05:15:29 2018
type=USER msg=audit(1536052529.347:405): pid=10766 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='ABC exe="/usr/sbin/auditctl" hostname=qeos-57.lab.eng.rdu2.redhat.com addr=? terminal=pts/0 res=success'
----
time->Tue Sep  4 05:15:29 2018
type=USER msg=audit(1536052529.347:405): pid=10766 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='DEF exe="/usr/sbin/auditctl" hostname=qeos-57.lab.eng.rdu2.redhat.com addr=? terminal=pts/0 res=success'

Actual results:

audisp-remote does not connect:

audisp-remote: Audisp-remote started with queue_size: 0
audisp-remote: audisp-remote is exiting on stop request, queue_size: 1

the remote message is missing:
----
time->Tue Sep  4 05:25:46 2018
type=USER msg=audit(1536053146.045:415): pid=11321 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='ABC exe="/usr/sbin/auditctl" hostname=qeos-57.lab.eng.rdu2.redhat.com addr=? terminal=pts/0 res=success'

Additional info:

 * when remote_ending_action is set to reconnect, the scenario
   works as expected
 * when remote_ending_action is set to something else, it
   has no effect, i.e. the syslog action causes no syslog messages,
   the halt action does not cause a daemon halt, etc.
 * in audit-2.8.1-3 it worked fine
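As an added example (not part of this report or of the audit project), the following shell helper applies the check from step 4 above to constructed sample log lines modelled on the quoted output: it reports whether audisp-remote connected and whether events were left in its queue at exit, and extracts the configured remote_ending_action so the two can be correlated. The log lines, host name and timestamps are constructed.

```shell
# Constructed sample sessions, modelled on the /var/log/messages lines
# quoted in the report (timestamps and host name are made up).
GOOD_LOG='Sep  4 05:15:29 host audisp-remote: Audisp-remote started with queue_size: 0
Sep  4 05:15:29 host audisp-remote: Connected to 127.0.0.1
Sep  4 05:15:34 host audisp-remote: audisp-remote is exiting on stop request, queue_size: 0'
BAD_LOG='Sep  4 05:25:46 host audisp-remote: Audisp-remote started with queue_size: 0
Sep  4 05:25:51 host audisp-remote: audisp-remote is exiting on stop request, queue_size: 1'

# check_remote_log: reads one audisp-remote session from stdin (for example
# the output of `grep audisp-remote /var/log/messages | tail -3`) and prints
# "ok" when a "Connected to" line is present and the plugin exited with an
# empty queue. Otherwise it prints a diagnosis and returns non-zero; a
# non-zero queue_size at exit means events were never delivered to the server.
check_remote_log() {
    log=$(cat)
    connected=$(printf '%s\n' "$log" | grep -c 'audisp-remote: Connected to ' || true)
    queued=$(printf '%s\n' "$log" |
        sed -n 's/.*exiting on stop request, queue_size: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    queued=${queued:-0}
    if [ "$connected" -gt 0 ] && [ "$queued" -eq 0 ]; then
        echo "ok"
        return 0
    elif [ "$connected" -eq 0 ]; then
        echo "not connected: $queued event(s) left in queue at exit"
        return 1
    else
        echo "connected but $queued event(s) left in queue at exit"
        return 2
    fi
}

# ending_action: reads audisp-remote.conf from stdin and prints the effective
# remote_ending_action (the last uncommented setting), or "unset", so a
# "not connected" result can be correlated with the value this bug depends on.
ending_action() {
    v=$(sed -n 's/^[[:space:]]*remote_ending_action[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' | tail -n 1)
    echo "${v:-unset}"
}

# Stand-alone demonstration on the constructed sessions and a constructed config.
printf '%s\n' "$GOOD_LOG" | check_remote_log || true
printf '%s\n' "$BAD_LOG" | check_remote_log || true
printf 'remote_server = 127.0.0.1\nport = 60\nremote_ending_action = ignore\n' | ending_action
```

On a real host, feed the function `grep audisp-remote /var/log/messages | tail -3` and `ending_action </etc/audisp/audisp-remote.conf`.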

Comment 4 Steve Grubb 2018-12-06 20:34:44 UTC
This is fixed by upstream commit e9d9c15.

Comment 5 Steve Grubb 2019-03-05 18:02:40 UTC
audit-2.8.5-1.el7 was built to address this issue.

Comment 9 errata-xmlrpc 2019-08-06 13:03:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2191