Bug 1713432
Summary: | useradd audit event user id field cannot be interpreted
---|---
Product: | Red Hat Enterprise Linux 8
Component: | shadow-utils
Version: | 8.0
Status: | CLOSED ERRATA
Severity: | medium
Priority: | high
Reporter: | Steve Grubb <sgrubb>
Assignee: | Tomas Mraz <tmraz>
QA Contact: | Martin Zelený <mzeleny>
CC: | dapospis, mzeleny, ssorce, tmraz
Keywords: | Triaged
Flags: | ssorce: mirror+
Target Milestone: | rc
Target Release: | 8.1
Hardware: | Unspecified
OS: | Unspecified
Fixed In Version: | shadow-utils-4.6-8.el8
Doc Type: | If docs needed, set a value
Last Closed: | 2019-11-05 22:28:30 UTC
Type: | Bug
Bug Blocks: | 1510124

Comment on attachment 1572611
Patch to fix issue
Makes sense.
> The new record has acct="user18274" and does not have ID.
> Is this test sufficient? Thanks.
Yes, it is.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:3618
Created attachment 1572611
Patch to fix issue

Description of problem:
When useradd sends its ADD_USER event, it is filling in the id field. This is not yet written to disk. When auditd sees the event and the log format is enriched, auditd tries to look up the user name but it does not exist. This causes the event to never be resolvable since ausearch relies on the lookup information attached by auditd.

The fix is to not send the id information for any event until after close_files() is called. Just the acct field is all that is needed to fix the problem. Will attach a patch that corrects the issue.

Version-Release number of selected component (if applicable):
shadow-utils-4.6-7.el8

Steps to Reproduce:
1. useradd -c iam2 -G wheel iam2
2. ausearch --start recent -i -m ADD_USER
3. Observe id field says unknown(1002) or some other number

Expected results:
No unknown results. It should switch to show acct=someone
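
An added example, not part of the bug report or the shadow-utils patch: a Python scan that picks out ADD_USER records left in the unresolvable state described above and skips records that carry only acct=. The sample records are constructed, and the layout of the enriched log format (raw fields, a 0x1d byte, then upper-case resolved names) is an assumption of this sketch.

```python
import re

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
EVENT = re.compile(r"audit\(([^)]*)\)")      # timestamp:serial of the event

# Constructed sample records (not taken from the bug report).
SAMPLE = [
    # Old behaviour: id= is sent before the account is written to disk.
    "type=ADD_USER msg=audit(1558000000.100:501): pid=4101 uid=0 auid=1000 "
    "msg='op=add-user id=1002 exe=\"/usr/sbin/useradd\" res=success'"
    "\x1dUID=\"root\" AUID=\"admin\" ID=\"unknown(1002)\"",
    # Fixed behaviour: only acct= is sent, so there is nothing to look up.
    "type=ADD_USER msg=audit(1558000100.200:502): pid=4150 uid=0 auid=1000 "
    "msg='op=add-user acct=\"iam2\" exe=\"/usr/sbin/useradd\" res=success'"
    "\x1dUID=\"root\" AUID=\"admin\"",
    # The old-style event again, in the form `ausearch -i` prints it.
    "type=ADD_USER msg=audit(05/16/2019 09:46:40.100:501) : pid=4101 uid=root "
    "auid=admin msg='op=add-user id=unknown(1002) exe=/usr/sbin/useradd res=success'",
    # Constructed contrast case: an id that resolved when the event was logged.
    "type=ADD_USER msg=audit(1558000200.300:503): pid=4200 uid=0 auid=1000 "
    "msg='op=add-user id=1001 exe=\"/usr/sbin/useradd\" res=success'"
    "\x1dUID=\"root\" AUID=\"admin\" ID=\"alice\"",
]

def unresolvable_add_user(lines):
    """Return (event, shown_id) for ADD_USER records whose id has no name."""
    hits = []
    for line in lines:
        raw, _, enriched = line.partition("\x1d")
        fields = dict(FIELD.findall(raw))
        if fields.get("type") != "ADD_USER" or "id" not in fields:
            continue  # other record types, or the acct=-only fixed form
        names = dict(FIELD.findall(enriched))
        # Prefer the name auditd attached; a bare numeric id with no attached
        # name (raw log format) is not flagged, ausearch resolves it later.
        shown = names.get("ID", fields["id"]).strip("\"'")
        if shown.startswith("unknown("):
            hits.append((EVENT.search(raw).group(1), shown))
    return hits

if __name__ == "__main__":
    for event, shown in unresolvable_add_user(SAMPLE):
        print(f"ADD_USER event {event}: id shown as {shown}")
```
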