Bug 235398
| Summary: | LSPP: ausearch does not correctly find out of order records | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Loulwa Salem <loulwa> | ||||||||
| Component: | audit | Assignee: | Steve Grubb <sgrubb> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | high | ||||||||||
| Version: | 5.0 | CC: | cward, dmair, iboverma, krisw, ldolihal, linda.knippers, ltcgcw, ohudlick, ramsdell, rlerch, rpacheco, tao | ||||||||
| Target Milestone: | --- | Keywords: | OtherQA | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: |
the user-space audit tools ausearch and aureport are used to search audit records. They did not take into account that records of one event could be interlaces with records of another event. The logic for these applications has been corrected to separate events into linked lists and better determine the end of events based on the records of just the event in question. Both ausearch and aureport can now handle events with interlaced records.
|
Story Points: | --- | ||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2009-09-02 09:50:15 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 391501 | ||||||||||
| Attachments: |
|
||||||||||
|
Description
Loulwa Salem
2007-04-05 15:48:39 UTC
Created attachment 151770 [details]
Log file that provides expected ausearch results
Created attachment 151771 [details]
Log file that does not provide expected ausearch results
This is true and that's the current design since RHEL4. The TODO file in the audit package documents that its scheduled to be fixed sometime around 1.5.3/4 version in auparse library and then ausearch/report reworked to use the auparse library. It is targeted for RHEL5.1 delivery. kweidner will ask the evaluator if this is OK for the LSPP evaluation. A workaround might be to sort audit trail and pipe to ausearch. I tried the workaround (sorting on the 2nd field) and it seemed to work. Removing from LSPP dependency list, but is still scheduled to be fixed in RHEL5.1. Created attachment 159943 [details]
Script to be used until this bug is fixed
This is a script that performs a stable sort on audit records by serial number,
for use until the bug is fixed.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. ----- Additional Comments From aoolatun.com 2007-10-24 10:46 EDT ------- Mr Grubb I was able to recreate the problem(Steps to Reproduce) on RHEL5.1 on a machine with uname -a : Linux ppc64n-lp1.ltc.austin.ibm.com 2.6.18-45.el5 #1 SMP Tue Sep 4 17:06:15 EDT 2007 ppc64 ppc64 ppc64 GNU/Linux I also ran the tests as described in the problem description, when i ran the first test: ausearch -c python -if ausearch-good-audit.log The results I obtained were for 3 types "CWD, AUC_PATH AND SYSCALL" I then ran the second test: ausearch -c python -if ausearch-bad-audit.log The result I obtained was for only 1 type "SYSCALL" I was hoping you could please point me in the right direction on what next to do to resolve this bug. Thank you. This event sent from IssueTracker by jkachuck issue 118126 What needs to happen is the problem be fixed in the auparse library and then ausearch re-written to use auparse. The fix in auparse is to create linked lists of the event linked lists and apply aging rules to them to decide which ones are complete. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. Ausearch has finally be fixed in svn to reassembled audit events. The fix will be released in the audit 1.7.10 package. audit-1.7.13-1 was built to solve this problem. Linda, Can I ask you the obvious, test and report results here? Thanks! Ron Ron, Loulwa filed the bugzilla so perhaps you should be asking her? Is the package with the fix is only in rawhide right now? I don't have a fedora system to test on at the moment but when I do and if Loulwa or one of the other contributors to this bug hasn't checked it out, I'll give it a try. -- ljk Linda, Apologies for the lack of specificity. This is slated for the 5.4 alpha. We would like both IBM and HP to test as we want to ensure that 1) we resolve the reported bug and 2) did not cause regressions in the process. Thanks in advance for your testing and results. ;-) Ok, we'll be looking for the alpha. I believe that RH is also running our audit test suite so hopefully that will spot any possible regressions. -- ljk HP, IBM, Alpha bits are now available. Please test and report back your initial results. Your support here is greatly appreciated. ~~ Attention Partners RHEL 5.4 Partner Alpha Released! ~~ RHEL 5.4 Partner Alpha has been released on partners.redhat.com. There should be a fix present that addresses this particular request. Please test and report back your results here, at your earliest convenience. Our Public Beta release is just around the corner! If you encounter any issues, please set the bug back to the ASSIGNED state and describe the issues you encountered. If you have verified the request functions as expected, please set your Partner ID in the Partner field above to indicate successful test results. Do not flip the bug status to VERIFIED. Further questions can be directed to your Red Hat Partner Manager. Thanks! I tested this using Loulwa's original audit logs on the rhel5.4 alpha and it seems to work. I didn't try generating new, out of order, audit logs but I assume that would work as well. -- ljk Thanks for the testing, Linda! I tried this with RHEL 5.4 Snap 5 on a ppc64 LPAR. The bug appears to be fixed. I think we can finally close it. Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: the user-space audit tools use ausearch to search audit records. Ausearch does not contain logic to handle event-linked lists and previously, could not find records if they were out of chronological order. The logic to link these lists together and evaluate whether the list is complete is now available in the auparse library. Ausearch now uses auparse to handle these lists so that it can find records even when they are out of order. Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,6 +1 @@ -the user-space audit tools use ausearch to search audit records. Ausearch +the user-space audit tools ausearch and aureport are used to search audit records. They did not take into account that records of one event could be interlaces with records of another event. The logic for these applications has been corrected to separate events into linked lists and better determine the end of events based on the records of just the event in question. Both ausearch and aureport can now handle events with interlaced records.-does not contain logic to handle event-linked lists and previously, could -not find records if they were out of chronological order. The logic to link -these lists together and evaluate whether the list is complete is now -available in the auparse library. Ausearch now uses auparse to handle these -lists so that it can find records even when they are out of order. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1303.html |