Bug 483608

Summary: audit updates for 5.4
Product: Red Hat Enterprise Linux 5
Reporter: Steve Grubb <sgrubb>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Docs Contact:
Priority: medium
Version: 5.4
CC: ofourdan, ohudlick, rlerch, tao
Target Milestone: rc
Keywords: Rebase
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
The audit package has been updated to version 1.7.13. This update provides many bugfixes and enhancements, most notably:

* audit can now handle interlaced records.

* On bi-arch systems, a warning is now emitted if audit rules do not cover both 64 & 32 bit system calls of the same name. This warning is designed to assist troubleshooting audit rules.
Last Closed: 2009-09-02 09:50:23 UTC
Type: ---

Description Steve Grubb 2009-02-02 16:15:57 UTC
Description of problem:
The audit system needs some updates for the 5.4 release:

1) The user space audit tools cannot handle interlaced records
2) The display of TTY audit events doesn't work too well
3) Remote logging needs many improvements
4) On busy systems, loop a few times when checking for the event ACK
5) On biarch systems, warn if audit rules don't cover both 64 & 32 bit syscalls
6) Add definitions for crypto events
7) Fix regression where msgtype couldn't be used for a range of types
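
Item 5 can also be checked offline against a rules file. The following is an added example, not code from the audit package and not auditctl's own check: it reads rules in auditctl syntax and lists syscall names that are named for only one of `arch=b32` / `arch=b64`. The sample rules, keys and function names are constructed for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample rules in auditctl syntax (not taken from the bug report).
SAMPLE_RULES = """\
# time changes: both ABIs covered
-a always,exit -F arch=b64 -S settimeofday -S adjtimex -k time-change
-a always,exit -F arch=b32 -S settimeofday -S adjtimex -k time-change
# permission changes: the 32-bit ABI is not covered
-a always,exit -F arch=b64 -S chmod,fchmod -F auid>=500 -k perm-mod
# a file watch has no -S and is not arch-specific
-w /etc/shadow -p wa -k shadow
"""

ARCHES = {"b32", "b64"}

def syscall_coverage(rules_text):
    """Map each syscall name to the set of arch values its rules name."""
    seen = defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        arch, names = None, []
        for opt, val in zip(tokens, tokens[1:]):
            if opt == "-F" and val.startswith("arch="):
                arch = val.split("=", 1)[1]
            elif opt == "-S":
                names.extend(val.split(","))  # accepts -S a -S b and -S a,b
        for name in names:
            seen[name].add(arch)  # arch stays None when the rule has no -F arch
    return seen

def one_sided(rules_text):
    """Return {syscall: missing arches} for names covered on only one ABI."""
    gaps = {}
    for name, arches in syscall_coverage(rules_text).items():
        missing = ARCHES - arches
        if missing and missing != ARCHES:  # rules with no arch are not reported
            gaps[name] = sorted(missing)
    return gaps

if __name__ == "__main__":
    for name, missing in sorted(one_sided(SAMPLE_RULES).items()):
        print(f"WARNING: {name} has no rule for arch={','.join(missing)}")
```

Matching is by syscall name only, as in the item above; it does not compare the other fields or keys of the two rules.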

Comment 5 Steve Grubb 2009-04-14 18:41:47 UTC
There was another bz filed, 495711, which found a regression in the audit rules. Need to make sure that errata testing includes running the SGI test suite from their eval since it caught the problem. The current upstream audit package has this bug fixed, but we just need to make sure it stays fixed.

Comment 6 Steve Grubb 2009-04-22 21:26:45 UTC
audit-1.7.13-1 was built for this issue.

Comment 11 Steve Grubb 2009-06-26 16:05:36 UTC
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
The audit package was rebased to the newer upstream version 1.7.13. A couple of the bug fixes that it provides include:

* The user space audit tools could not handle interlaced records.

* On biarch system, a warning is now emitted if audit rules don't cover both 64 & 32 bit syscalls of the same name. This is to aid in finding rules that are not auditing what was intended.

Comment 12 Ryan Lerch 2009-06-29 04:16:58 UTC
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,5 +1,5 @@
-The audit package was rebased to the newer upstream version 1.7.13. A couple of the bug fixes that it provides include:
+The audit package has been updated to version 1.7.13. This update provides many bugfixes and enhancements, most notably:
 
-* The user space audit tools could not handle interlaced records.
+* audit can now handle interlaced records.
 
-* On biarch system, a warning is now emitted if audit rules don't cover both 64 & 32 bit syscalls of the same name. This is to aid in finding rules that are not auditing what was intended.+* On bi-arch systems, a warning is now emitted if audit rules do not cover both 64 & 32 bit system calls of the same name. This warning is designed  to assist troubleshooting audit rules.
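Review bot: the replacement for the second bullet drops the reason the warning matters. The removed line said it helps find rules that "are not auditing what was intended"; "assist troubleshooting audit rules" no longer tells an administrator that a rule naming only one of the 64 or 32 bit calls is not auditing the other, so I would keep that clause. In the first bullet, "audit can now handle" loses the "user space audit tools" scope of the removed line, and "designed  to" in the new second bullet has a doubled space.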

Comment 15 errata-xmlrpc 2009-09-02 09:50:23 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1303.html