Bug 697013

Summary: audit package rebase
Product: Red Hat Enterprise Linux 5
Reporter: Steve Grubb <sgrubb>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: medium
Priority: high
Version: 5.6
CC: omoris
Target Milestone: rc
Keywords: Rebase
Hardware: All
OS: Linux
Fixed In Version: audit-1.8-1.el5
Doc Type: Rebase: Bug Fixes and Enhancements
Last Closed: 2012-02-21 06:38:04 UTC

Description Steve Grubb 2011-04-15 15:20:18 UTC
Description of problem:
There have been many improvements in performance, usability, robustness, and most importantly...getting remote logging to have a persistent queue. I can detail the individual improvements in a later comment.

Comment 4 Steve Grubb 2011-10-27 15:37:32 UTC
audit-1.8-1.el5 was built to address this problem.

Comment 5 Steve Grubb 2011-10-28 13:13:33 UTC
This rebase contains the following improvements:
- Performance improvements for ausearch/report
- Fix debug output resolving numeric address
- Fix memory leak in aureport
- Fix parsing state problem in libauparse
- Add new event types
- Improve the robustness of libaudit field encoding functions
- In auparse, add ability to interpret session and capabilities
- Report server issues to remote client
- Update ausearch parsing
- Update auparse to handle virt events
- Make audisp-remote robust
- Add 2 error returns to python bindings
- Update the man pages a little
- Add some debug info to audisp-remote startup and shutdown
- In auditd, if disk_error_action is ignore, limit syslog messages to 5
- Fix some memory leaks

Comment 7 Ondrej Moriš 2011-11-23 21:44:38 UTC
Steve, could you give me some specific testing instructions for QE? What needs to be tested here? It seems that we have a lot of improvements here. It would be great if you could go through the list in Comment #5 and append a line or two to explain a particular improvement. Thanks!

Comment 8 Ondrej Moriš 2011-12-06 10:16:45 UTC
Steve, ping. Could we have a more detailed description of the list in Comment #5? Tomorrow is the deadline for QE to verify this rebase (it should be fine in Beta) and I still have only a rough idea how to test it.

Comment 9 Steve Grubb 2011-12-06 19:36:46 UTC
Almost all of these updates are directly from the audit-2.x branch with little or no changes. So, in a way, they have been tested. But you never know when a patch is off by a couple of lines. :) This page shows the commits if it's any help:
https://fedorahosted.org/audit/log/branches/1.8/ChangeLog

- Performance improvements for ausearch/report - not testable other than being unable to find things previously searchable.

- Fix debug output resolving numeric address - if you used name_format=FQD and it could not resolve it, then the error message was wrong.
https://fedorahosted.org/audit/changeset/430

- Fix memory leak in aureport - not really testable
https://fedorahosted.org/audit/changeset/475

- Fix parsing state problem in libauparse - not sure how to test it. But it was clearly wrong code: https://fedorahosted.org/audit/changeset/478

- Add new event types - RHEL5 is not really using them, but if it were an aggregating server for RHEL6 then you might want to search on them. These are mostly related to iptables updates.
https://fedorahosted.org/audit/changeset/484

- Improve the robustness of libaudit field encoding functions - this was a bz where passing a NULL value to audit_value_needs_encoding, audit_encode_value, or audit_encode_nv_string would segfault the caller.
https://fedorahosted.org/audit/changeset/484#file4

- In auparse, add ability to interpret session and capabilities
https://fedorahosted.org/audit/changeset/486

- Report server issues to remote client - this was the disk error transmission between server and client.
https://fedorahosted.org/audit/changeset/574

- Update ausearch parsing
https://fedorahosted.org/audit/changeset/486
https://fedorahosted.org/audit/changeset/442

- Update auparse to handle virt events
https://fedorahosted.org/audit/changeset/575

- Make audisp-remote robust - this adds the persistent queue
https://fedorahosted.org/audit/changeset/585

- Add 2 error returns to python bindings
https://fedorahosted.org/audit/changeset/587

- Update the man pages a little
https://fedorahosted.org/audit/changeset/589

- Add some debug info to audisp-remote startup and shutdown - this adds queue size information
https://fedorahosted.org/audit/changeset/591

- In auditd, if disk_error_action is ignore, limit syslog messages to 5. This was the last thing we worked on RHEL6. We probably need to make it match.
https://fedorahosted.org/audit/changeset/595

- Fix some memory leaks - not really testable
https://fedorahosted.org/audit/changeset/596
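
The libaudit item in Comment 9 (a NULL passed to audit_value_needs_encoding, audit_encode_value, or audit_encode_nv_string crashing the caller) is a missing-NULL-guard problem in field-encoding helpers. The sketch below is an added example, not part of the bug report and not libaudit's source: the `ex_*` functions, the byte rule that triggers hex encoding, and the `?` placeholder are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative, not libaudit source. Assumed rule: '"', bytes < 0x21 or > 0x7E. */
int ex_needs_encoding(const char *str, size_t size)
{
    if (str == NULL)                 /* NULL means nothing to encode */
        return 0;
    for (size_t i = 0; i < size; i++) {
        unsigned char c = (unsigned char)str[i];
        if (c == '"' || c < 0x21 || c > 0x7E)
            return 1;
    }
    return 0;
}

/* Hex-encode buf into out (2*size+1 bytes); NULL out -> NULL, NULL buf -> "". */
char *ex_encode_value(char *out, const char *buf, size_t size)
{
    static const char hex[] = "0123456789ABCDEF";
    char *p = out;
    if (out == NULL)
        return NULL;
    for (size_t i = 0; buf != NULL && i < size; i++) {
        *p++ = hex[(unsigned char)buf[i] >> 4];
        *p++ = hex[buf[i] & 0x0F];
    }
    *p = '\0';
    return out;
}

/* name="value" or name=HEX, caller frees; NULL value becomes "?" here. */
char *ex_encode_nv(const char *name, const char *value)
{
    if (name == NULL)
        return NULL;
    if (value == NULL)
        value = "?";
    size_t vlen = strlen(value), cap = strlen(name) + 2 * vlen + 4;
    char *s = malloc(cap);
    if (s == NULL)
        return NULL;
    if (ex_needs_encoding(value, vlen))
        ex_encode_value(s + snprintf(s, cap, "%s=", name), value, vlen);
    else
        snprintf(s, cap, "%s=\"%s\"", name, value);
    return s;
}
```

A regression test for this class of fix calls each helper with NULL in every pointer position and checks that it returns instead of faulting.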

Comment 10 Ondrej Moriš 2011-12-07 00:23:29 UTC
Thanks Steve, this is what I was looking for. Fortunately, there is not much to be tested and those changes seem not to be risky. I went through the list looking into the code and it looks very good. I have to double check a few things in audit-remote plug-in, but for now, I can honestly switch this bug into SanityOnly verified state.

I will put it into VERIFIED as long as all testing will be done.

Comment 11 errata-xmlrpc 2012-02-21 06:38:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0265.html