Bug 983711

Summary: Include audit package included in distribution
Product: [Red Hat Storage] Red Hat Gluster Storage
Component: distribution
Version: unspecified
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: high
Reporter: Bob Buckley <bbuckley>
Assignee: Anthony Towns <atowns>
QA Contact: Rejy M Cyriac <rcyriac>
CC: flanagan, rcyriac, rhs-bugs, shaines, surs
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-09-23 22:32:15 UTC

Description Bob Buckley 2013-07-11 18:27:49 UTC
Description of problem: audit_libs are included in distribution but not audit package itself and it is required by customer for security policy.  Customer does not want to be left to select version to load since it could affect support stature.

Version-Release number of selected component (if applicable): Noted on 2.0 but also missing from 2.1


How reproducible: N/A


Steps to Reproduce: N/A

Comment 2 Anthony Towns 2013-08-06 02:31:20 UTC
audit should be included as of RHS-2.1-20130805.n.0

Comment 3 Rejy M Cyriac 2013-08-07 08:17:29 UTC
Verified.

'audit' packages are available, 'auditd' is set to run at boot, 'auditd' is running on system, and log file exists.

----------------------------------------------------------------

# cat /etc/redhat-storage-release 
Red Hat Storage Server 2.1

# rpm -qa | grep audit
audit-2.2-2.el6.x86_64
audit-libs-2.2-2.el6.x86_64
audit-libs-python-2.2-2.el6.x86_64

# service auditd status
auditd (pid  8753) is running...

# chkconfig --list auditd
auditd         	0:off	1:off	2:on	3:on	4:on	5:on	6:off

# ps aux | grep audit |  grep -v grep
root      1248  0.0  0.0      0     0 ?        S    05:19   0:00 [kauditd]
root      1532  0.0  0.0  27656   888 ?        S<sl 05:20   0:00 auditd

# ls -l /var/log/audit/audit.log 
-rw------- 1 root root 174127 Aug  7 08:01 /var/log/audit/audit.log

----------------------------------------------------------------

Basic functional check performed using 'auditctl' and 'ausearch' commands.

----------------------------------------------------------------

# auditctl -w /etc/shadow -p wa -k shadow_change

# auditctl -l
LIST_RULES: exit,always watch=/etc/shadow perm=wa key=shadow_change

# passwd root
....
passwd: all authentication tokens updated successfully.

# ausearch -k shadow_change
----
time->Wed Aug  7 08:07:29 2013
type=CONFIG_CHANGE msg=audit(1375843049.672:285): auid=0 ses=3 op="add rule" key="shadow_change" list=4 res=1
----
time->Wed Aug  7 08:07:47 2013
type=PATH msg=audit(1375843067.097:287): item=4 name="/etc/shadow" inode=3670993 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=3 name="/etc/shadow" inode=3671712 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=2 name="/etc/nshadow" inode=3670993 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=1 name="/etc/" inode=3670017 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=0 name="/etc/" inode=3670017 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1375843067.097:287):  cwd="/root"
type=SYSCALL msg=audit(1375843067.097:287): arch=c000003e syscall=82 success=yes exit=0 a0=7fa4d9346aa3 a1=7fa4d9346a97 a2=7fa4e0c88ed8 a3=0 items=5 ppid=2978 pid=5175 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="passwd" exe="/usr/bin/passwd" key="shadow_change"
----
time->Wed Aug  7 08:07:47 2013
type=CONFIG_CHANGE msg=audit(1375843067.097:286): auid=0 ses=3 op="updated rules" path="/etc/shadow" key="shadow_change" list=4 res=1

# auditctl -D
No rules

# auditctl -l
No rules

----------------------------------------------------------------

Comment 4 Scott Haines 2013-09-23 22:32:15 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. 

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1262.html