Bug 1032706 - Use --input-logs when calling ausearch
Summary: Use --input-logs when calling ausearch
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sos
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Bryn M. Reeves
QA Contact: David Kutálek
URL:
Whiteboard:
Depends On: 1005202
Blocks:
Reported: 2013-11-20 15:42 UTC by Keith Robertson
Modified: 2016-07-04 01:34 UTC
CC: 9 users

Fixed In Version: sos-2.2-55.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2014-10-14 07:22:38 UTC
Target Upstream Version:
Embargoed:

Links
System: Red Hat Product Errata
ID: RHBA-2014:1528
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: sos bug fix and enhancement update
Last Updated: 2014-10-14 01:22:00 UTC

Description Keith Robertson 2013-11-20 15:42:28 UTC
Description of problem:
ausearch requires a TTY to run.  When running sosreport remotely (e.g. via SSH) a TTY may not always be present.  In these scenarios, the execution of the selinux plug-in's ausearch call [1] needs to be gated by a call to Python's 'os.isatty()' function.

Version-Release number of selected component (if applicable):
All

How reproducible:
Very

Steps to Reproduce:
Run sosreport from SSH with and without the tty option ("-t").


Additional info:
If the following line in the selinux plug-in [1] is called without a tty check, sosreport will hang.

[1] self.collectExtOutput("ausearch -m avc,user_avc -ts today")

Comment 2 Bryn M. Reeves 2013-11-20 16:23:37 UTC
Thanks for the report. This was noted by the RHEV folks in bug 1010472 and is reported as audit bug 1005202.

I'm reluctant to add an isatty() check to sos right now since the ausearch problem is not fully understood (ausearch hanging is not expected behaviour) so we risk losing potentially useful information on systems that may not even be affected if a fix is made to the ausearch tool.

I think the changes proposed in bug 1005703 will help this in the meantime however - by running all commands under the timeout program we'll at least exit cleanly once the timeout expires and return the rest of the report. Unfortunately that's not scheduled to land until 6.6.

For now the best option is probably to either disable the plugin or request a tty when running in an ssh session.

Comment 3 Keith Robertson 2013-11-20 18:13:43 UTC
(In reply to Bryn M. Reeves from comment #2)
> Thanks for the report. This was noted by the RHEV folks in bug 1010472 and
> is reported as audit bug 1005202.
> 
> I'm reluctant to add an isatty() check to sos right now since the ausearch
> problem is not fully understood (ausearch hanging is not expected behaviour)
> so we risk losing potentially useful information on systems that may not
> even be affected if a fix is made to the ausearch tool.
> 
> I think the changes proposed in bug 1005703 will help this in the meantime
> however - by running all commands under the timeout program we'll at least
> exit cleanly once the timeout expires and return the rest of the report.
> Unfortunately that's not scheduled to land until 6.6.
> 
> For now the best option is probably to either disable the plugin or request
> a tty when running in an ssh session.

SSH is an example of a case where it is possible to request a TTY.  There are other use cases (e.g. calling SoS from Java) where it is not possible to request a TTY.  As such, it would be beneficial for the plug-in to detect this condition and execute everything except that command.

Comment 4 Bryn M. Reeves 2013-11-20 19:10:19 UTC
In that case you probably want to wait for either the timeout support or a fixed ausearch (and then depend on the package version of either sos or audit).

Comment 5 Florian Weimer 2013-11-21 07:49:28 UTC
I had a quick look at the ausearch source code, and these are the results:

ausearch doesn't need a TTY; it alters its behavior if the input is a pipe.  This is documented behavior, mentioned in the manpage:

    --input-logs
        Use  the log file location from auditd.conf as input for search‐
        ing. This is needed if you are using ausearch from a cron job.

Therefore, your issue should go away if you call ausearch with the --input-logs option.

Comment 6 Bryn M. Reeves 2013-11-21 11:00:09 UTC
Thanks Florian - this sounds like a much better option to allow TTYless sos runs to complete. I'll test this out here and get a fix upstream.

Looking at the ausearch source, this is certainly intended - --input-logs sets the force_logs global, which changes the behaviour in aureport.c's main():

        if (user_file)
                rc = process_file(user_file);
        else if (force_logs)
                rc = process_logs(&config);
        else if (is_pipe(0))
                rc = process_stdin();
        else
                rc = process_logs(&config);

So the default behaviour when stdin is a pipe is to read a log file path from stdin and process that. Sure enough, sending '/some/path<EOF>' down the pipe causes ausearch to process that file and exit.

It seems confusing that although the option to turn this behaviour off is documented there is no mention of the fact that the audit tools are expecting a path on stdin in this situation.

I'll mention this in bug 1005202 to see if we can get the docs updated.

Comment 7 Bryn M. Reeves 2013-11-21 11:09:28 UTC
aureport/ausearch rather - both use the same logic.

Comment 8 Bryn M. Reeves 2013-11-21 11:11:20 UTC
I misread; the commands expect the log data rather than the file path on stdin - this is mentioned in the opening paragraph of the man pages for both so I think we can close bug 1005202 NOTABUG.

Comment 9 Steve Grubb 2013-11-21 18:22:28 UTC
The audit tools are designed to be piped together. For example, you might do something like this:

ausearch --start today -k code-injection --raw | aureport --summary -x -i
ausearch --start today -m avc --raw | aureport --summary -x -i

So, if you need to force the search to the logs, use --input-logs as mentioned previously.
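
The input-selection logic discussed in comments 5, 6 and 9, and the hang it causes in a TTY-less caller, as an added example. This is not sos or audit project code: it rebuilds the selinux plugin's ausearch invocation with and without --input-logs, mirrors the audit tools' is_pipe(0) test (assumed here to be an S_ISFIFO check on fd 0), and reproduces the failure mode with 'cat' standing in for ausearch, since 'cat' with no file argument also reads stdin until EOF. The function names are the example's own.

```python
import os
import stat
import subprocess

# Added example; not code from sos or the audit package.


def ausearch_argv(force_logs=True):
    """Build the selinux plugin's ausearch command.

    With --input-logs ausearch always reads the files named in auditd.conf
    and never switches to 'read records from stdin' mode, which is what it
    does when fd 0 is a pipe (ssh without -t, cron, Popen, a Java caller).
    """
    argv = ["ausearch", "-m", "avc,user_avc", "-ts", "today"]
    if force_logs:
        argv.append("--input-logs")
    return argv


def stdin_is_pipe(fd=0):
    """Assumed equivalent of is_pipe(0) in the audit tools: True for a FIFO."""
    return stat.S_ISFIFO(os.fstat(fd).st_mode)


def classify_fds():
    """Apply the fd check to a real pipe and to /dev/null.

    Returns (pipe_is_fifo, devnull_is_fifo).  /dev/null is a character
    device, so a caller that redirects stdin from it falls through to the
    process_logs() branch even without --input-logs.
    """
    r, w = os.pipe()
    devnull = os.open(os.devnull, os.O_RDONLY)
    try:
        return (stdin_is_pipe(r), stdin_is_pipe(devnull))
    finally:
        for fd in (r, w, devnull):
            os.close(fd)


def demonstrate_hang(timeout=1.0):
    """Reproduce the sosreport hang with 'cat' in place of ausearch.

    The parent opens a pipe to the child's stdin and never writes or closes
    it, exactly what a collector that ignores stdin does.  The child blocks
    in read() until the timeout fires.  Returns True if it had to be killed.
    """
    proc = subprocess.Popen(["cat"], stdin=subprocess.PIPE,
                            stdout=subprocess.DEVNULL)
    try:
        proc.wait(timeout=timeout)
        hung = False
    except subprocess.TimeoutExpired:
        hung = True
        proc.kill()
        proc.wait()
    finally:
        proc.stdin.close()
    return hung


def run_without_hanging(argv, timeout=30):
    """Run a collector the way a TTY-less caller should.

    stdin is /dev/null, so a tool that decides to read from stdin sees EOF
    at once instead of blocking on a pipe nobody writes to, and the timeout
    returns control to the caller regardless (the comment 2 mitigation).
    Returns (returncode, stdout_bytes, timed_out).
    """
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return (None, b"", True)
    return (proc.returncode, proc.stdout, False)


if __name__ == "__main__":
    print("fixed argv:", " ".join(ausearch_argv()))
    print("(pipe, /dev/null) is FIFO:", classify_fds())
    print("child hung on open pipe:", demonstrate_hang())
    print("child with /dev/null stdin:", run_without_hanging(["cat"]))
```

Two defences stack here: --input-logs removes the stdin branch inside ausearch, and running the command with stdin redirected from /dev/null plus a timeout protects against any other collector with the same habit.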

Comment 10 RHEL Program Management 2013-11-24 18:31:24 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 13 Bryn M. Reeves 2014-06-20 10:03:07 UTC
commit cdb987afb42da238828fb49fdb539a4b9621f8ec
Author: Bryn M. Reeves <bmr>
Date:   Fri Jun 20 11:01:08 2014 +0100

    [selinux] pass --input-logs when calling ausearch
    
    If ausearch is run without a tty it expects log data to be fed on
    stdin. This causes the selinux plugin to appear to hang when run
    e.g. over an ssh session. Force the command to use the logs
    defined in auditd.conf by specifying --input-logs.
    
    Signed-off-by: Bryn M. Reeves <bmr>

Comment 16 errata-xmlrpc 2014-10-14 07:22:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1528.html

