Bug 1049916
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | ausearch issues found by ausearch-test | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Ondrej Moriš <omoris> |
| Component: | audit | Assignee: | Steve Grubb <sgrubb> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.5 | CC: | ksrot, omoris, pbokoc, pkis, sgrubb |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | audit-2.3.7-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1053804 (view as bug list) | Environment: | |
| Last Closed: | 2014-10-14 07:14:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
I am changing the summary to a more general one and adding the full summary of issues found using the attached testing audit.log (many event types are missing, but the most common ones are included).

```
# ./ausearch-test
Starting the test
Failed to locate a record
Current test option: -f "log"
Command used: ausearch -if ./audit.log -a 64991 -m AVC -p 24194 -c "cat" -f "log"
Full record being tested: type=AVC msg=audit(1314775502.467:64991): avc: denied { read } for pid=24194 comm="cat" name="log" dev=cciss/c0d0p2 ino=2433983 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=file
Failed to locate a record
Current test option: -se system_u:system_r:logwatch_t:s0-s0:c0.c1023
Command used: ausearch -if ./audit.log -a 64991 -m AVC -p 24194 -c "cat" -f "log" -se system_u:system_r:logwatch_t:s0-s0:c0.c1023
Full record being tested: type=AVC msg=audit(1314775502.467:64991): avc: denied { read } for pid=24194 comm="cat" name="log" dev=cciss/c0d0p2 ino=2433983 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=file
Failed to locate a record
Current test option: -se unconfined_u:object_r:var_spool_t:s0
Command used: ausearch -if ./audit.log -a 64991 -m AVC -p 24194 -c "cat" -f "log" -se system_u:system_r:logwatch_t:s0-s0:c0.c1023 -se unconfined_u:object_r:var_spool_t:s0
Full record being tested: type=AVC msg=audit(1314775502.467:64991): avc: denied { read } for pid=24194 comm="cat" name="log" dev=cciss/c0d0p2 ino=2433983 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=file
```
Any chance of getting a log file that contains the events that ausearch is missing? It looks like there are 2 basic issues being reported here. One is not parsing the name= field, and this shows up as the current option under test is "-f". This is fixed in upstream commit 886. The second issue is related to searching on -se and expecting to match a subject. So far, I have not been able to reproduce it to study the problem.

I believe that there is no issue with the -se option even though -se failures were reported by the test in the description. I have double-checked it and those -se failures are caused by using -f "log". If -f "log" is omitted from, for instance:

```
ausearch -if ./audit.log -a 64991 -m AVC -p 24194 -c "cat" -f "log" -se system_u:system_r:logwatch_t:s0-s0:c0.c1023 -se unconfined_u:object_r:var_spool_t:s0
```

then it prints the correct audit event. But I would like to check it once we have a (scratch) build.

audit-2.3.7-1.el6 was built to resolve this issue.

I see a few more issues on architectures other than x86_64.

s390x & ppc64:

```
Failed to locate a record
Current test option: -f unknown family(4096)
Command used: ausearch -if audit.log -a 156 -m SOCKADDR -f unknown family(4096)
Full record being tested: type=SOCKADDR msg=audit(1307542302.175:156): saddr=100000000000000000000000
Done - 1 problems detected
```

i386: a lot of problems detected, each of them caused by '--session 4294967295', for instance:

```
Failed to locate a record
Current test option: --session 4294967295
Command used: ausearch -if audit.log -a 3038 -m ANOM_PROMISCUOUS -ul 4294967295 -ui 0 --gid 0 --session 4294967295
Full record being tested: type=ANOM_PROMISCUOUS msg=audit(1302610345.218:3038): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
```

The first issue is caused by incorrect parsing of the event, which is happening either in the audit lib or in ausearch-test. The second issue might be caused by using a sample audit.log generated on x86_64.
For item #1, are these logs created on PPC64 and s390x? I am wondering if the padding in saddr is different, causing a misinterpretation. From what I can tell, that should be a netlink address. Might be good to generate an event on sendto against a netlink socket ("autrace /sbin/auditctl -m test" should do it.) Also, what version of the test are you using?

For item #2, sounds like a bad type conversion somewhere. I'll see if I can set up a 32-bit VM to test on.
OK, duplicated the i386 problem. Looking into it.

Session ID problem fixed in upstream commit 966.

(In reply to Steve Grubb from comment #9)
> For item #1, Are these logs created on PPC64 and s390x? I am wondering if
> the padding in saddr is different causing a misinterpretation. From what I
> can tell, that should be a netlink address. Might be good to generate an
> event on sendto against a netlink socket ("autrace /sbin/auditctl -m test"
> should do it.) Also, what version of the test are you using?
>
> For item #2, sounds like a bad type conversion somewhere. I'll see if I can
> setup a 32 bit VM to test on.

The aforementioned logs were originally created on x86_64. Ausearch works with a SOCKADDR-type event created on ppc64:

```
# cat sockaddr.log
----
time->Mon Jul 28 06:33:22 2014
type=SOCKADDR msg=audit(1406543602.814:117): saddr=001000000000000000000000
type=SOCKETCALL msg=audit(1406543602.814:117): nargs=6 a0=3 a1=fffe2f1738c a2=58 a3=0 a4=fffe2f1503c a5=c
type=SYSCALL msg=audit(1406543602.814:117): arch=80000015 syscall=102 success=yes exit=88 a0=b a1=fffe2f14f70 a2=58 a3=0 items=0 ppid=7754 pid=7756 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="auditctl" exe="/sbin/auditctl" subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 key=(null)
# ./ausearch-test sockaddr.log
Starting the test
Done - no problems detected
```

Hence, as you suggested, the misinterpretation is caused by different padding on x86_64 and s390x/ppc64. BTW: I am using ausearch-test-0.5.

OK. Good to know. I think the SOCKADDR issue is a little endian vs big endian blob being written/read to/from disk without using some ntoh and hton byte flipper. Offhand, I don't know a good solution. If this is a concern, then let's open a bug specifically on this for RHEL7 and address it there in some future update. For the i386 issue, I'll respin the package with a patch fixing that.
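As an added example (not code from this bug report, from the audit package or from ausearch-test), the following Python models the two behaviours discussed in the comments above: the -f / -se search that failed on the AVC record in the description because the name= field was not parsed, and the SOCKADDR saddr= blob being raw host-order bytes, so that the x86_64 record from this bug decodes to a netlink address (family 16) only when read as little endian and comes out as "unknown family(4096)" when read as big endian, as on s390x/ppc64. The function names, the key=value tokenizer and the AND-of-criteria semantics are my own simplification of ausearch; -se is modelled as matching either the subject or the object context; the sample records are the ones quoted in this bug.

```python
import re
import struct

# Constructed sample log: the three records are the ones quoted in this bug
# (the AVC record from the description, the x86_64 SOCKADDR record that the
# s390x/ppc64 run reported as "unknown family(4096)", and the SOCKADDR record
# captured on ppc64).
SAMPLE_LOG = """\
type=AVC msg=audit(1314775502.467:64991): avc: denied { read } for pid=24194 comm="cat" name="log" dev=cciss/c0d0p2 ino=2433983 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=file
type=SOCKADDR msg=audit(1307542302.175:156): saddr=100000000000000000000000
type=SOCKADDR msg=audit(1406543602.814:117): saddr=001000000000000000000000
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or a
# run of non-blank characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

AF_NETLINK = 16  # sa_family value of a netlink socket address


def parse_record(line):
    """Turn one audit record line into a dict of field -> value."""
    rec = {}
    m = MSG_RE.search(line)
    if m:
        rec["time"] = m.group(1)
        rec["serial"] = int(m.group(2))
    for key, val in FIELD_RE.findall(line):
        if key == "msg":
            continue  # already split into time/serial above
        rec[key] = val.strip('"')  # comm="cat" -> cat, name="log" -> log
    return rec


def search(log_text, name=None, se=None, serial=None):
    """ausearch-style AND of the criteria used in this bug's test runs.

    name   models -f: compared against the record's name= field
    se     models -se: matches either the subject (scontext) or the
           object (tcontext) label of the record (assumption, see lead-in)
    serial models -a: the event serial number
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if serial is not None and rec.get("serial") != serial:
            continue
        if name is not None and rec.get("name") != name:
            continue
        if se is not None and se not in (rec.get("scontext"), rec.get("tcontext")):
            continue
        hits.append(rec)
    return hits


def saddr_family(saddr_hex, byteorder):
    """Decode sa_family from a SOCKADDR saddr= blob.

    The blob is the raw struct sockaddr as the producing kernel laid it out
    in memory, so its first two bytes are in that host's byte order: pass
    "little" for a log written on x86_64/i386 and "big" for ppc64/s390x.
    """
    raw = bytes.fromhex(saddr_hex)
    fmt = "<H" if byteorder == "little" else ">H"
    return struct.unpack(fmt, raw[:2])[0]


def describe_family(saddr_hex, byteorder):
    """Render the family the way ausearch-test printed it in this bug."""
    fam = saddr_family(saddr_hex, byteorder)
    return "netlink" if fam == AF_NETLINK else "unknown family(%d)" % fam


if __name__ == "__main__":
    # -f "log" finds the AVC record once name= is parsed (the first issue).
    ctx = "system_u:system_r:logwatch_t:s0-s0:c0.c1023"
    for rec in search(SAMPLE_LOG, name="log", se=ctx):
        print("match:", rec["type"], rec["serial"], rec["name"])
    # The same x86_64 blob read with the wrong byte order gives family 4096.
    x86 = "100000000000000000000000"
    print("x86_64 blob read as little endian:", describe_family(x86, "little"))
    print("x86_64 blob read as big endian:   ", describe_family(x86, "big"))
    print("ppc64 blob read as big endian:    ", describe_family("001000000000000000000000", "big"))
```

Reading the blob with the byte order of the host that wrote it, rather than the host running ausearch, is the "ntoh/hton byte flipper" step the comment above says is missing; a tool that reads logs produced on another architecture needs that byte order recorded (or inferred from the arch= field of the accompanying SYSCALL record) before it can interpret saddr.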
You are right Steve, it would be best not to test with an x86_64-generated log on non-x86_64 architectures; I will change the test to use arch-related logs.

This was fixed in upstream commits 977 (ausearch) and 979 (auparse).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1515.html
Description of problem:

Using ausearch-test [1], we found out that ausearch -f ignores specific records, for instance:

```
# cat audit.log
...
type=AVC msg=audit(1314775502.467:64991): avc: denied { read } for pid=24194 comm="cat" name="log" dev=cciss/c0d0p2 ino=2433983 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=file
...
# ausearch -if ./audit.log -f "log"
<no matches>
```

[1] http://people.redhat.com/sgrubb/audit/ausearch-test-0.4.tar.gz

Version-Release number of selected component (if applicable):
audit-2.2-2.el6

How reproducible:
100%

Steps to Reproduce:
1. See above

Actual results:

```
<no matches>
```

Expected results:

```
type=AVC msg=audit(1314775502.467:64991): avc: denied { read } for pid=24194 comm="cat" name="log" dev=cciss/c0d0p2 ino=2433983 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=file
```

Additional info:
This issue hits RHEL7 as well (audit-2.3.2-3.el7); I will file a bug there if this is confirmed as a bug.