
Bug 1049925

Summary: ausearch issues found by ausearch-test
Product: Red Hat Enterprise Linux 5
Component: audit
Version: 5.10
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Target Milestone: rc
Reporter: Ondrej Moriš <omoris>
Assignee: Steve Grubb <sgrubb>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: omoris
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-02 13:23:37 UTC
Attachments: Audit log file used for testing (flags: none)

Description Ondrej Moriš 2014-01-08 13:54:58 UTC
Created attachment 847154
Audit log file used for testing

Description of problem:

Using ausearch-test [1], we found several issues in audit-test, details follow:

# ./ausearch-test 
Starting the test

Failed to locate a record
Current test option: -ui 0
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: -ul 4294967295
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0 -ul 4294967295
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: --session 4294967295
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0 -ul 4294967295 --session 4294967295
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: -su system_u:system_r:sshd_t:s0-s0:c0.c1023
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0 -ul 4294967295 --session 4294967295 -su system_u:system_r:sshd_t:s0-s0:c0.c1023
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: -x "/usr/sbin/sshd"
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0 -ul 4294967295 --session 4294967295 -su system_u:system_r:sshd_t:s0-s0:c0.c1023 -x "/usr/sbin/sshd"
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: -hn 10.34.24.117
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0 -ul 4294967295 --session 4294967295 -su system_u:system_r:sshd_t:s0-s0:c0.c1023 -x "/usr/sbin/sshd" -hn 10.34.24.117
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: --success yes
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0 -ul 4294967295 --session 4294967295 -su system_u:system_r:sshd_t:s0-s0:c0.c1023 -x "/usr/sbin/sshd" -hn 10.34.24.117 --success yes
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: -f "log"
Command used: ausearch -if ./audit.log -a 64991 -m AVC -p 24194 -c "cat" -f "log"
Full record being tested: type=AVC msg=audit(1314775502.467:64991): avc:  denied  { read } for  pid=24194 comm="cat" name="log" dev=cciss/c0d0p2 ino=2433983 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=file

Failed to locate a record
Current test option: -se system_u:system_r:logwatch_t:s0-s0:c0.c1023
Command used: ausearch -if ./audit.log -a 64991 -m AVC -p 24194 -c "cat" -f "log" -se system_u:system_r:logwatch_t:s0-s0:c0.c1023
Full record being tested: type=AVC msg=audit(1314775502.467:64991): avc:  denied  { read } for  pid=24194 comm="cat" name="log" dev=cciss/c0d0p2 ino=2433983 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=file

Failed to locate a record
Current test option: -se unconfined_u:object_r:var_spool_t:s0
Command used: ausearch -if ./audit.log -a 64991 -m AVC -p 24194 -c "cat" -f "log" -se system_u:system_r:logwatch_t:s0-s0:c0.c1023 -se unconfined_u:object_r:var_spool_t:s0
Full record being tested: type=AVC msg=audit(1314775502.467:64991): avc:  denied  { read } for  pid=24194 comm="cat" name="log" dev=cciss/c0d0p2 ino=2433983 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=file

[1] http://people.redhat.com/sgrubb/audit/ausearch-test-0.4.tar.gz

Version-Release number of selected component (if applicable):

audit-1.8-2.el5

How reproducible:

100%

Steps to Reproduce:
1. see above

Additional info:

See attached audit.log (it is not really complete, many event types are missing, but the most common ones are included).
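
An independent cross-check of the first failing record, as an added example that is not part of the original report and is not ausearch's own code: it parses the CRYPTO_SESSION line quoted above and checks whether every value passed in the last failing command is present in the record. The helper names and the option-to-field mapping are assumptions made for illustration; tokens that carry no value, such as `lport` in this record, are collected separately.

```python
import re

# Record copied verbatim from the report above (first failing event).
RECORD = (
    "type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 "
    "spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport "
    'exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success\''
)
# Values from the last failing CRYPTO_SESSION command in the report.
CRITERIA = {"-a": "63", "-m": "CRYPTO_SESSION", "-p": "11200", "-ui": "0",
            "-ul": "4294967295", "--session": "4294967295",
            "-su": "system_u:system_r:sshd_t:s0-s0:c0.c1023",
            "-x": "/usr/sbin/sshd", "-hn": "10.34.24.117", "--success": "yes"}
# Assumed, simplified mapping from each option to the record field(s) it tests.
OPTION_FIELDS = {"-a": ["event_id"], "-m": ["type"], "-p": ["pid"], "-ui": ["uid"],
                 "-ul": ["auid"], "--session": ["ses"], "-su": ["subj"],
                 "-x": ["exe"], "-hn": ["hostname", "addr"], "--success": ["res"]}
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
TOKEN = re.compile(r'(\w+)(?:=("[^"]*"|\S*))?')  # key=value, key="value", or bare key

def parse_record(line):
    """Split one audit line into a flat dict; bare keys go to rec['_valueless']."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an audit record")
    rec = {"type": m.group(1), "event_id": m.group(3), "_valueless": []}
    nested = re.match(r"^(.*?)\s*msg='(.*)'$", m.group(4))  # user-space payload
    for part in (nested.groups() if nested else (m.group(4),)):
        for tok in TOKEN.finditer(part):
            if tok.group(2) is None:
                rec["_valueless"].append(tok.group(1))
            else:
                rec[tok.group(1)] = tok.group(2).strip('"')
    return rec

def unmatched_options(rec, criteria):
    """Return the options whose value is not found in any mapped field."""
    missing = []
    for opt, want in criteria.items():
        if opt == "--success":
            want = {"yes": "success", "no": "failed"}.get(want, want)
        if not any(rec.get(f) == want for f in OPTION_FIELDS[opt]):
            missing.append(opt)
    return missing

if __name__ == "__main__":
    print(unmatched_options(parse_record(RECORD), CRITERIA))
```

An empty list means the record itself carries every value the command asked for; `parse_record(RECORD)["_valueless"]` lists the tokens that had no `=value` part.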

Comment 1 RHEL Program Management 2014-02-25 00:10:40 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 2 RHEL Program Management 2014-03-07 13:56:34 UTC
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.

Comment 3 RHEL Program Management 2014-06-02 13:23:37 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).