Bug 1049925 - ausearch issues found by ausearch-test
Summary: ausearch issues found by ausearch-test
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit
Version: 5.10
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Steve Grubb
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-01-08 13:54 UTC by Ondrej Moriš
Modified: 2014-08-14 09:16 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-02 13:23:37 UTC
Target Upstream Version:


Attachments (Terms of Use)
Audit log file used for testing (7.62 KB, text/x-log)
2014-01-08 13:54 UTC, Ondrej Moriš
no flags Details

Description Ondrej Moriš 2014-01-08 13:54:58 UTC
Created attachment 847154 [details]
Audit log file used for testing

Description of problem:

Using ausearch-test [1], we found several issues in audit-test, details follows:

# ./ausearch-test 
Starting the test

Failed to locate a record
Current test option: -ui 0
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: -ul 4294967295
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0 -ul 4294967295
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: --session 4294967295
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0 -ul 4294967295 --session 4294967295
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: -su system_u:system_r:sshd_t:s0-s0:c0.c1023
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0 -ul 4294967295 --session 4294967295 -su system_u:system_r:sshd_t:s0-s0:c0.c1023
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: -x "/usr/sbin/sshd"
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0 -ul 4294967295 --session 4294967295 -su system_u:system_r:sshd_t:s0-s0:c0.c1023 -x "/usr/sbin/sshd"
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: -hn 10.34.24.117
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0 -ul 4294967295 --session 4294967295 -su system_u:system_r:sshd_t:s0-s0:c0.c1023 -x "/usr/sbin/sshd" -hn 10.34.24.117
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: --success yes
Command used: ausearch -if ./audit.log -a 63 -m CRYPTO_SESSION -p 11200 -ui 0 -ul 4294967295 --session 4294967295 -su system_u:system_r:sshd_t:s0-s0:c0.c1023 -x "/usr/sbin/sshd" -hn 10.34.24.117 --success yes
Full record being tested: type=CRYPTO_SESSION msg=audit(1389178561.251:63): pid=11200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5 spid=11201 suid=74 rport=33649 laddr=10.16.64.133 lport exe="/usr/sbin/sshd" hostname=? addr=10.34.24.117 terminal=? res=success'

Failed to locate a record
Current test option: -f "log"
Command used: ausearch -if ./audit.log -a 64991 -m AVC -p 24194 -c "cat" -f "log"
Full record being tested: type=AVC msg=audit(1314775502.467:64991): avc:  denied  { read } for  pid=24194 comm="cat" name="log" dev=cciss/c0d0p2 ino=2433983 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=file

Failed to locate a record
Current test option: -se system_u:system_r:logwatch_t:s0-s0:c0.c1023
Command used: ausearch -if ./audit.log -a 64991 -m AVC -p 24194 -c "cat" -f "log" -se system_u:system_r:logwatch_t:s0-s0:c0.c1023
Full record being tested: type=AVC msg=audit(1314775502.467:64991): avc:  denied  { read } for  pid=24194 comm="cat" name="log" dev=cciss/c0d0p2 ino=2433983 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=file

Failed to locate a record
Current test option: -se unconfined_u:object_r:var_spool_t:s0
Command used: ausearch -if ./audit.log -a 64991 -m AVC -p 24194 -c "cat" -f "log" -se system_u:system_r:logwatch_t:s0-s0:c0.c1023 -se unconfined_u:object_r:var_spool_t:s0
Full record being tested: type=AVC msg=audit(1314775502.467:64991): avc:  denied  { read } for  pid=24194 comm="cat" name="log" dev=cciss/c0d0p2 ino=2433983 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=file

[1] http://people.redhat.com/sgrubb/audit/ausearch-test-0.4.tar.gz

Version-Release number of selected component (if applicable):

audit-1.8-2.el5

How reproducible:

100%

Steps to Reproduce:
1. see above

Additional info:

See attached audit.log (it is not really complete, many even types are missing, but the most common ones are included).

Comment 1 RHEL Program Management 2014-02-25 00:10:40 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 2 RHEL Program Management 2014-03-07 13:56:34 UTC
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.

Comment 3 RHEL Program Management 2014-06-02 13:23:37 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).


Note You need to log in before you can comment on or make changes to this bug.