Bug 1241634 - LOG_AUTH/LOG_AUTHPRIV should be supported facilities in audispd syslog plugin
Summary: LOG_AUTH/LOG_AUTHPRIV should be supported facilities in audispd syslog plugin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.2
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: 7.3
Assignee: Steve Grubb
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-07-09 16:28 UTC by Christopher Cashell
Modified: 2016-11-04 06:12 UTC (History)

Fixed In Version: audit-2.6.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 06:12:20 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2418 0 normal SHIPPED_LIVE audit bug fix and enhancement update 2016-11-03 13:58:32 UTC

Description Christopher Cashell 2015-07-09 16:28:05 UTC
Description of problem:

The audispd syslog plugin should accept LOG_AUTH and LOG_AUTHPRIV as available facilities for logging.  auditd is often used for logging "auth" related activity, and the AUTH or AUTHPRIV facilities are the logical location facility they should be logged to.

Version-Release number of selected component (if applicable):

all

How reproducible:

always

Steps to Reproduce:

1. Edit /etc/audisp/plugins.d/syslog.conf to include the "args" option of LOG_AUTH or LOG_AUTHPRIV
2. Restart auditd/audispd

Actual results:

An error saying that LOG_AUTH or LOG_AUTHPRIV are unknown facilities.

Expected results:

No error is seen, and logs are sent to syslog with the LOG_AUTH or LOG_AUTHPRIV facility.

Additional info:

Fix is simply adding the entries to audispd-builtins.c:

--- orig/audit-2.4.2/audisp/audispd-builtins.c  2015-04-28 15:03:04.000000000 -0500
+++ audit-2.4.2/audisp/audispd-builtins.c       2015-07-07 10:43:38.000000000 -0500
@@ -302,6 +302,10 @@
                                facility = LOG_LOCAL6;
                        else if (strcasecmp(conf->args[i], "LOG_LOCAL7") == 0)
                                facility = LOG_LOCAL7;
+                       else if (strcasecmp(conf->args[i], "LOG_AUTH") == 0)
+                               facility = LOG_AUTH;
+                       else if (strcasecmp(conf->args[i], "LOG_AUTHPRIV") == 0)
+                               facility = LOG_AUTHPRIV;
                        else {
                                syslog(LOG_ERR,
                                        "Unknown log priority/facility %s",
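Review bot: Missing documentation update for the two new branches (LOG_AUTH and LOG_AUTHPRIV): the patch touches only audisp/audispd-builtins.c, while the comment header shipped in /etc/audisp/plugins.d/syslog.conf still says "Valid options are LOG_LOCAL0 through 7", so an administrator reading the config has no way to learn the new values are accepted. Please update that comment, and any other documentation that lists the valid facilities, in the same change. As a style point, the strcasecmp chain grows by one branch per facility; a small name-to-value table walked in a loop would keep the accepted names in one place, so the list in the documentation is easier to check against the code.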

Comment 2 Steve Grubb 2015-10-13 15:45:21 UTC
I think the merits of this request should have been discussed on the linux-audit mail list to see if anyone else has an opinion.

Comment 3 Christopher Cashell 2015-10-13 22:54:13 UTC
(In reply to Steve Grubb from comment #2)
> I think the merits of this request should have been discussed on the
> linux-audit mail list to see if anyone else has an opinion.

I wasn't trying to bypass anyone else's opinions.  When I submitted this, I wasn't sure how or where to suggest this.

I was setting up audit logging, realized that it wasn't accepting the facilities I expected, so I grabbed the source, patched mine to do what I needed, and threw this bug report up here with my (trivial) patch for it.

If there is a mailing list where this can or should be discussed for possible inclusion, I'd be happy to send it there.  I've installed my patched package on a bunch of internal servers to fit with our audit logging requirements, but I'd love to not have to maintain it.

To confirm, linux-audit is where you would like it sent?

Comment 4 Steve Grubb 2015-10-14 00:45:51 UTC
Yes, that is the mail list. But ask it as a question if other people would like to have this capability. Thanks! If you are not subscribed, I can allow the post through without you needing to subscribe.

Comment 7 Steve Grubb 2016-06-03 20:54:02 UTC
This landed in the 2.5 release upstream. At this point it's not likely to go into RHEL6. It will be in the next RHEL7 update. Moving this bz to RHEL7 for QE testing.

Comment 10 Ondrej Moriš 2016-07-07 15:23:26 UTC
Both LOG_AUTH and LOG_AUTHPRIV facilities are working but there is a minor issue remaining in the config file - none of the new facilities is mentioned there:

# cat /etc/audisp/plugins.d/syslog.conf
# This file controls the configuration of the syslog plugin.
# It simply takes events and writes them to syslog. The
# arguments provided can be the default priority that you
# want the events written with. And optionally, you can give
# a second argument indicating the facility that you want events
# logged to. Valid options are LOG_LOCAL0 through 7.

Comment 11 Steve Grubb 2016-07-07 15:36:41 UTC
Fix in upstream commit 1329.

Comment 12 Ondrej Moriš 2016-07-08 12:23:03 UTC
Thanks Steve. 

Bug is now successfully reproduced and verified (TJ#1395546). Facilities LOG_USER, LOG_SYSLOG, LOG_AUTH and LOG_AUTHPRIV are now supported by the plug-in. The only issue found is mentioned in Comment #10 and already resolved in upstream (Comment #11). In case of future respin in 7.3 errata, it would be good to include that commit.

Comment 14 errata-xmlrpc 2016-11-04 06:12:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2418.html

