1260873 – ausearch fails to find a ppc64le record if followed by another arch

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1260873 - ausearch fails to find a ppc64le record if followed by another arch

Summary: ausearch fails to find a ppc64le record if followed by another arch

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	audit
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Steve Grubb
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-09-08 06:29 UTC by Karel Srot
Modified:	2016-06-17 11:25 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-06-17 11:24:35 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Karel Srot 2015-09-08 06:29:08 UTC

Description of problem:

Depending on the order of architectures ausearch fails to find a record when ppc64le record is followed by a different architecture (or prints both when the order is opposite).

# rpm -q audit
audit-2.4.1-5.el7.ppc64le
# cat test.log
type=SECCOMP msg=audit(1395076595.898:760): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c0000015 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0
type=SECCOMP msg=audit(1395076595.898:760): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c000003e syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0

# ausearch -if test.log -sc io_cancel -i
<no matches>
# 
# # now lets switch record order
# cat test.log
type=SECCOMP msg=audit(1395076595.898:760): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c000003e syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0
type=SECCOMP msg=audit(1395076595.898:760): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c0000015 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0

# ausearch -if test.log -sc io_cancel -i
----
type=SECCOMP msg=audit(03/17/2014 13:16:35.898:760) : auid=test uid=root gid=root ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm=test sig=SIGSYS arch=ppc64le syscall=io_cancel compat=0 ip=0x7fe37deb9c09 code=kill 
type=SECCOMP msg=audit(03/17/2014 13:16:35.898:760) : auid=test uid=root gid=root ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm=test sig=SIGSYS arch=x86_64 syscall=exit_group compat=0 ip=0x7fe37deb9c09 code=kill

Comment 1 Karel Srot 2015-09-08 06:40:55 UTC

So the bug doesn't seem to be hw specific, I have reproduced it also on x86_64
But the requirement here is that both audit record have the same timestamp.

Therefore I am reducing the severity.

# rpm -q audit
audit-2.4.1-5.el7.x86_64
# ausyscall --dump | grep 231 | awk '{print $2}'
exit_group
# cat test.log
type=SECCOMP msg=audit(1395076595.898:760): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=80000016 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0
type=SECCOMP msg=audit(1395076595.898:760): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c000003e syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0
# ausearch -if test.log -sc exit_group
----
time->Mon Mar 17 13:16:35 2014
type=SECCOMP msg=audit(1395076595.898:760): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c000003e syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0
type=SECCOMP msg=audit(1395076595.898:760): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=80000016 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0
# 
# vim test.log 
# cat test.log
type=SECCOMP msg=audit(1395076595.898:760): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c000003e syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0
type=SECCOMP msg=audit(1395076595.898:760): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=80000016 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0
# ausearch -if test.log -sc exit_group
<no matches>

Comment 3 Steve Grubb 2015-10-22 20:41:58 UTC

The way that ausearch works is that if --arch is not given, then it checks the machine that its being run on and uses what it detects to select the arch lookup table. It can only search for one arch at a time.

This is because what its doing is taking the syscall text and turning it into a number. So, if you are running this on an x86_64 machine, then running ausearch -sc io_cancel, is the same as running ausearch -sc 210.

Comment 4 Paul Moore 2016-02-29 20:53:30 UTC

(In reply to Steve Grubb from comment #3)
> The way that ausearch works is that if --arch is not given, then it checks
> the machine that its being run on and uses what it detects to select the
> arch lookup table. It can only search for one arch at a time.
> 
> This is because what its doing is taking the syscall text and turning it
> into a number. So, if you are running this on an x86_64 machine, then
> running ausearch -sc io_cancel, is the same as running ausearch -sc 210.

So do we consider this a bug or no?

Comment 5 Karel Srot 2016-06-16 13:23:14 UTC

My understanding is that it is a bug. Despite the chance of having same timestamp for two records is low, it grows if we consider that logs are collected from multiple systems. But is it fair to say that log messages in comments above are artificial and it would probably require additional testing to confirm whether it happens also for real-life logs.

Comment 6 Steve Grubb 2016-06-16 13:28:20 UTC

Normally logs from multiple systems have node in the audit trail. Node+time+serial is how events are classified.

Comment 7 Ondrej Moriš 2016-06-17 11:24:35 UTC

(In reply to Steve Grubb from comment #6)
> Normally logs from multiple systems have node in the audit trail.
> Node+time+serial is how events are classified.

Let me summarize it - this issue can be hit only if there are at least two event with the same identifier. Such a situation cannot happen on a single system not used for a remote logging. If a remote logging is used, node names are part of identifiers and a probability that two events have the same timestamp _and_ sequence number _and_ node name negligible. 

Therefore after discussion with Karel I am closing this issue as NOTABUG.

Comment 8 Ondrej Moriš 2016-06-17 11:25:12 UTC

(In reply to Ondrej Moriš from comment #7)

> ...
> same timestamp _and_ sequence number _and_ node name IS negligible.

Note You need to log in before you can comment on or make changes to this bug.