1367703 – "Error - year is 1900" occurred when do auvirt with --start today/yesterday/this-week/this-month/this-year

Bug 1367703 - "Error - year is 1900" occurred when do auvirt with --start today/yesterday/this-week/this-month/this-year

Summary: "Error - year is 1900" occurred when do auvirt with --start today/yesterday/t...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	audit
Sub Component:
Version:	7.3
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Steve Grubb
QA Contact:	Ondrej Moriš
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-08-17 09:16 UTC by Yanqiu Zhang
Modified:	2017-08-01 20:53 UTC (History)
CC List:	8 users (show)
Fixed In Version:	audit-2.7.4-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 20:53:38 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2017:2008	0	normal	SHIPPED_LIVE	audit bug fix update	2017-08-01 18:34:07 UTC

Description Yanqiu Zhang 2016-08-17 09:16:10 UTC

Description of problem:
"Error - year is 1900" occurred when do auvirt with --start today/yesterday/this-week/this-month/this-year

Version-Release number of selected component (if applicable):
audit-2.6.5-3.el7.x86_64
libvirt-2.0.0-5.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Enable and start auditd.service
# systemctl enable auditd
# systemctl start auditd

2. Start a domain
# virsh start testvm

3. Check the audit log with  auvirt command, with option --start recent:
# auvirt --all-events --vm testvm --start recent
res   testvm                       root           Wed Aug 17 15:00                       cgroup          deny          all        
res   testvm                       root           Wed Aug 17 15:00                       cgroup          allow         path    rw    /s3-qe-team/yanqzhan/testvm.qcow2
res   testvm                       root           Wed Aug 17 15:00                       cgroup          allow         major    rw    pty
res   testvm                       root           Wed Aug 17 15:00                       disk            start         /s3-qe-team/yanqzhan/testvm.qcow2
res   testvm                       root           Wed Aug 17 15:00                       net             start         52:54:00:0b:85:fd
res   testvm                       root           Wed Aug 17 15:00                       mem             start         1048576
res   testvm                       root           Wed Aug 17 15:00                       vcpu            start         1
start testvm                       root           Wed Aug 17 15:00            

4. Check the audit log with the auvirt command, with option --start today/yesterday/this-week/this-month/this-year:

# auvirt --all-events --vm testvm --start today
Error - year is 1900
# auvirt --all-events --vm testvm --start yesterday
Error - year is 1900
# auvirt --all-events --vm testvm --start this-week
Error - year is 1900
# auvirt --all-events --vm testvm --start this-month
Error - year is 1900
# auvirt --all-events --vm testvm --start this-year
Error - year is 1900

Actual results:
As Step 4 descripted, "Error - year is 1900" occurred.

Expected results:
"Error - year is 1900" should not occur, auvirt command should work well with options --start today/yesterday/this-week/this-month/this-year option.

Additional info:
1.It works well on rhel7.2 with audit-2.4.1-5.el7.x86_64, libvirt-1.2.17-13.el7.x86_64.

Comment 2 Steve Grubb 2016-08-17 20:28:11 UTC

This appears to be an error in the man page. Looks like it was a copy and paste from the person that submitted the utility. It does not support any text based keywords like 'today'. It only supports numeric dates like 01/02/2000 but adjusted for the locale. This should probably be deferred to 7.4.

Comment 4 Steve Grubb 2017-03-27 20:23:38 UTC

Fixed in upstream commit 2af2c02. After further review, turns out the use of the keywords is supported because the original code links against ausearch-time.c which was a surprise to me. After checking the code against known working example in ausearch-options.c, it was obvious that it needed to pass "00:00:00" for the time setting if time was NULL.

Comment 5 Steve Grubb 2017-03-28 14:34:04 UTC

audit-2.7.4-1.el7 was built to resolve this issue.

Comment 7 Ondrej Moriš 2017-04-28 17:19:08 UTC

Successfully reproduced and verified on all supported architectures.

OLD (audit-2.6.5-3.el7_3.1)
===========================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: recent
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Command 'cp -f sample.log.template sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<PASS>/1493374812/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<FAIL>/1493374212/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'auvirt -ts recent --proof --file sample.log' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.UtELrgDM' should contain 'pass' 
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.UtELrgDM' should not contain 'fail' 
:: [   PASS   ] :: Command 'rm -f sample.log' (Expected 0, got 0)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: today
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Command 'cp -f sample.log.template sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<PASS>/1493375114/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<FAIL>/1493202314/" sample.log' (Expected 0, got 0)
Error - year is 1900
:: [   FAIL   ] :: Command 'auvirt -ts today --proof --file sample.log' (Expected 0, got 1)
:: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.Q8FQsofR' should contain 'pass' 
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.Q8FQsofR' should not contain 'fail' 
:: [   PASS   ] :: Command 'rm -f sample.log' (Expected 0, got 0)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: yesterday
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Command 'cp -f sample.log.template sample.log' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sed -i "s/<PASS>/1493288716/" sample.log'
:: [   PASS   ] :: Command 'sed -i "s/<PASS>/1493288716/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<FAIL>/1493202316/" sample.log' (Expected 0, got 0)
Error - year is 1900
:: [   FAIL   ] :: Command 'auvirt -ts yesterday --proof --file sample.log' (Expected 0, got 1)
:: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.TXBqXQtL' should contain 'pass' 
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.TXBqXQtL' should not contain 'fail' 
:: [   PASS   ] :: Command 'rm -f sample.log' (Expected 0, got 0)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: this-week
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Command 'cp -f sample.log.template sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<PASS>/1493375119/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<FAIL>/1492770319/" sample.log' (Expected 0, got 0)
Error - year is 1900
:: [   FAIL   ] :: Command 'auvirt -ts this-week --proof --file sample.log' (Expected 0, got 1)
:: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.HhbuUZpG' should contain 'pass' 
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.HhbuUZpG' should not contain 'fail' 
:: [   PASS   ] :: Command 'rm -f sample.log' (Expected 0, got 0)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: this-month
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Command 'cp -f sample.log.template sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<PASS>/1493375121/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<FAIL>/1490696721/" sample.log' (Expected 0, got 0)
Error - year is 1900
:: [   FAIL   ] :: Command 'auvirt -ts this-month --proof --file sample.log' (Expected 0, got 1)
:: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.WBrKBWRp' should contain 'pass' 
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.WBrKBWRp' should not contain 'fail' 
:: [   PASS   ] :: Command 'rm -f sample.log' (Expected 0, got 0)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: this-year
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Command 'cp -f sample.log.template sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<PASS>/1493375124/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<FAIL>/1461839124/" sample.log' (Expected 0, got 0)
Error - year is 1900
:: [   FAIL   ] :: Command 'auvirt -ts this-year --proof --file sample.log' (Expected 0, got 1)
:: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.3hEBio3U' should contain 'pass' 
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.3hEBio3U' should not contain 'fail' 
:: [   PASS   ] :: Command 'rm -f sample.log' (Expected 0, got 0)

NEW (audit-2.7.6-1.el7)
=======================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: recent
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'cp -f sample.log.template sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<PASS>/1493374951/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<FAIL>/1493374351/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'auvirt -ts recent --proof --file sample.log' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.pPLC0sxQ' should contain 'pass' 
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.pPLC0sxQ' should not contain 'fail' 
:: [   PASS   ] :: Command 'rm -f sample.log' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: recent

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: today
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'cp -f sample.log.template sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<PASS>/1493375253/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<FAIL>/1493202453/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'auvirt -ts today --proof --file sample.log' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.LHJM0O5C' should contain 'pass' 
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.LHJM0O5C' should not contain 'fail' 
:: [   PASS   ] :: Command 'rm -f sample.log' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: today

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: yesterday
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'cp -f sample.log.template sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<PASS>/1493288856/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<FAIL>/1493202456/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'auvirt -ts yesterday --proof --file sample.log' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.P1thCypq' should contain 'pass' 
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.P1thCypq' should not contain 'fail' 
:: [   PASS   ] :: Command 'rm -f sample.log' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: yesterday

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: this-week
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'cp -f sample.log.template sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<PASS>/1493375258/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<FAIL>/1492770458/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'auvirt -ts this-week --proof --file sample.log' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.5VthFVpM' should contain 'pass' 
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.5VthFVpM' should not contain 'fail' 
:: [   PASS   ] :: Command 'rm -f sample.log' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: this-week

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: this-month
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'cp -f sample.log.template sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<PASS>/1493375261/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<FAIL>/1490696861/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'auvirt -ts this-month --proof --file sample.log' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.STphFy6w' should contain 'pass' 
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.STphFy6w' should not contain 'fail' 
:: [   PASS   ] :: Command 'rm -f sample.log' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: this-month

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: this-year
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'cp -f sample.log.template sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<PASS>/1493375263/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sed -i "s/<FAIL>/1461839263/" sample.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'auvirt -ts this-year --proof --file sample.log' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.RiTfEPKO' should contain 'pass' 
:: [   PASS   ] :: File '/var/tmp/rlRun_LOG.RiTfEPKO' should not contain 'fail' 
:: [   PASS   ] :: Command 'rm -f sample.log' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: this-year

For more details see TJ#1830812.

Comment 8 errata-xmlrpc 2017-08-01 20:53:38 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2008

Note You need to log in before you can comment on or make changes to this bug.