_audit_ rebased to version 2.7.6
The _audit_ packages have been updated to upstream version 2.7.6, which provides a number of enhancements, new features, and bug fixes, including:
* The *auditd* service now automatically adjusts logging directory permissions when it starts up. This helps keep directory permissions correct after performing a package upgrade.
* The *ausearch* utility has a new "--format" output option. The "--format text" option presents an event as an English sentence describing what is happening. The "--format csv" option normalizes each event into a subject, object, action, results, and how it occurred, plus some metadata fields, and prints it in Comma Separated Value (CSV) format. This output is suitable for pushing event information into a database, spreadsheet, or other analytic program to view, chart, or analyze audit events.
* The *auditctl* utility can now reset the lost event counter in the kernel through the "--reset-lost" command-line option. This makes checking for lost events easier since you can reset the value to zero daily.
* *ausearch* and *aureport* now have a "boot" option for the "--start" command-line option to find events since the system booted.
* *ausearch* and *aureport* provide a new "--escape" command-line option to better control what kind of escaping is done to audit fields. It currently supports `raw`, `tty`, `shell`, and `shell_quote` escaping.
* *auditctl* no longer allows rules with the entry filter. This filter has not been supported since Red Hat Enterprise Linux 5. Prior to this release, on Red Hat Enterprise Linux 6 and 7, *auditctl* moved any entry rule to the exit filter and displayed a warning that the entry filter is deprecated.
Description of problem:
Update the audit package to the latest upstream. Feature list will be added later.
I just checked multikey support added in 2.6.6. It looks like either I am misunderstanding details of this new feature or there are some issues:
1. ausearch output
Single key, in raw mode, ausearch outputs key as key="singlekey1" while in interpreting mode it is key=singlekey1. Multiple keys, in raw mode it is key=6D756C74696B657933016D756C74696B657934 while in interpreting mode it is key=multikey3 key=multikey4. Is that expected?
2. ausearch key filtering
Consider the following cases:
a) # auditctl -w file1 -k singlekey1
# auditctl -w file2 -k singlekey2
# rm -f file1
# rm -f file2
This produces two events now, one keyed with singlekey1 and another keyed with singlekey2. I.e.
# ausearch -m syscall -sc unlinkat -k singlekey1
# ausearch -m syscall -sc unlinkat -k singlekey2
produces two events with their associated records.
# ausearch -m syscall -sc unlinkat -k singlekey
This should produce nothing because there is no such key, but it does, it outputs events associated with either singlekey1 or
# ausearch -m syscall -sc unlinkat -k singlekey1 -k singlekey2
IMHO more key parameters in ausearch should mean either "AND" or "OR" (and it should better be explicitly stated in the man page). Hence I would have expected either two events or none. But it outputs only events associated with singlekey1.
b) # auditctl -w file1 -k multikey1 -k multikey2
# auditctl -w file2 -k multikey2 -k multikey3
# auditctl -w file3 -k multikey3 -k multikey4
# rm -f file1
# rm -f file2
# rm -f file2
Again, three sets of events are produced, each of them with two
# ausearch -m syscall -sc unlinkat -k multikey1 -k multikey2
Again, if multiple -k means AND, the command should produce a single event with multikey key=multikey1 key=multikey2. If -k means OR, the command should produce two events. And it does. Therefore it looks like it works as OR. But then...
# ausearch -m syscall -sc unlinkat -k multikey3 -k multikey4
Outputs only one event, which indicates that multiple -k works like AND and not OR.
# ausearch -m syscall -sc unlinkat -k multikey2 -k multikey3
This should produce either one or three events - first with "key=multikey1 key=multikey2", second with "key=multikey2 key=multikey3" and the last with "key=multikey3 key=multikey4". But it actually outputs two events - second and third.
# ausearch -m syscall -sc unlinkat -k multikey
Similarly to (A2) I would expect no events but there are three of them.
Item 1, yes that is expected. You can check the original design with audit-2.3.3 which was the RHEL 7 GA package. This bug is about restoring the old behavior broken during the TTY escaping work.
Issue A1, keys match on partial names just like file names. You can pass --word to match the whole word.
Issue A2, we can only search on 1 key. The last key typed in wins.
Issue B is related to the above. You cannot specify multiple keys to ausearch just like you cannot specify multiple files. The last item is related to partial matching. Add -w to make it a whole word match. I checked the ausearch man page for the -w option and see that keys is missing. I pushed an update to github to clarify that.
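The two behaviours discussed above (the hex-encoded raw multi-key field from item 1, and partial versus whole-word key matching from A1/B) can be reproduced on constructed records. This is an added illustration, not code from the audit project; the record layout and the `search` helper are assumptions, and only the hex value is taken from the report.

```python
import re
from typing import List

# Constructed sample records (not taken from the reporter's system).  The
# third one carries the raw-mode multi-key value quoted in the report: hex
# of "multikey3", a 0x01 separator, then "multikey4".
SAMPLE_EVENTS = [
    'type=SYSCALL msg=audit(1500000000.101:201): syscall=263 success=yes key="singlekey1"',
    'type=SYSCALL msg=audit(1500000000.102:202): syscall=263 success=yes key="singlekey2"',
    'type=SYSCALL msg=audit(1500000000.103:203): syscall=263 success=yes '
    'key=6D756C74696B657933016D756C74696B657934',
]

# Either a quoted key or a bare hex string (the kernel hex-encodes a field
# value that contains control characters such as the 0x01 key separator).
KEY_RE = re.compile(r'\bkey=("([^"]*)"|([0-9A-Fa-f]+))')


def parse_keys(record: str) -> List[str]:
    """Return the list of audit keys carried by a raw-mode record."""
    m = KEY_RE.search(record)
    if not m:
        return []
    if m.group(2) is not None:          # quoted form: exactly one key
        return [m.group(2)]
    # hex form: decode, then split on the 0x01 separator, which gives the
    # "key=multikey3 key=multikey4" view that interpreting mode prints
    decoded = bytes.fromhex(m.group(3)).decode("utf-8", errors="replace")
    return decoded.split("\x01")


def match_key(record: str, wanted: str, whole_word: bool = False) -> bool:
    """Mirror ausearch -k: substring match by default, exact with --word (-w)."""
    keys = parse_keys(record)
    if whole_word:
        return wanted in keys
    return any(wanted in k for k in keys)


def search(events: List[str], wanted: str, whole_word: bool = False) -> List[str]:
    """Filter records the way a single -k (and optional -w) would."""
    return [e for e in events if match_key(e, wanted, whole_word)]
```

Without whole-word matching, `search(SAMPLE_EVENTS, "singlekey")` returns both singlekey1 and singlekey2 records, which is the A1 result the reporter saw; with `whole_word=True` it returns none.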
audit-2.7.4-1.el7 was built to resolve this issue.
Updated version numbers. Another bz mandated a respin to a newer version that fixed the problem.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.