Bug 1381601 - audit package update
Summary: audit package update
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.4
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Steve Grubb
QA Contact: Ondrej Moriš
Mirek Jahoda
Depends On: 1399823
Blocks: 1377248
TreeView+ depends on / blocked
Reported: 2016-10-04 14:06 UTC by Steve Grubb
Modified: 2020-09-10 09:50 UTC (History)
7 users (show)

Fixed In Version: audit-2.7.6-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_audit_ rebased to version 2.7.6 The _audit_ packages have been updated to upstream version 2.7.6, which provides a number of enhancements, new features, and bug fixes, including: * The *auditd* service now automatically adjusts logging directory permissions when it starts up. This helps keep directory permissions correct after performing a package upgrade. * The *ausearch* utility has a new "--format" output option. The "--format text" option presents an event as an English sentence describing what is happening. The "--format csv" option normalizes logs into a subject, object, action, results, and how it occurred in addition to some metadata fields which is output in the Comma Separated Value (CSV) format. This is suitable for pushing event information into a database, spreadsheet, or other analytic programs to view, chart, or analyze audit events. * The *auditctl* utility can now reset the lost event counter in the kernel through the "--reset-lost" command-line option. This makes checking for lost events easier since you can reset the value to zero daily. * *ausearch* and *aureport* now have a "boot" option for the "--start" command-line option to find events since the system booted. * *ausearch* and *aureport* provide a new "--escape" command-line option to better control what kind of escaping is done to audit fields. It currently supports `raw`, `tty`, `shell`, and `shell_quote` escaping. * *auditctl* no longer allows rules with the entry filter. This filter has not been supported since Red Hat Enterprise Linux 5. Prior to this release, on Red Hat Enterprise Linux 6 and 7, *auditctl* moved any entry rule to the exit filter and displayed a warning that the entry filter is deprecated.
Clone Of:
: 1428393 (view as bug list)
Last Closed: 2017-08-01 20:53:38 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:2008 0 normal SHIPPED_LIVE audit bug fix update 2017-08-01 18:34:07 UTC

Description Steve Grubb 2016-10-04 14:06:15 UTC
Description of problem:
Update the audit package to latest upstream. Feature list will be added later.

Comment 9 Ondrej Moriš 2017-03-07 13:54:11 UTC
I just checked multikey support added in 2.6.6. It looks like either I am misunderstanding details of this new feature or there are some issues:

 1. ausearch output
 Single key, in raw mode, ausearch outputs key as key="singlekey1" while 
 in interpreting mode it is key=singlekey1. Multiple keys, in raw mode
 it is key=6D756C74696B657933016D756C74696B657934 while in interpreting 
 mode it is key=multikey3 key=multikey4. It that expected?

 2. ausearch key filtering
 Consider the following cases:
   a) # auditctl -w file1 -k singlekey1
      # auditctl -w file2 -k singlekey2
      # rm -f file1
      # rm -f file2
      This produces two events now, one keyed with singlekey1 and 
      another keyed with singlekey2. Ie. 

      # ausearch -m syscall -sc unlinkat -k singlekey1
      # ausearch -m syscall -sc unlinkat -k singlekey2

      produces two events with their associated records. 

      Issue A1
      # ausearch -m syscall -sc unlinkat -k singlekey

      This should produce nothing because there is no such key, but it
      does, it outputs events associated with either singlekey1 or 

      Issue A2
      # ausearch -m syscall -sc unlinkat -k singlekey1 -k singlekey2

      IMHO more key parameters in ausearch should mean either "AND" or 
      "OR" (and it should better be explicitly stated in man page). 
      Hence I would expected either two events or none. But it outputs 
      only events associated with singlekey1. 

   b) # auditctl -w file1 -k multikey1 -k multikey2
      # auditctl -w file2 -k multikey2 -k multikey3
      # auditctl -w file3 -k multikey3 -k multikey4

      # rm -f file1
      # rm -f file2
      # rm -f file2

      Again, three sets of events are produced, each of them with two

      Issue B1
      # ausearch -m syscall -sc unlinkat -k multikey1 -k multikey2

      Again, if multiple -k means AND, command should produce single
      events with multikey key=multikey1 key=multikey2. If -k means OR,
      command should produce two events. And it does. Therefore it 
      looks like it works as OR. But then...

      # ausearch -m syscall -sc unlinkat -k multikey3 -k multikey4

      Outputs only one event which indicates that multiple -k works like
      AND and not OR.  

      Issue B2
      # ausearch -m syscall -sc unlinkat -k multikey2 -k multikey3

      This should produce either one or three events - first with "key=multikey1 
      key=multikey2", second wit "key=multikey2 key=multikey3" and the
      last with "key=multikey3 key=multikey4". But it actually outputs two events
      -  second and third. 

      Issue B3
      # ausearch -m syscall -sc unlinkat -k multikey
      Similarly to (A2) I would expect no events but there are three of them.

Comment 11 Steve Grubb 2017-03-08 16:10:45 UTC
Item 1, yes that is expected. You can check the original design with audit-2.3.3 which was the RHEL 7 GA package. This bug is about restoring the old behavior broken during the TTY escaping work.

Issue A1, keys match on partial names just like file names. You can pass --word to match the whole word.

Issue A2, we can only search on 1 key. The last key typed in wins.

Issue B is related to the above. You cannot specify multiple keys to ausearch just like you cannot specify multiple files. The last item is related to partial matching. Add -w to make it a whole word match. I checked the ausearch man page for the -w option and see that keys is missing. I pushed an update to github to clarify that.

Comment 13 Steve Grubb 2017-03-28 14:36:38 UTC
audit-2.7.4-1.el7 was built to resolve this issue.

Comment 14 Steve Grubb 2017-05-18 19:19:34 UTC
Updated version numbers. Another bz mandated a respin to a newer version that fixed the problem.

Comment 16 errata-xmlrpc 2017-08-01 20:53:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.