Description of problem: Update the audit package to latest upstream. Feature list will be added later.
I just checked multikey support added in 2.6.6. It looks like either I am misunderstanding details of this new feature or there are some issues:

1. ausearch output
==================

Single key, in raw mode, ausearch outputs key as key="singlekey1" while in interpreting mode it is key=singlekey1. Multiple keys, in raw mode it is key=6D756C74696B657933016D756C74696B657934 while in interpreting mode it is key=multikey3 key=multikey4. Is that expected?

2. ausearch key filtering
=========================

Consider the following cases:

a)
  # auditctl -w file1 -k singlekey1
  # auditctl -w file2 -k singlekey2
  # rm -f file1
  # rm -f file2

This produces two events now, one keyed with singlekey1 and another keyed with singlekey2. I.e.
  # ausearch -m syscall -sc unlinkat -k singlekey1
  # ausearch -m syscall -sc unlinkat -k singlekey2
produces two events with their associated records.

Issue A1
--------
  # ausearch -m syscall -sc unlinkat -k singlekey
This should produce nothing because there is no such key, but it does: it outputs events associated with either singlekey1 or singlekey2.

Issue A2
--------
  # ausearch -m syscall -sc unlinkat -k singlekey1 -k singlekey2
IMHO more key parameters in ausearch should mean either "AND" or "OR" (and it should better be explicitly stated in the man page). Hence I would expect either two events or none. But it outputs only events associated with singlekey1.

b)
  # auditctl -w file1 -k multikey1 -k multikey2
  # auditctl -w file2 -k multikey2 -k multikey3
  # auditctl -w file3 -k multikey3 -k multikey4
  # rm -f file1
  # rm -f file2
  # rm -f file2

Again, three sets of events are produced, each of them with two keys.

Issue B1
--------
  # ausearch -m syscall -sc unlinkat -k multikey1 -k multikey2
Again, if multiple -k means AND, the command should produce a single event with multikey key=multikey1 key=multikey2. If -k means OR, the command should produce two events. And it does. Therefore it looks like it works as OR. But then...
  # ausearch -m syscall -sc unlinkat -k multikey3 -k multikey4
outputs only one event, which indicates that multiple -k works like AND and not OR.

Issue B2
--------
  # ausearch -m syscall -sc unlinkat -k multikey2 -k multikey3
This should produce either one or three events - first with "key=multikey1 key=multikey2", second with "key=multikey2 key=multikey3" and the last with "key=multikey3 key=multikey4". But it actually outputs two events - second and third.

Issue B3
--------
  # ausearch -m syscall -sc unlinkat -k multikey
Similarly to (A2) I would expect no events but there are three of them.
Item 1, yes that is expected. You can check the original design with audit-2.3.3 which was the RHEL 7 GA package. This bug is about restoring the old behavior broken during the TTY escaping work. Issue A1, keys match on partial names just like file names. You can pass --word to match the whole word. Issue A2, we can only search on 1 key. The last key typed in wins. Issue B is related to the above. You cannot specify multiple keys to ausearch just like you cannot specify multiple files. The last item is related to partial matching. Add -w to make it a whole word match. I checked the ausearch man page for the -w option and see that keys is missing. I pushed an update to github to clarify that.
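As an added illustration (not code from the bug report or from the audit project), the Python below decodes the raw key= field shown in item 1 and reproduces the partial-match versus whole-word (-w) behaviour explained above for issues A1 and B3. It assumes, as the audit source does, that keys of a multi-key rule are joined with a 0x01 byte and that ausearch hex-encodes any key containing a non-printable byte; the event lines are constructed samples, not real audit records.

```python
import binascii
import re

# Byte the audit subsystem places between the keys of a multi-key rule.
# Its presence makes the field non-printable, so raw mode hex-encodes it.
KEY_SEPARATOR = b"\x01"

# Constructed sample lines mirroring the key= fields described in the report.
SAMPLE_EVENTS = [
    'type=SYSCALL syscall=263 key="singlekey1"',
    'type=SYSCALL syscall=263 key="singlekey2"',
    'type=SYSCALL syscall=263 key=6D756C74696B657931016D756C74696B657932',  # multikey1, multikey2
    'type=SYSCALL syscall=263 key=6D756C74696B657932016D756C74696B657933',  # multikey2, multikey3
    'type=SYSCALL syscall=263 key=6D756C74696B657933016D756C74696B657934',  # multikey3, multikey4
]


def parse_raw_key(field):
    """Return the list of keys carried by a raw-mode key= value.

    A single printable key is quoted (key="singlekey1"); a multi-key value is
    hex-encoded, and splitting the decoded bytes on 0x01 yields each key.
    """
    if field.startswith('"') and field.endswith('"'):
        return [field[1:-1]]
    if field == "(null)":          # record matched a rule without a key
        return []
    raw = binascii.unhexlify(field)
    return [k.decode("ascii") for k in raw.split(KEY_SEPARATOR)]


def key_matches(keys, wanted, whole_word=False):
    """Mimic ausearch -k: substring match by default, exact match with -w."""
    if whole_word:
        return wanted in keys
    return any(wanted in k for k in keys)


def search(events, wanted, whole_word=False):
    """Indices of events whose key= field matches 'wanted' (one -k, as ausearch allows)."""
    hits = []
    for idx, line in enumerate(events):
        m = re.search(r"key=(\S+)$", line)
        if m and key_matches(parse_raw_key(m.group(1)), wanted, whole_word):
            hits.append(idx)
    return hits
```

Without whole-word matching, "-k singlekey" selects both singlekey events (issue A1) and "-k multikey" selects all three multi-key events (issue B3); with whole_word=True both return nothing.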
audit-2.7.4-1.el7 was built to resolve this issue.
Updated version numbers. Another bz mandated a respin to a newer version that fixed the problem.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2008