Bug 1381601 - audit package update
Summary: audit package update
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Steve Grubb
QA Contact: Ondrej Moriš
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On: 1399823
Blocks: 1377248
Reported: 2016-10-04 14:06 UTC by Steve Grubb
Modified: 2020-09-10 09:50 UTC (History)
CC: 7 users

Fixed In Version: audit-2.7.6-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_audit_ rebased to version 2.7.6

The _audit_ packages have been updated to upstream version 2.7.6, which provides a number of enhancements, new features, and bug fixes, including:

* The *auditd* service now automatically adjusts logging directory permissions when it starts up. This helps keep directory permissions correct after a package upgrade.
* The *ausearch* utility has a new "--format" output option. "--format text" presents an event as an English sentence describing what happened. "--format csv" normalizes each event into subject, object, action, result, and how it occurred, plus some metadata fields, and outputs it in Comma Separated Value (CSV) format. This is suitable for pushing event information into a database, spreadsheet, or other analytic program to view, chart, or analyze audit events.
* The *auditctl* utility can now reset the lost event counter in the kernel through the "--reset-lost" command-line option. This makes checking for lost events easier, since the counter can be reset to zero daily.
* *ausearch* and *aureport* now accept "boot" as an argument to the "--start" command-line option, to find events since the system booted.
* *ausearch* and *aureport* provide a new "--escape" command-line option to better control what kind of escaping is done to audit fields. It currently supports `raw`, `tty`, `shell`, and `shell_quote` escaping.
* *auditctl* no longer allows rules with the entry filter. This filter has not been supported since Red Hat Enterprise Linux 5. Prior to this release, on Red Hat Enterprise Linux 6 and 7, *auditctl* moved any entry rule to the exit filter and displayed a warning that the entry filter is deprecated.
Clone Of:
: 1428393
Environment:
Last Closed: 2017-08-01 20:53:38 UTC
Target Upstream Version:
Embargoed:

Links
System: Red Hat Product Errata
ID: RHEA-2017:2008
Private: no
Priority: normal
Status: SHIPPED_LIVE
Summary: audit bug fix update
Last Updated: 2017-08-01 18:34:07 UTC

Description Steve Grubb 2016-10-04 14:06:15 UTC
Description of problem:
Update the audit package to the latest upstream. Feature list will be added later.

Comment 9 Ondrej Moriš 2017-03-07 13:54:11 UTC
I just checked multikey support added in 2.6.6. It looks like either I am misunderstanding details of this new feature or there are some issues:

 1. ausearch output
 ==================
 Single key, in raw mode, ausearch outputs key as key="singlekey1" while 
 in interpreting mode it is key=singlekey1. Multiple keys, in raw mode
 it is key=6D756C74696B657933016D756C74696B657934 while in interpreting 
 mode it is key=multikey3 key=multikey4. Is that expected?

 2. ausearch key filtering
 =========================
 Consider the following cases:
 
   a) # auditctl -w file1 -k singlekey1
      # auditctl -w file2 -k singlekey2
      # rm -f file1
      # rm -f file2
 
      This produces two events now, one keyed with singlekey1 and 
      another keyed with singlekey2. I.e. 

      # ausearch -m syscall -sc unlinkat -k singlekey1
      # ausearch -m syscall -sc unlinkat -k singlekey2

      produces two events with their associated records. 

      Issue A1
      --------
      # ausearch -m syscall -sc unlinkat -k singlekey

      This should produce nothing because there is no such key, but it
      does, it outputs events associated with either singlekey1 or 
      singlekey2.

      Issue A2
      --------
      # ausearch -m syscall -sc unlinkat -k singlekey1 -k singlekey2

      IMHO more key parameters in ausearch should mean either "AND" or 
      "OR" (and it should better be explicitly stated in the man page). 
      Hence I would have expected either two events or none. But it outputs 
      only events associated with singlekey1. 

   b) # auditctl -w file1 -k multikey1 -k multikey2
      # auditctl -w file2 -k multikey2 -k multikey3
      # auditctl -w file3 -k multikey3 -k multikey4

      # rm -f file1
      # rm -f file2
      # rm -f file3

      Again, three sets of events are produced, each of them with two
      keys. 

      Issue B1
      --------
      # ausearch -m syscall -sc unlinkat -k multikey1 -k multikey2

      Again, if multiple -k means AND, the command should produce a single
      event with keys key=multikey1 key=multikey2. If -k means OR, the
      command should produce two events. And it does. Therefore it 
      looks like it works as OR. But then...

      # ausearch -m syscall -sc unlinkat -k multikey3 -k multikey4

      Outputs only one event which indicates that multiple -k works like
      AND and not OR.  

      Issue B2
      --------
      # ausearch -m syscall -sc unlinkat -k multikey2 -k multikey3

      This should produce either one or three events - first with "key=multikey1 
      key=multikey2", second with "key=multikey2 key=multikey3" and the
      last with "key=multikey3 key=multikey4". But it actually outputs two events
      - the second and the third. 

      Issue B3
      --------
      # ausearch -m syscall -sc unlinkat -k multikey
 
      Similarly to (A2) I would expect no events but there are three of them.

Comment 11 Steve Grubb 2017-03-08 16:10:45 UTC
Item 1, yes that is expected. You can check the original design with audit-2.3.3 which was the RHEL 7 GA package. This bug is about restoring the old behavior broken during the TTY escaping work.

Issue A1, keys match on partial names just like file names. You can pass --word to match the whole word.

Issue A2, we can only search on 1 key. The last key typed in wins.

Issue B is related to the above. You cannot specify multiple keys to ausearch just like you cannot specify multiple files. The last item is related to partial matching. Add -w to make it a whole word match. I checked the ausearch man page for the -w option and see that keys is missing. I pushed an update to github to clarify that.
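
The key handling discussed in Comment 9 and explained in Comment 11 (a multikey field is shown hex-encoded with 0x01 between keys in raw mode and as repeated key= fields in interpreted mode; -k matches on a substring of the key; -w/--word makes it a whole-word match; only one key is searched and the last -k given wins), as an added Python example. This is not code from the Bugzilla page or from the audit project. The SYSCALL records, their serial numbers and timestamps are constructed for the example; the hex key value is the one quoted in Comment 9, and the emulation covers only the -k/-w handling of ausearch, not -m, -sc or its other filters.

```python
"""Decode audit key= fields and emulate ausearch -k / -w matching.

Added example: not code from the Bugzilla page or the audit project.
The audit records below are constructed; serial numbers, timestamps and
the unlinkat SYSCALL fields are illustrative only.
"""
import re

KEY_SEP = b"\x01"  # separator between the keys inside one multikey field

# key="literal"  -> a single key, printed quoted in raw mode
# key=6D75...    -> hex-encoded string (several keys joined by 0x01), unquoted
# key=(null)     -> the rule carried no key
_KEY_RE = re.compile(r'\bkey=("?)([^"\s]*)\1')
_SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def raw_multikey(*keys):
    """Hex-encode several keys the way raw audit output shows them."""
    return KEY_SEP.join(k.encode() for k in keys).hex().upper()


def record_keys(line):
    """Return every key carried by one raw audit record (possibly none)."""
    m = _KEY_RE.search(line)
    if not m:
        return []
    quoted, value = m.group(1) == '"', m.group(2)
    if quoted:
        return [value]
    if value == "(null)":
        return []
    return [k.decode() for k in bytes.fromhex(value).split(KEY_SEP) if k]


def interpreted_key(line):
    """Render the key field as ausearch -i does: one key=... per key."""
    return " ".join(f"key={k}" for k in record_keys(line))


def serial(line):
    """Event serial number from msg=audit(<time>:<serial>)."""
    return int(_SERIAL_RE.search(line).group(1))


def ausearch_keys(records, argv):
    """Emulate the key part of ausearch option parsing (-k/--key, -w/--word):
    one key is searched, the last -k given wins, and matching is a substring
    match unless -w asks for the whole word. Returns matching serials."""
    wanted, whole = None, False
    args = iter(argv)
    for a in args:
        if a in ("-k", "--key"):
            wanted = next(args)
        elif a in ("-w", "--word"):
            whole = True
    hits = []
    for rec in records:
        ks = record_keys(rec)
        if wanted is None:
            ok = True
        elif whole:
            ok = wanted in ks
        else:
            ok = any(wanted in k for k in ks)
        if ok:
            hits.append(serial(rec))
    return hits


def _syscall(serial_no, key_field):
    # Constructed SYSCALL record for unlinkat (263 on x86_64); fields trimmed.
    return (f'type=SYSCALL msg=audit(1488894000.{serial_no:03d}:{serial_no}): '
            f'arch=c000003e syscall=263 success=yes exit=0 uid=0 '
            f'comm="rm" exe="/usr/bin/rm" key={key_field}')


# The hex key value quoted in Comment 9: "multikey3" 0x01 "multikey4".
PAGE_HEX = "6D756C74696B657933016D756C74696B657934"

RECORDS = [
    _syscall(101, '"singlekey1"'),
    _syscall(102, '"singlekey2"'),
    _syscall(103, raw_multikey("multikey1", "multikey2")),
    _syscall(104, raw_multikey("multikey2", "multikey3")),
    _syscall(105, PAGE_HEX),
    _syscall(106, "(null)"),
]

if __name__ == "__main__":
    print(record_keys(RECORDS[4]))                                      # ['multikey3', 'multikey4']
    print(interpreted_key(RECORDS[4]))                                  # key=multikey3 key=multikey4
    print(ausearch_keys(RECORDS, ["-k", "singlekey"]))                   # [101, 102]  (Issue A1)
    print(ausearch_keys(RECORDS, ["-k", "singlekey", "-w"]))             # []
    print(ausearch_keys(RECORDS, ["-k", "multikey3", "-k", "multikey4"]))  # [105]  (last -k wins)
```

Run stand-alone, the script reproduces the observations in Comment 9 from the "last -k wins plus substring match" rule in Comment 11: "-k multikey" hits all three multikey events, "-k multikey2 -k multikey3" hits only the events carrying multikey3 (the second and third), and adding -w turns the partial match into an exact one.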

Comment 13 Steve Grubb 2017-03-28 14:36:38 UTC
audit-2.7.4-1.el7 was built to resolve this issue.

Comment 14 Steve Grubb 2017-05-18 19:19:34 UTC
Updated version numbers. Another bz mandated a respin to a newer version that fixed the problem.

Comment 16 errata-xmlrpc 2017-08-01 20:53:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2008

