Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1381601 - audit package update
audit package update
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit (Show other bugs)
7.4
All Linux
medium Severity medium
: rc
: ---
Assigned To: Steve Grubb
Ondrej Moriš
Mirek Jahoda
:
Depends On: 1399823
Blocks: 1377248
  Show dependency treegraph
 
Reported: 2016-10-04 10:06 EDT by Steve Grubb
Modified: 2017-08-01 16:53 EDT (History)
7 users (show)

See Also:
Fixed In Version: audit-2.7.6-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_audit_ rebased to version 2.7.6 The _audit_ packages have been updated to upstream version 2.7.6, which provides a number of enhancements, new features, and bug fixes, including: * The *auditd* service now automatically adjusts logging directory permissions when it starts up. This helps keep directory permissions correct after performing a package upgrade. * The *ausearch* utility has a new "--format" output option. The "--format text" option presents an event as an English sentence describing what is happening. The "--format csv" option normalizes logs into a subject, object, action, results, and how it occurred in addition to some metadata fields which is output in the Comma Separated Value (CSV) format. This is suitable for pushing event information into a database, spreadsheet, or other analytic programs to view, chart, or analyze audit events. * The *auditctl* utility can now reset the lost event counter in the kernel through the "--reset-lost" command-line option. This makes checking for lost events easier since you can reset the value to zero daily. * *ausearch* and *aureport* now have a "boot" option for the "--start" command-line option to find events since the system booted. * *ausearch* and *aureport* provide a new "--escape" command-line option to better control what kind of escaping is done to audit fields. It currently supports `raw`, `tty`, `shell`, and `shell_quote` escaping. * *auditctl* no longer allows rules with the entry filter. This filter has not been supported since Red Hat Enterprise Linux 5. Prior to this release, on Red Hat Enterprise Linux 6 and 7, *auditctl* moved any entry rule to the exit filter and displayed a warning that the entry filter is deprecated.
Story Points: ---
Clone Of:
: 1428393 (view as bug list)
Environment:
Last Closed: 2017-08-01 16:53:38 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:2008 normal SHIPPED_LIVE audit bug fix update 2017-08-01 14:34:07 EDT

  None (edit)
Description Steve Grubb 2016-10-04 10:06:15 EDT 
Description of problem:
Update the audit package to latest upstream. Feature list will be added later.
Comment 9 Ondrej Moriš 2017-03-07 08:54:11 EST 
I just checked multikey support added in 2.6.6. It looks like either I am misunderstanding details of this new feature or there are some issues:

 1. ausearch output
 ==================
 Single key, in raw mode, ausearch outputs key as key="singlekey1" while 
 in interpreting mode it is key=singlekey1. Multiple keys, in raw mode
 it is key=6D756C74696B657933016D756C74696B657934 while in interpreting 
 mode it is key=multikey3 key=multikey4. It that expected?

 2. ausearch key filtering
 =========================
 Consider the following cases:
 
   a) # auditctl -w file1 -k singlekey1
      # auditctl -w file2 -k singlekey2
      # rm -f file1
      # rm -f file2
 
      This produces two events now, one keyed with singlekey1 and 
      another keyed with singlekey2. Ie. 

      # ausearch -m syscall -sc unlinkat -k singlekey1
      # ausearch -m syscall -sc unlinkat -k singlekey2

      produces two events with their associated records. 

      Issue A1
      --------
      # ausearch -m syscall -sc unlinkat -k singlekey

      This should produce nothing because there is no such key, but it
      does, it outputs events associated with either singlekey1 or 
      singlekey2.

      Issue A2
      --------
      # ausearch -m syscall -sc unlinkat -k singlekey1 -k singlekey2

      IMHO more key parameters in ausearch should mean either "AND" or 
      "OR" (and it should better be explicitly stated in man page). 
      Hence I would expected either two events or none. But it outputs 
      only events associated with singlekey1. 

   b) # auditctl -w file1 -k multikey1 -k multikey2
      # auditctl -w file2 -k multikey2 -k multikey3
      # auditctl -w file3 -k multikey3 -k multikey4

      # rm -f file1
      # rm -f file2
      # rm -f file2

      Again, three sets of events are produced, each of them with two
      keys. 

      Issue B1
      --------
      # ausearch -m syscall -sc unlinkat -k multikey1 -k multikey2

      Again, if multiple -k means AND, command should produce single
      events with multikey key=multikey1 key=multikey2. If -k means OR,
      command should produce two events. And it does. Therefore it 
      looks like it works as OR. But then...

      # ausearch -m syscall -sc unlinkat -k multikey3 -k multikey4

      Outputs only one event which indicates that multiple -k works like
      AND and not OR.  

      Issue B2
      --------
      # ausearch -m syscall -sc unlinkat -k multikey2 -k multikey3

      This should produce either one or three events - first with "key=multikey1 
      key=multikey2", second wit "key=multikey2 key=multikey3" and the
      last with "key=multikey3 key=multikey4". But it actually outputs two events
      -  second and third. 

      Issue B3
      --------
      # ausearch -m syscall -sc unlinkat -k multikey
 
      Similarly to (A2) I would expect no events but there are three of them.
Comment 11 Steve Grubb 2017-03-08 11:10:45 EST 
Item 1, yes that is expected. You can check the original design with audit-2.3.3 which was the RHEL 7 GA package. This bug is about restoring the old behavior broken during the TTY escaping work.

Issue A1, keys match on partial names just like file names. You can pass --word to match the whole word.

Issue A2, we can only search on 1 key. The last key typed in wins.

Issue B is related to the above. You cannot specify multiple keys to ausearch just like you cannot specify multiple files. The last item is related to partial matching. Add -w to make it a whole word match. I checked the ausearch man page for the -w option and see that keys is missing. I pushed an update to github to clarify that.
Comment 13 Steve Grubb 2017-03-28 10:36:38 EDT 
audit-2.7.4-1.el7 was built to resolve this issue.
Comment 14 Steve Grubb 2017-05-18 15:19:34 EDT 
Updated version numbers. Another bz mandated a respin to a newer version that fixed the problem.
Comment 16 errata-xmlrpc 2017-08-01 16:53:38 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2008
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.