Bug 1476406 - Audit package rebase
Summary: Audit package rebase
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Steve Grubb
QA Contact: Ondrej Moriš
Mirek Jahoda
Keywords: Rebase
Depends On: 1478516 1478533 1479911 1479914 929234 968303 982154 1101605 1399314 1406887 1448526 1455598 1475998 1478517 1478521 1478528 1478543 1482121 1487352
Blocks: 1490387
Reported: 2017-07-28 21:53 UTC by Steve Grubb
Modified: 2018-04-10 12:20 UTC

_audit_ rebased to version 2.8.1

The _audit_ packages have been upgraded to upstream version 2.8.1, which provides a number of bug fixes and enhancements over the previous version. Notable changes are:

 * Added support for ambient capability fields.
 * The *Audit* daemon now also works on IPv6.
 * Added the default port to the `auditd.conf` file.
 * Fixed the *auvirt* tool to report Access Vector Cache (AVC) messages.
Clone Of:
: 1490387
Last Closed: 2018-04-10 12:18:47 UTC

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0760 None None None 2018-04-10 12:20 UTC

Description Steve Grubb 2017-07-28 21:53:46 UTC
Description of problem:
The audit package needs to be rebased to pick up various bug fixes, support kernel work, and to add a few new capabilities.

Bugs that are currently fixed and need to be picked up:
* Auparse python bindings had numerous issues: return codes not right, add bindings for auparse_normalize_subject_kind, AUSOURCE_DESCRIPTOR data source was not working (important for audisp plugin use)
* Auparse had issues with: doing unnecessary euid check, and some adjustments in auparse_normalize
* aureport was missing anom_abend & seccomp events in anomaly report, it was also not reporting the auid in the login report
* Auditd would not start if a domain name could not be verified for mail delivery; this needed to be optional in case the DNS entry had no A record. The umask was not being restored after creating a log file. Auditd was making audispd exit when it was in enriched mode and client machines were in raw mode. Audispd saw malformed records.

Items scheduled to round out the audit system:
* Auparse_normalizer adjustments to support kernel events missing expected fields.
* Ausearch text mode output adjustments for clarity
* Support for new FANOTIFY Auxiliary record
* Fix remote logging protocol bug where they won't reconnect
* Work up individual queues for audisp plugins so one slow plugin can't back up auditd queues.
* Fix both bz filed against auvirt
* Work on non-equality comparisons for ausearch API of auparse.
* Plus bugs reported as people start to use the new audit enhancements for 7.4.

Comment 1 Steve Grubb 2017-10-10 20:01:37 UTC
audit-2.8-1.el7 was built to resolve this issue.

Comment 9 errata-xmlrpc 2018-04-10 12:18:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.