RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1476406 - Audit package rebase
Summary: Audit package rebase
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Steve Grubb
QA Contact: Ondrej Moriš
Mirek Jahoda
Depends On: 929234 968303 982154 1101605 1399314 1406887 1448526 1455598 1475998 1478516 1478517 1478521 1478528 1478533 1478543 1479911 1479914 1482121 1487352 1716002 1741182 1966454
Blocks: 1490387
TreeView+ depends on / blocked
Reported: 2017-07-28 21:53 UTC by Steve Grubb
Modified: 2021-06-01 08:27 UTC (History)
4 users (show)

Fixed In Version: audit-2.8.1-2.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_audit_ rebased to version 2.8.1 The _audit_ packages have been upgraded to upstream version 2.8.1, which provides a number of bug fixes and enhancements over the previous version. Notable changes are: * Added support for ambient capability fields. * The *Audit* daemon now works also on IPv6. * Added the default port to the `auditd.conf` file. * Fixed the *auvirt* tool to report Access Vector Cache (AVC) messages.
Clone Of:
: 1490387 (view as bug list)
Last Closed: 2018-04-10 12:18:47 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0760 0 None None None 2018-04-10 12:20:10 UTC

Description Steve Grubb 2017-07-28 21:53:46 UTC
Description of problem:
The audit package needs to be rebased to pick up various bug fixes, support kernel work, and to add a few new capabilities.

Bugs that are currently fixed and need picked up:
* Auparse python bindings had numerous issues: returns codes not right, add bindings for auparse_nomalize_subject_kind, AUSOURCE_DESCRIPTOR data source was not working (important for audisp plugin use), 
* Auparse had issues with: doing unnecessary euid check, and some adjustments in auparse_normalize
* aureport was missing anom_abend & seccomp events in anomaly report, it was also not reporting the auid in the login report
* Auditd would not start if a domain name could not be verified for mail delivery, this needed to be optional in case the DNS entry had no A record. The umask was not being restored after creating a log file. Auditd was making audispd exit when it was in enriched mode and client machines were in raw mode. Audispd saw malformed records.

Items scheduled to round out the audit system:
* Auparse_normalizer adjustments to support kernel events missing expected fields.
* Ausearch text mode output adjustments for clarity
* Support for new FANOTIFY Auxiliary record
* Fix remote logging protocol bug where they won't reconnect
* Work up individual queues for audisp plugins so one slow plugin can't backup auditd queues.
* Fix both bz filed against auvirt
* Work on non-equality comparisons for ausearch API of auparse.
* Plus bugs reported as people start to use the new audit enhancements for 7.4.

Comment 1 Steve Grubb 2017-10-10 20:01:37 UTC
audit-2.8-1.el7 was built to resolve this issue.

Comment 9 errata-xmlrpc 2018-04-10 12:18:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.