Red Hat Bugzilla – Bug 156571
ausearch fails to list kernel events
Last modified: 2007-11-30 17:11:05 EST
Description of problem:
ausearch never seems to return any kernel events.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up a simple audit rule:
# auditctl -a exit,always -S open
AUDIT_LIST: exit always syscall=open
2. Make sure events get logged:
# grep KERNEL /var/log/audit/audit.log | tail -n1
type=KERNEL msg=audit(1114986240.704:11406107): syscall=5 exit=3 a0=bf879c56 a1=8000 a2=0 a3=8000 items=1 pid=13174 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=grep exe=/bin/grep
3. Try to query the logs:
# ausearch -m KERNEL
ausearch returns no results.
All KERNEL type events should be listed.
Looking at the source code (src/ausearch-match.c:117) it seems that ausearch
expects a "success=" field in the log entries; however, there is no such field
in my logs.
I also reproduced this with upstream latest audit-0.7.2-1.
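The failure the report describes is a parsing mismatch: the matcher in ausearch only accepts KERNEL records that carry a success= field, and a kernel without the audit patches never writes one, so every record is dropped. The following is an added example (not code from the bug report or from the audit project) that reproduces that behaviour in a toy ausearch-style matcher and contrasts it with a matcher that tolerates both record formats. The first sample record is the one quoted in the report; the other records, and the rule that a negative exit= value means the syscall failed, are constructed assumptions for this example.

```python
"""Toy ausearch-style matcher over raw audit.log records.

Added example, not code from the bug report or from the audit project. It
shows why a matcher that insists on a "success=" field silently drops every
KERNEL record written by a kernel that does not emit that field, and how a
parser can still match and classify those records.
"""
import re

# Constructed sample log. The first record is the one quoted in the bug report
# (no success= field). The remaining records are constructed for this example:
# two in the post-patch style that carries success=, plus a daemon record that
# is not a kernel event and must not match "-m KERNEL".
SAMPLE_LOG = """\
type=KERNEL msg=audit(1114986240.704:11406107): syscall=5 exit=3 a0=bf879c56 a1=8000 a2=0 a3=8000 items=1 pid=13174 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=grep exe=/bin/grep
type=KERNEL msg=audit(1114986300.123:11406200): syscall=5 success=no exit=-2 a0=bf879c56 a1=8000 a2=0 a3=8000 items=1 pid=13180 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=cat exe=/bin/cat
type=KERNEL msg=audit(1114986301.456:11406201): syscall=5 success=yes exit=4 a0=bf879c56 a1=8000 a2=0 a3=8000 items=1 pid=13181 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=cat exe=/bin/cat
type=DAEMON_START msg=audit(1114986000.000:1): auditd start ver=0.7.2 format=raw auid=4294967295
"""

# Every audit record starts with: type=TYPE msg=audit(SECONDS.MILLIS:SERIAL):
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_record(line):
    """Parse one raw audit.log line into a dict, or return None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "type": m.group("type"),
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    # The body is key=value pairs; free text without '=' (as in the
    # DAEMON_START record) is simply skipped.
    for key, value in KV_RE.findall(m.group("body")):
        rec[key] = value
    return rec


def infer_success(rec):
    """True/False for a syscall record, None if it cannot be determined.

    Prefers the explicit success= field. Without it, falls back on the
    assumption (made for this example, not stated on the page) that a
    negative exit= is -errno and anything else means the syscall succeeded.
    """
    if "success" in rec:
        return rec["success"] == "yes"
    if "exit" in rec:
        return int(rec["exit"]) >= 0
    return None


def match_strict(rec, msg_type):
    """The behaviour the report describes: the record must carry success=."""
    return rec["type"] == msg_type and "success" in rec


def match_lenient(rec, msg_type, success=None):
    """Match on type alone; consult success only when the caller asks for it."""
    if rec["type"] != msg_type:
        return False
    if success is None:
        return True
    return infer_success(rec) == success


def search(log_text, msg_type, strict=False, success=None):
    """Return the serial numbers of matching records, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if strict:
            matched = match_strict(rec, msg_type)
        else:
            matched = match_lenient(rec, msg_type, success)
        if matched:
            hits.append(rec["serial"])
    return hits


if __name__ == "__main__":
    # The strict matcher misses the pre-patch record 11406107 entirely.
    print("strict  :", search(SAMPLE_LOG, "KERNEL", strict=True))
    print("lenient :", search(SAMPLE_LOG, "KERNEL"))
    print("failed  :", search(SAMPLE_LOG, "KERNEL", success=False))
```

Run as-is, the strict search returns only the two constructed records that carry success=, which is the empty result the reporter saw scaled down to a three-record log; the lenient search returns all three KERNEL records, and the success filter still works on the pre-patch record by falling back on exit=. When writing tooling that consumes audit logs across kernel versions, treat optional fields as optional and derive what you can from the fields that are always present.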
The audit system depends on a complete kernel implementation. There are 5 or 6
kernel patches that are going to be added before FC4 is released. This is why it
doesn't work at the moment. Sorry for any inconvenience.
kernel-2.6.11-1.1287_FC4 contains some audit patches, including the 'success'
field in logs. ausearch will now correctly list kernel events.
Thanks for the feedback. I will be releasing 0.7.4 to rawhide in the next few
days that takes care of some more ausearch bugs. I'll consider this problem
fixed. Thanks for the report.