Bug 156571 - ausearch fails to list kernel events
Product: Fedora
Classification: Fedora
Component: audit
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Steve Grubb
Reported: 2005-05-01 18:54 EDT by Ziga Mahkovec
Modified: 2007-11-30 17:11 EST
Last Closed: 2005-05-07 13:15:51 EDT
Doc Type: Bug Fix
Attachments: None

Description Ziga Mahkovec 2005-05-01 18:54:30 EDT
Description of problem:
ausearch never seems to return any kernel events.

Steps to Reproduce:

1. Set up a simple audit rule:

# auditctl -a exit,always -S open
AUDIT_LIST: exit always syscall=open
No rules

2. Make sure events get logged:

# grep KERNEL /var/log/audit/audit.log | tail -n1
type=KERNEL msg=audit(1114986240.704:11406107): syscall=5 exit=3 a0=bf879c56
a1=8000 a2=0 a3=8000 items=1 pid=13174 loginuid=-1 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 comm=grep exe=/bin/grep

3. Try to query the logs:

# ausearch -m KERNEL

Actual results:
ausearch returns no results.

Expected results:
All KERNEL type events should be listed.

Additional info:
Looking at the source code (src/ausearch-match.c:117) it seems that ausearch
expects a "success=" field in the log entries; however, there is no such field
in my logs.
I also reproduced this with upstream latest audit-0.7.2-1.
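To make the reporter's diagnosis concrete, the following is an added example written for this page; it is not ausearch's code and not part of the Fedora audit package. It parses audit.log records of the layout quoted above into key/value fields and contrasts two matchers: one that, like the behaviour the reporter observed, only counts a record when a success= field is present, and one that matches on type alone and consults success= only when the caller filters on it. The sample log is constructed for the example (the success=-bearing record and the CONFIG_CHANGE record are assumptions about layout, not captured output), and the exit=-based outcome fallback is a heuristic of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit.log content (not a real capture). The first two
# KERNEL records follow the layout quoted in the bug report, which carries
# exit= but no success= field; the CONFIG_CHANGE record stands in for any
# non-KERNEL event; the last KERNEL record adds the success= field that the
# reporter says later kernels emit (its exact field order is an assumption).
SAMPLE_LOG = """\
type=KERNEL msg=audit(1114986240.704:11406107): syscall=5 exit=3 a0=bf879c56 a1=8000 a2=0 a3=8000 items=1 pid=13174 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=grep exe=/bin/grep
type=KERNEL msg=audit(1114986240.705:11406108): syscall=5 exit=-2 a0=bf879c80 a1=8000 a2=0 a3=8000 items=1 pid=13174 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=grep exe=/bin/grep
type=CONFIG_CHANGE msg=audit(1114986250.001:11406109): auid=-1 op=add rule res=1
type=KERNEL msg=audit(1114986300.123:11406200): syscall=5 success=yes exit=3 a0=bf879c56 a1=8000 a2=0 a3=8000 items=1 pid=13200 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=cat exe=/bin/cat
"""

# One audit record: "type=<T> msg=audit(<secs>.<ms>:<serial>): k=v k=v ..."
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one audit.log line into a dict of its fields; None if malformed."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "timestamp": m.group("ts"), "serial": m.group("serial")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:  # tokens without '=' are ignored
            rec[key] = value
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every well-formed line of an audit.log body."""
    return [r for r in (parse_record(line) for line in text.splitlines()) if r is not None]


def search_requiring_success(text: str, msgtype: str) -> List[str]:
    """Behaviour the reporter observed: a record only counts if it has success=.

    Records written by a kernel that does not emit success= are silently dropped,
    which is why 'ausearch -m KERNEL' returned nothing on the old audit.log.
    """
    return [r["serial"] for r in parse_log(text) if r["type"] == msgtype and "success" in r]


def search_tolerant(text: str, msgtype: str, success: Optional[str] = None) -> List[str]:
    """Match on type, and on success= only when the caller asks for it.

    When success= is absent the outcome is derived from exit= (a negative
    return value means the syscall failed). That fallback is a heuristic of
    this example, not documented ausearch behaviour.
    """
    hits = []
    for r in parse_log(text):
        if r["type"] != msgtype:
            continue
        if success is not None:
            if "success" in r:
                ok = r["success"] == "yes"
            elif "exit" in r:
                ok = int(r["exit"]) >= 0
            else:
                continue  # no way to judge the outcome; skip rather than guess
            if ok != (success == "yes"):
                continue
        hits.append(r["serial"])
    return hits


if __name__ == "__main__":
    print("strict  :", search_requiring_success(SAMPLE_LOG, "KERNEL"))
    print("tolerant:", search_tolerant(SAMPLE_LOG, "KERNEL"))
    print("failed  :", search_tolerant(SAMPLE_LOG, "KERNEL", success="no"))
```

Run against the constructed log, the strict matcher returns only the one record that carries success=, while the tolerant matcher lists all three KERNEL records; a log produced entirely by the older kernel would make the strict matcher return nothing, which is the symptom reported here.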
Comment 1 Steve Grubb 2005-05-02 06:51:21 EDT
The audit system depends on a complete kernel implementation. There are 5 or 6
kernel patches that are going to be added before FC4 is released. This is why it
doesn't work at the moment. Sorry for any inconvenience.
Comment 2 Ziga Mahkovec 2005-05-07 10:36:15 EDT
kernel-2.6.11-1.1287_FC4 contains some audit patches, including the 'success'
field in logs.  ausearch will now correctly list kernel events.
Comment 3 Steve Grubb 2005-05-07 13:15:51 EDT
Thanks for the feedback. I will be releasing 0.7.4 to rawhide in the next few
days that takes care of some more ausearch bugs. I'll consider this problem
fixed. Thanks for the report.