2231089 – ausearch prints a misleading error message when using "--input <file>"

Bug 2231089 - ausearch prints a misleading error message when using "--input <file>"

Summary: ausearch prints a misleading error message when using "--input <file>"

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	audit
Sub Component:
Version:	9.2
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Sergio Correia
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-08-10 14:30 UTC by Renaud Métrich
Modified:	2023-08-15 10:04 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	linux-audit audit-userspace pull 320	None	open	ausearch: do not use built-in logs when --input is specified	2023-08-15 10:04:15 UTC
Red Hat Issue Tracker	RHELPLAN-165520	None	None	None	2023-08-10 14:31:58 UTC
Red Hat Issue Tracker	SECENGSP-5351	None	None	None	2023-08-10 14:32:04 UTC

Description Renaud Métrich 2023-08-10 14:30:42 UTC

This bug was initially created as a copy of Bug #2231088

I am copying this bug because: 

Also happens on RHEL9 (audit-3.0.7-103.el9.x86_64)

Description of problem:

When processing a file using "ausearch --input <file>" as non-root user, the following gets printed:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ ausearch --input /tmp/audit.log --just-one
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
----
time->Wed Aug  9 13:55:01 2023
type=USER_ACCT msg=audit(1691582101.695:13926): pid=341128 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_sss,pam_permit acct="rmetrich" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Internally strace shows ausearch tries to open /etc/audit/auditd.conf, but of course that's not possible.
Still the file gets processed properly, the message is just annoying and misleading.

Version-Release number of selected component (if applicable):

audit-3.1.1-1.fc38.x86_64

How reproducible:

Always, just open an audit log with proper permissions as a user

Note You need to log in before you can comment on or make changes to this bug.