Bug 235398 - LSPP: ausearch does not correctly find out of order records
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit
Version: 5.0
Hardware: All
OS: Linux
Priority: high
Severity: medium
Assigned To: Steve Grubb
QA Contact: Brian Brock
Depends On:
Blocks: 391501
Reported: 2007-04-05 11:48 EDT by Loulwa Salem
Modified: 2011-01-24 16:41 EST (History)
Doc Type: Bug Fix
Doc Text:
The user-space audit tools ausearch and aureport are used to search audit records. They did not take into account that records of one event could be interlaced with records of another event. The logic for these applications has been corrected to separate events into linked lists and better determine the end of events based on the records of just the event in question. Both ausearch and aureport can now handle events with interlaced records.
Last Closed: 2009-09-02 05:50:15 EDT
Attachments
Log file that provides expected ausearch results (7.53 KB, text/plain), 2007-04-05 11:51 EDT, Loulwa Salem
Log file that does not provide expected ausearch results (7.53 KB, text/plain), 2007-04-05 11:52 EDT, Loulwa Salem
Script to be used until this bug is fixed (488 bytes, application/x-shellscript), 2007-07-25 11:35 EDT, John D. Ramsdell

Description Loulwa Salem 2007-04-05 11:48:39 EDT
Description of problem:
When record parts are distributed in the log file (i.e. separated by other records that have a different timestamp/number), ausearch does not correctly search through them. The first record part will be found, but not the other record parts.

Version-Release number of selected component (if applicable):
audit-1.3.1-3

How reproducible:
always

Steps to Reproduce:
1. ausearch -c python -if ausearch-good-audit.log
2. ausearch -c python -if ausearch-bad-audit.log
(the logs are attached in this bugzilla)

Actual results:
1. The first one returns all records.
2. The second one returns only a single record.

Expected results:
All records should be returned from both logs
Comment 1 Loulwa Salem 2007-04-05 11:51:38 EDT
Created attachment 151770: Log file that provides expected ausearch results
Comment 2 Loulwa Salem 2007-04-05 11:52:24 EDT
Created attachment 151771: Log file that does not provide expected ausearch results
Comment 3 Steve Grubb 2007-04-05 12:02:21 EDT
This is true and that's the current design since RHEL4. The TODO file in the audit package documents that it's scheduled to be fixed sometime around the 1.5.3/4 version in the auparse library and then ausearch/report reworked to use the auparse library.

It is targeted for RHEL5.1 delivery.
Comment 4 George C. Wilson 2007-04-09 16:41:15 EDT
kweidner will ask the evaluator if this is OK for the LSPP evaluation.
Comment 5 George C. Wilson 2007-04-09 16:42:53 EDT
A workaround might be to sort audit trail and pipe to ausearch.
Comment 6 Linda Knippers 2007-04-09 16:51:54 EDT
I tried the workaround (sorting on the 2nd field) and it seemed to work.
Comment 7 Steve Grubb 2007-04-10 10:27:49 EDT
Removing from LSPP dependency list, but is still scheduled to be fixed in RHEL5.1.
Comment 9 John D. Ramsdell 2007-07-25 11:35:23 EDT
Created attachment 159943: Script to be used until this bug is fixed

This is a script that performs a stable sort on audit records by serial number,
for use until the bug is fixed.
Comment 11 RHEL Product and Program Management 2007-10-19 16:29:48 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 12 Issue Tracker 2007-10-24 11:43:25 EDT
----- Additional Comments From aoolatun@us.ibm.com  2007-10-24 10:46 EDT
-------
Mr Grubb

I was able to recreate the problem (Steps to Reproduce) on RHEL5.1 on a machine with uname -a: Linux ppc64n-lp1.ltc.austin.ibm.com 2.6.18-45.el5 #1 SMP Tue Sep 4 17:06:15 EDT 2007 ppc64 ppc64 ppc64 GNU/Linux

I also ran the tests as described in the problem description. When I ran the first test:
ausearch -c python -if ausearch-good-audit.log

The results I obtained were for 3 types "CWD, AUC_PATH AND SYSCALL" 

I then ran the second test:
ausearch -c python -if ausearch-bad-audit.log

The result I obtained was for only 1 type "SYSCALL"

I was hoping you could please point me in the right direction on what next to do to resolve this bug. Thank you.


This event sent from IssueTracker by jkachuck, issue 118126
Comment 13 Steve Grubb 2007-10-24 11:57:29 EDT
What needs to happen is the problem be fixed in the auparse library and then
ausearch re-written to use auparse. The fix in auparse is to create linked lists
of the event linked lists and apply aging rules to them to decide which ones are
complete.
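The workaround in comment 9 (a stable sort of the records by serial number) and the fix sketched in comment 13 (one linked list per event, with aging rules to decide when an event is complete) can both be modelled in a few dozen lines. The following is an added example, not code from the audit package, from auparse, or from the attached script. The log lines are constructed in auditd's on-disk format and are not the bug's attachments; `naive_search` models the old behaviour only as far as the bug describes it; and `max_age` is an assumed aging threshold, not auparse's actual rule:

```python
import re
from collections import OrderedDict

# Constructed sample records in auditd's on-disk format (not the bug's attachments).
# The event id is the "timestamp:serial" pair inside msg=audit(...). Event 1001 is the
# python process, event 1002 is bash; each has a SYSCALL, a CWD and a PATH record.
GOOD_LOG = [
    'type=SYSCALL msg=audit(1175789463.101:1001): arch=c000003e syscall=2 success=yes exit=3 comm="python" exe="/usr/bin/python"',
    'type=CWD msg=audit(1175789463.101:1001):  cwd="/home/tester"',
    'type=PATH msg=audit(1175789463.101:1001): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644',
    'type=SYSCALL msg=audit(1175789463.102:1002): arch=c000003e syscall=2 success=yes exit=3 comm="bash" exe="/bin/bash"',
    'type=CWD msg=audit(1175789463.102:1002):  cwd="/root"',
    'type=PATH msg=audit(1175789463.102:1002): item=0 name="/etc/hosts" inode=5678 dev=08:01 mode=0100644',
]
# The same six records with the two events interleaved, the situation the bug describes.
BAD_LOG = [GOOD_LOG[0], GOOD_LOG[3], GOOD_LOG[1], GOOD_LOG[4], GOOD_LOG[2], GOOD_LOG[5]]
# Interleaved log followed by a single-record event several seconds later (constructed),
# used to show the aging rule kicking in before end of input.
LATE_LOG = BAD_LOG + [
    'type=SYSCALL msg=audit(1175789470.500:1003): arch=c000003e syscall=39 success=yes exit=4242 comm="python" exe="/usr/bin/python"',
]

EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')

def parse_record(line):
    """Return (timestamp, serial, line), or None for a line that carries no event id."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return float(m.group(1)), int(m.group(2)), line

def event_matches(records, comm):
    """The -c test: does any record of the event carry comm="<comm>"?"""
    return any(' comm="%s"' % comm in r for r in records)

def naive_search(lines, comm):
    """Pre-fix behaviour as the bug describes it: consecutive records are taken to be one
    event, and a change of event id is taken to mean the previous event has ended."""
    found, current, event = [], None, []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec[:2] != current:
            if event and event_matches(event, comm):
                found.append(event)
            current, event = rec[:2], []
        event.append(rec[2])
    if event and event_matches(event, comm):
        found.append(event)
    return found

def serial_of(line):
    rec = parse_record(line)
    return rec[1] if rec else -1

def stable_sort_by_serial(lines):
    """Workaround from comments 5 to 9: a *stable* sort keyed on the serial number makes
    the records of each event adjacent while keeping their original relative order."""
    return sorted(lines, key=serial_of)  # Python's sort is guaranteed stable

def reassemble(lines, max_age=2.0):
    """Model of the comment 13 design: keep one list per in-flight event, and declare an
    event complete (age it out) once a record arrives whose timestamp is more than
    max_age seconds newer. max_age is an assumed threshold, not auparse's real rule."""
    inflight = OrderedDict()  # event id -> list of record lines, in arrival order
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, serial, text = rec
        inflight.setdefault((ts, serial), []).append(text)
        for eid in list(inflight):
            if ts - eid[0] > max_age:
                yield inflight.pop(eid)
    # End of input: everything still in flight is complete.
    for eid in list(inflight):
        yield inflight.pop(eid)

def search(events, comm):
    return [e for e in events if event_matches(e, comm)]

def record_counts(lines, comm="python"):
    """Records returned for -c <comm> by: the naive search, the naive search over the
    sorted log (the workaround), and a search over reassembled events (the fix)."""
    return (
        sum(len(e) for e in naive_search(lines, comm)),
        sum(len(e) for e in naive_search(stable_sort_by_serial(lines), comm)),
        sum(len(e) for e in search(reassemble(lines), comm)),
    )

if __name__ == "__main__":
    print("contiguous log: ", record_counts(GOOD_LOG))  # (3, 3, 3)
    print("interleaved log:", record_counts(BAD_LOG))   # (1, 3, 3)
    print("late event log: ", record_counts(LATE_LOG))  # (2, 4, 4)
```

On the contiguous log all three approaches return the three records of the python event; on the interleaved log the naive search returns only the SYSCALL record, which is exactly what the bug report observed, while both the sorted input and the reassembled events return all three. The sort has to be stable because the records of one event must keep their SYSCALL, CWD, PATH order after grouping, and the aging rule is what lets a reassembler emit completed events without waiting for end of input.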
Comment 17 RHEL Product and Program Management 2008-06-02 16:38:14 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 20 Steve Grubb 2008-11-20 16:36:48 EST
Ausearch has finally been fixed in svn to reassemble audit events. The fix will be released in the audit 1.7.10 package.
Comment 23 Steve Grubb 2009-04-22 17:31:25 EDT
audit-1.7.13-1 was built to solve this problem.
Comment 25 Ronald Pacheco 2009-06-05 14:28:55 EDT
Linda,

Can I ask you the obvious, test and report results here?  Thanks!  

Ron
Comment 26 Linda Knippers 2009-06-05 14:40:10 EDT
Ron, 

Loulwa filed the bugzilla so perhaps you should be asking her?

Is the package with the fix only in rawhide right now?  I don't
have a fedora system to test on at the moment but when I do and if
Loulwa or one of the other contributors to this bug hasn't checked 
it out, I'll give it a try.

-- ljk
Comment 27 Ronald Pacheco 2009-06-05 14:54:57 EDT
Linda,

Apologies for the lack of specificity.  This is slated for the 5.4 alpha.  We would like both IBM and HP to test as we want to ensure that 1) we resolve the reported bug and 2) did not cause regressions in the process.  Thanks in advance for your testing and results. ;-)
Comment 28 Linda Knippers 2009-06-05 15:18:47 EDT
Ok, we'll be looking for the alpha.  I believe that RH is also
running our audit test suite so hopefully that will spot any 
possible regressions.  

-- ljk
Comment 29 Chris Ward 2009-06-14 18:40:39 EDT
HP, IBM, 

Alpha bits are now available. Please test and report back your initial results. Your support here is greatly appreciated.
Comment 30 Chris Ward 2009-06-14 19:13:20 EDT
~~ Attention Partners RHEL 5.4 Partner Alpha Released! ~~

RHEL 5.4 Partner Alpha has been released on partners.redhat.com. There should
be a fix present that addresses this particular request. Please test and report back your results here, at your earliest convenience. Our Public Beta release is just around the corner!

If you encounter any issues, please set the bug back to the ASSIGNED state and
describe the issues you encountered. If you have verified the request functions as expected, please set your Partner ID in the Partner field above to indicate successful test results. Do not flip the bug status to VERIFIED. Further questions can be directed to your Red Hat Partner Manager. Thanks!
Comment 32 Linda Knippers 2009-07-21 17:40:38 EDT
I tested this using Loulwa's original audit logs on the rhel5.4 alpha and it seems to work.  I didn't try generating new, out of order, audit logs but I assume that would work as well.

-- ljk
Comment 34 George C. Wilson 2009-08-05 16:07:24 EDT
Thanks for the testing, Linda! I tried this with RHEL 5.4 Snap 5 on a ppc64 LPAR. The bug appears to be fixed. I think we can finally close it.
Comment 36 Ruediger Landmann 2009-08-31 23:37:11 EDT
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
The user-space audit tools use ausearch to search audit records. Ausearch does not contain logic to handle event-linked lists and previously could not find records if they were out of chronological order. The logic to link these lists together and evaluate whether the list is complete is now available in the auparse library. Ausearch now uses auparse to handle these lists so that it can find records even when they are out of order.
Comment 37 Steve Grubb 2009-09-01 20:51:13 EDT
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,6 +1 @@
-the user-space audit tools use ausearch to search audit records. Ausearch 
+the user-space audit tools ausearch and aureport are used to search audit records. They did not take into account that records of one event could be interlaces with records of another event. The logic for these applications has been corrected to separate events into linked lists and better determine the end of events based on the records of just the event in question. Both ausearch and aureport can now handle events with interlaced records.-does not contain logic to handle event-linked lists and previously, could 
-not find records if they were out of chronological order. The logic to link 
-these lists together and evaluate whether the list is complete is now 
-available in the auparse library. Ausearch now uses auparse to handle these
-lists so that it can find records even when they are out of order.
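Review bot: the `+` line of this hunk runs the removed text onto the end of the added paragraph ("...interlaced records.-does not contain logic to handle event-linked lists..."), so the second removed line has lost its own `-` marker and the hunk no longer matches its `@@ -1,6 +1 @@` header; splitting that line back out would restore it. Within the new text, "could be interlaces with records of another event" should read "could be interlaced with records", consistent with "interlaced records" at the end of the same paragraph.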
Comment 38 errata-xmlrpc 2009-09-02 05:50:15 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1303.html
