Description of problem: When record parts are distributed in the log file (i.e. separated by other records that have a different timestamp/serial number), ausearch does not correctly search through them. The first record part will be found, but not the other record parts.
Version-Release number of selected component (if applicable): audit-1.3.1-3
How reproducible: always
Steps to Reproduce:
1. ausearch -c python -if ausearch-good-audit.log
2. ausearch -c python -if ausearch-bad-audit.log
(the logs are attached in this bugzilla)
Actual results:
1. The first one returns all records.
2. The second one returns only a single record.
Expected results: All records should be returned from both logs.
Created attachment 151770 [details] Log file that provides expected ausearch results
Created attachment 151771 [details] Log file that does not provide expected ausearch results
This is true and that's the current design since RHEL4. The TODO file in the audit package documents that it's scheduled to be fixed sometime around the 1.5.3/4 version in the auparse library, and then ausearch/aureport reworked to use the auparse library. It is targeted for RHEL5.1 delivery.
kweidner will ask the evaluator if this is OK for the LSPP evaluation.
A workaround might be to sort audit trail and pipe to ausearch.
I tried the workaround (sorting on the 2nd field) and it seemed to work.
Removing from LSPP dependency list, but is still scheduled to be fixed in RHEL5.1.
Created attachment 159943 [details] Script to be used until this bug is fixed This is a script that performs a stable sort on audit records by serial number, for use until the bug is fixed.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
----- Additional Comments From aoolatun.com 2007-10-24 10:46 EDT ------- Mr Grubb, I was able to recreate the problem (Steps to Reproduce) on RHEL5.1 on a machine with uname -a: Linux ppc64n-lp1.ltc.austin.ibm.com 2.6.18-45.el5 #1 SMP Tue Sep 4 17:06:15 EDT 2007 ppc64 ppc64 ppc64 GNU/Linux. I also ran the tests as described in the problem description. When I ran the first test: ausearch -c python -if ausearch-good-audit.log, the results I obtained were for 3 types "CWD, AUC_PATH AND SYSCALL". I then ran the second test: ausearch -c python -if ausearch-bad-audit.log. The result I obtained was for only 1 type "SYSCALL". I was hoping you could please point me in the right direction on what next to do to resolve this bug. Thank you. This event sent from IssueTracker by jkachuck issue 118126
What needs to happen is for the problem to be fixed in the auparse library and then ausearch re-written to use auparse. The fix in auparse is to create linked lists of the event linked lists and apply aging rules to them to decide which ones are complete.
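The two approaches discussed in this thread, the stable sort by serial number from the workaround script and the per-event linked lists with an aging rule described in the comment above, as an added Python example that is not the audit project's own code. The log lines are constructed to mimic the interleaved layout of the "bad" attachment, and `age_limit` is an assumed parameter, not the value auparse uses.

```python
import re

# Constructed sample log (not the bug's attachments): the three records of
# event serial 101 are interleaved with those of event 102, which is the
# layout that broke ausearch; event 103 is contiguous and ends with an EOE.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1190000000.100:101): syscall=2 success=yes comm="python" exe="/usr/bin/python"
type=SYSCALL msg=audit(1190000000.101:102): syscall=2 success=yes comm="bash" exe="/bin/bash"
type=CWD msg=audit(1190000000.100:101): cwd="/home/user"
type=CWD msg=audit(1190000000.101:102): cwd="/tmp"
type=PATH msg=audit(1190000000.100:101): item=0 name="/etc/passwd"
type=PATH msg=audit(1190000000.101:102): item=0 name="/tmp/x"
type=SYSCALL msg=audit(1190000000.105:103): syscall=59 success=yes comm="ls" exe="/bin/ls"
type=EOE msg=audit(1190000000.105:103):
"""

MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):")

def event_id(record):
    """(seconds, milliseconds, serial) shared by all records of one event."""
    m = MSG_RE.search(record)
    return tuple(int(x) for x in m.groups()) if m else None

def sort_by_serial(records):
    """Workaround: a stable sort on the event id pulls each event's parts
    together while preserving their relative order (sorted() is stable)."""
    return sorted(records, key=event_id)

def reassemble(records, age_limit=2):
    """Fix design: one list per open event; an event is complete on EOE or
    once the stream is age_limit serials past it (assumed aging rule)."""
    open_events, complete = {}, []
    for rec in records:
        eid = event_id(rec)
        if eid is None:
            continue
        open_events.setdefault(eid, []).append(rec)
        if rec.startswith("type=EOE"):
            complete.append((eid, open_events.pop(eid)))
        for old in [k for k in open_events if k[2] <= eid[2] - age_limit]:
            complete.append((old, open_events.pop(old)))
    complete.extend(sorted(open_events.items()))  # flush what is still open at EOF
    return complete

def search_comm(events, comm):
    """ausearch -c semantics: match comm= on the SYSCALL record, return the whole event."""
    needle = 'comm="%s"' % comm
    return [recs for _, recs in events
            if any(needle in r for r in recs if r.startswith("type=SYSCALL"))]
```

Searching the reassembled events for `python` returns the SYSCALL, CWD and PATH records of event 101 together, which is what the "good" log produced and the "bad" log did not.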
Ausearch has finally been fixed in svn to reassemble audit events. The fix will be released in the audit 1.7.10 package.
audit-1.7.13-1 was built to solve this problem.
Linda, Can I ask you the obvious, test and report results here? Thanks! Ron
Ron, Loulwa filed the bugzilla so perhaps you should be asking her? Is the package with the fix only in rawhide right now? I don't have a fedora system to test on at the moment, but when I do, and if Loulwa or one of the other contributors to this bug hasn't checked it out, I'll give it a try. -- ljk
Linda, Apologies for the lack of specificity. This is slated for the 5.4 alpha. We would like both IBM and HP to test as we want to ensure that 1) we resolve the reported bug and 2) did not cause regressions in the process. Thanks in advance for your testing and results. ;-)
Ok, we'll be looking for the alpha. I believe that RH is also running our audit test suite so hopefully that will spot any possible regressions. -- ljk
HP, IBM, Alpha bits are now available. Please test and report back your initial results. Your support here is greatly appreciated.
~~ Attention Partners RHEL 5.4 Partner Alpha Released! ~~ RHEL 5.4 Partner Alpha has been released on partners.redhat.com. There should be a fix present that addresses this particular request. Please test and report back your results here, at your earliest convenience. Our Public Beta release is just around the corner! If you encounter any issues, please set the bug back to the ASSIGNED state and describe the issues you encountered. If you have verified the request functions as expected, please set your Partner ID in the Partner field above to indicate successful test results. Do not flip the bug status to VERIFIED. Further questions can be directed to your Red Hat Partner Manager. Thanks!
I tested this using Loulwa's original audit logs on the rhel5.4 alpha and it seems to work. I didn't try generating new, out of order, audit logs but I assume that would work as well. -- ljk
Thanks for the testing, Linda! I tried this with RHEL 5.4 Snap 5 on a ppc64 LPAR. The bug appears to be fixed. I think we can finally close it.
Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: the user-space audit tools use ausearch to search audit records. Ausearch does not contain logic to handle event-linked lists and previously could not find records if they were out of chronological order. The logic to link these lists together and evaluate whether the list is complete is now available in the auparse library. Ausearch now uses auparse to handle these lists so that it can find records even when they are out of order.
Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,6 +1 @@ -the user-space audit tools use ausearch to search audit records. Ausearch +the user-space audit tools ausearch and aureport are used to search audit records. They did not take into account that records of one event could be interlaces with records of another event. The logic for these applications has been corrected to separate events into linked lists and better determine the end of events based on the records of just the event in question. Both ausearch and aureport can now handle events with interlaced records.-does not contain logic to handle event-linked lists and previously, could -not find records if they were out of chronological order. The logic to link -these lists together and evaluate whether the list is complete is now -available in the auparse library. Ausearch now uses auparse to handle these -lists so that it can find records even when they are out of order.
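Review bot: "interlaces" in the added `+` line should read "interlaced" (it appears correctly as "interlaced records" at the end of the same line). The replacement text also drops the removed lines' statement that the event-linking logic lives in the auparse library, which earlier comments in this bug give as the actual fix; consider keeping one sentence to that effect so the release note says where the correction was made.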
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1303.html