Description of problem:
segfault in ausearch if you're using -k and a logged watch event doesn't have a key logged, b/c you didn't specify -k in all your watches in audit.rules

Version-Release number of selected component (if applicable):
audit-1.0.15-3.EL4.1

How reproducible:
run ausearch on a log file generated under the specified conditions, using -k

Steps to Reproduce:
1. put, e.g., -w /etc/pam.d/ in audit.rules and reload auditing
2. exercise pam by ssh-logging-in to the machine, say
3. ausearch -k whatever

Actual results:
Program received signal SIGSEGV, Segmentation fault.

Expected results:
no segfault

Additional info:
[Switching to Thread -1208764736 (LWP 5802)]
0x008d8061 in strstr () from /lib/tls/libc.so.6
(gdb) bt
#0  0x008d8061 in strstr () from /lib/tls/libc.so.6
#1  0x0804ede4 in strmatch (needle=0x8b07858 "LOG_", haystack=0x0) at ausearch-match.c:192
#2  0x0804ecf3 in match (l=0xbff611c0) at ausearch-match.c:161
#3  0x0804982c in process_file (filename=0x8b07868 "/root/audit.log") at ausearch.c:169
#4  0x0804950b in main (argc=6, argv=0xbff612f4) at ausearch.c:76
(gdb) up
#1  0x0804ede4 in strmatch (needle=0x8b07858 "LOG_", haystack=0x0) at ausearch-match.c:192
192     if (strstr(haystack, needle) == NULL)
(gdb) up
#2  0x0804ecf3 in match (l=0xbff611c0) at ausearch-match.c:161
161     if (strmatch(
(gdb) list
156     slist_first(sptr);
157     sn=slist_get_cur(sptr);
158     do {
159     if (sn->str == NULL)
160     return 0;
161     if (strmatch(
162     event_key,
163     sn->key)) {
164     found = 1;
165     break;
(gdb) list -
146     return 0;
147     }
148     if (event_key) {
149     if (l->s.filename == NULL)
150     return 0;
151     else {
152     int found = 0;
153     const snode *sn;
154     slist *sptr = l->s.filename;
155
(gdb) print *sn
$10 = {str = 0x8b079f8 "pam.d", key = 0x0, item = 0, hits = 1, next = 0x0}
(gdb) print *l
$11 = {head = 0x8b09bf0, cur = 0x0, cnt = 5, e = {sec = 1196257933, milli = 891, serial = 352237}, s = {pid = 3711, uid = 0, euid = 0, loginuid = 4294967295, gid = 0, egid = 0, success = 1, arch = 1073741827, syscall = 5, hostname = 0x0, filename = 0x8b079e8, cwd = 0x0, exe = 0x0, terminal = 0x0, comm = 0x0, scontext = 0x0, tcontext = 0x0, avc_result = AVC_UNSET, avc_perm = 0x0, avc_class = 0x0, acct = 0x0}}
(gdb)

maybe

161c161 < if (strmatch( --- > if (sn->key && strmatch(

i figure
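
Review bot: the added "sn->key &&" test at line 161 protects only this one call site, while strmatch() still hands its haystack straight to strstr() at ausearch-match.c:192 ("if (strstr(haystack, needle) == NULL)"), so any other caller that passes a NULL haystack would fault the same way. Consider making strmatch() return no-match when haystack is NULL, in addition to or instead of the check here. It is also worth confirming that the do-loop advances to the next node when sn->key is NULL rather than ending the search, since the listing at lines 158-165 does not show the loop's tail.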
Created attachment 271401
a reproducer. run ausearch -k WHATEVER -f on it

sorry. this attachment got dropped
This should be easy to fix. Thanks for the reproducer.
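
The failure mode reported above, as a stand-alone sketch added here for illustration (it is not code from the audit package or from anyone in this thread). The struct fields follow the gdb "print *sn" output with assumed types, and strmatch_safe() and match_key() are hypothetical names:

```c
#include <stdio.h>
#include <string.h>

/* Field names as printed by gdb ("print *sn"); the types are assumed. */
typedef struct snode {
    const char *str;
    const char *key;
    unsigned int item;
    unsigned int hits;
    struct snode *next;
} snode;

/* Hypothetical NULL-safe variant of strmatch(): strstr() on a NULL
 * haystack is undefined behaviour, so a missing key never matches. */
static int strmatch_safe(const char *needle, const char *haystack)
{
    if (needle == NULL || haystack == NULL)
        return 0;
    return strstr(haystack, needle) != NULL;
}

/* Hypothetical helper: returns 1 if any node's key contains event_key.
 * Nodes logged without a key are skipped instead of dereferenced. */
static int match_key(const snode *head, const char *event_key)
{
    const snode *sn;

    for (sn = head; sn != NULL; sn = sn->next) {
        if (sn->str == NULL)
            return 0;               /* same early exit as the listing */
        if (strmatch_safe(event_key, sn->key))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample data: one keyless watch hit, one keyed hit. */
    snode keyed   = { "shadow", "LOG_shadow", 0, 1, NULL };
    snode keyless = { "pam.d", NULL, 0, 1, &keyed };
    snode alone   = { "pam.d", NULL, 0, 1, NULL };

    printf("keyless only:       %d\n", match_key(&alone, "LOG_"));
    printf("keyless then keyed: %d\n", match_key(&keyless, "LOG_"));
    return 0;
}
```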
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
audit-1.0.16-1 was built to solve this problem.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0731.html