+++ This bug was initially created as a clone of Bug #428860 +++

Description of problem:
When aureport is run from a file in /etc/cron.hourly or /etc/cron.daily, it uses standard input for input rather than /var/log/audit/audit.log. It finds no log records on standard input.

Version-Release number of selected component (if applicable):
audit-1.6.2-4.fc8

How reproducible:
every time

Steps to Reproduce:
1. Create a file in /etc/cron.daily or /etc/cron.hourly to run aureport
2. Wait for cron to run the file
3.

Actual results:
No data is seen by aureport

Expected results:
aureport processes the data in /var/log/audit/audit.log

Additional info:
The following check is done in aureport.c:

    if (input_is_pipe())
        rc = process_stdin();
    else if (user_file)
        rc = process_file(user_file);
    else
        rc = process_logs(&config);

When a job is run by cron, standard input is set to a pipe so the pipe is used rather than the files, even if the -if option is given on the aureport command.

-- Additional comment from sgrubb on 2008-01-28 18:04 EST --
I added --input-logs to audit-1.6.7 development code. It should be released within a few weeks.

-- Additional comment from sgrubb on 2008-01-31 18:43 EST --
audit-1.6.7-1 was built into rawhide and F-8 testing. The new option should solve the problem. Thanks for reporting the bug!
Bug still present in audit-1.6.5-3.el5, and no data is seen by aureport.
Did you use --input-logs in the cron file? I checked it like this: run these commands and see if they are different:

    aureport --start today
    ausearch --start recent --raw | aureport --start today
    ausearch --start recent --raw | aureport --start today --input-logs

The first should give full report, the second should give very short report, the last should give full report.
There seems to be a problem not only with aureport but also with ausearch. It reports no matches when run by cron, while when checked by running the script manually it throws tons of records on me. The aureport reports all zeros. I have a cron.hourly script with something like:

    date
    echo "== run1 =="
    aureport --start today
    echo "== run2 =="
    ausearch --start today --raw | aureport --start today
    echo "== run3 =="
    ausearch --start today --raw | aureport --start today --input-logs
    echo "== run4 =="
    ausearch -m AVC -sv no
    echo "== run5 =="
    ausearch --start recent
    echo '== run6 =='
    ausearch --start today

Attaching sample output log.
Created attachment 297173
log of aureport and ausearch output when run by cron
Run number 3 is showing a significant report - so I think it's working fine. Try adding --input-logs to ausearch. ausearch is also capable of being piped which means it looks at stdin to see if it's usable as a data source. I'd try this as a script:

    date
    echo "== run1 =="
    aureport --start today
    echo "== run2 =="
    aureport --start today --input-logs
    echo "== run3 =="
    ausearch --start recent --raw | aureport --start today
    echo "== run4 =="
    ausearch --start recent --raw --input-logs | aureport --start today
    echo "== run5 =="
    ausearch --start recent --raw --input-logs | aureport --start today --input-logs

I would expect the following results if all is working: 1 should be empty, 2 should be full report, 3 should be empty, 4 should be small number of records, 5 should be full report.
I'll add some text to the upstream man pages to help people. Closing as not a bug.
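
The input-source ordering discussed in this thread, as an added C sketch (not code from the audit project): it reproduces the check quoted from aureport.c against a real pipe on a file descriptor, then shows an ordering in which explicit choices win over the stdin heuristic. Assumptions: fd_is_pipe() is a stand-in for input_is_pipe(), force_logs models --input-logs, and the explicit-first ordering is one possible arrangement rather than what audit-1.6.7 actually does.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum source { SRC_STDIN, SRC_FILE, SRC_LOGS };

/* Assumed stand-in for input_is_pipe(): true when fd is a FIFO,
 * which is what the report says cron hands a job as standard input. */
static int fd_is_pipe(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && S_ISFIFO(st.st_mode);
}

/* Order quoted in the report: the pipe test runs first, so under cron
 * it wins even when -if names a file, and the report comes back empty. */
static enum source select_reported(int fd, const char *user_file)
{
    if (fd_is_pipe(fd)) return SRC_STDIN;
    if (user_file)      return SRC_FILE;
    return SRC_LOGS;
}

/* Explicit choices first (-if, then a flag modelling --input-logs);
 * the stdin heuristic only applies when the caller asked for nothing. */
static enum source select_explicit_first(int fd, const char *user_file,
                                         int force_logs)
{
    if (user_file)      return SRC_FILE;
    if (force_logs)     return SRC_LOGS;
    if (fd_is_pipe(fd)) return SRC_STDIN;
    return SRC_LOGS;
}

/* Constructed test input: the read end of an empty pipe. */
static int make_pipe_fd(void)
{
    int p[2];
    if (pipe(p) != 0) return -1;
    close(p[1]);
    return p[0];
}

int main(void)
{
    static const char *name[] = { "stdin", "file", "logs" };
    int fd = make_pipe_fd();
    printf("reported order, -if given:  %s\n", name[select_reported(fd, "audit.log")]);
    printf("explicit first, force logs: %s\n", name[select_explicit_first(fd, NULL, 1)]);
    return 0;
}
```

For a cron job that feeds alerting, the practical check is the same one suggested in the thread: compare the cron output against a manual run, since an all-zero report here means no input was read, not that nothing happened.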