Bug 1353911
Summary: | audisp writes bogus lines to its plugins | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Marius Vollmer <mvollmer> |
Component: | audit | Assignee: | Steve Grubb <sgrubb> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 24 | CC: | omoris, plautrba, sgrubb, stefw |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | audit-2.6.5-1.fc24 audit-2.6.5-1.fc23 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-08-01 13:10:28 UTC | Type: | Bug |
Bug Blocks: | 1352611 |
Description
Marius Vollmer
2016-07-08 11:49:52 UTC
Setting "log_format = ENRICHED" in /etc/auditd.conf seems to fix this.

It should work with both RAW and ENRICHED.

> It should work with both RAW and ENRICHED.

Yes, but it's broken with RAW. Or are you saying that you can't reproduce the bug?

(In reply to Marius Vollmer from comment #3)
> > It should work with both RAW and ENRICHED.
>
> Yes, but it's broken with RAW. Or are you saying that you can't reproduce
> the bug?

No, no, I just wanted to say that it is still a bug even though it works with ENRICHED. I can reproduce it with 2.6.2-3.

(In reply to Ondrej Moriš from comment #4)
> No, no, I just wanted to say that it is still a bug even though it works
> with ENRICHED. I can reproduce it with 2.6.2-3.

Ahh, sorry for not reading carefully enough. Great that you can reproduce it!

This is fixed in upstream commit 1335. I will be doing an audit package release today. This should be in rawhide soon after.

audit-2.6.4-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-939e4bf1ee

audit-2.6.4-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e6aad21df2

This issue was caught by Cockpit integration tests. One can see it occurs here: https://github.com/cockpit-project/cockpit/issues/4678

There is still a problem in audispd. I'll respin the package with a patch when I solve the new problem.

audit-2.6.4-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e92dd01965

audit-2.6.4-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b2a627d294

audit-2.6.4-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e92dd01965

audit-2.6.4-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b2a627d294

audit-2.6.4-2.fc24.x86_64 still generates malformed events with "msg=type=AVC" field when log_format is RAW

audit-2.6.4-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

(In reply to Petr Lautrbach from comment #15)
> audit-2.6.4-2.fc24.x86_64 still generates malformed events with
> "msg=type=AVC" field when log_format is RAW

I can confirm this.

audit-2.6.4-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Please test with audit-2.6.5-1 which is now in Fedora 24 updates-testing.

Any objections to closing this? Setroubleshoot should be working now.

Works for me.

Successfully verified.

```
# rpm -q audit
audit-2.6.5-1.fc24.x86_64
# setenforce 1
# mkdir xxx
# cd xxx
# cp /usr/bin/ls ls
# chcon -t httpd_exec_t ls
# strace -e all -s100 -p $(pgrep audispd) >out 2>&1 &
[1] 2307
# runcon -u system_u -r system_r -t httpd_t -- ./ls /home/
# cat out
strace: Process 2180 attached
futex(0x55e33046b124, FUTEX_WAIT_PRIVATE, 51, NULL) = 0
futex(0x55e33046b160, FUTEX_WAKE_PRIVATE, 1) = 0
sendto(5, "<14>Aug 1 08:54:57 audispd: node=intentionally_deleted type=AVC msg=audit(1470056097.645"..., 300, MSG_NOSIGNAL, NULL, 0) = 300
futex(0x55e33046b124, FUTEX_WAIT_PRIVATE, 53, NULL
```

Thanks for reporting the issue and your patience.
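A plugin that reads records from audispd can reject lines of the kind reported above instead of mis-parsing them. The following is an added example, not code from the audit package or from this bug: the sample lines are constructed, the function names and reason labels are hypothetical, and the only detail taken from the report is the bogus "msg=type=AVC" field.

```python
import re

# Header a plugin expects at the start of every audit record:
#   [node=<host> ]type=<TYPE> msg=audit(<sec>.<msec>:<serial>): <fields>
HEADER = re.compile(
    r"^(?:node=(?P<node>\S+) )?"
    r"type=(?P<type>[A-Z0-9_\[\]]+) "
    r"msg=audit\((?P<sec>\d+)\.(?P<msec>\d+):(?P<serial>\d+)\): ?"
    r"(?P<body>.*)$"
)

def parse_record(line):
    """Return (record, None) for a well-formed line, else (None, reason)."""
    line = line.rstrip("\n")
    m = HEADER.match(line)
    if m:
        rec = m.groupdict()
        rec["sec"], rec["msec"] = int(rec["sec"]), int(rec["msec"])
        rec["serial"] = int(rec["serial"])
        return rec, None
    if "msg=type=" in line:          # shape quoted in the bug report
        return None, "type-nested-in-msg"
    if not line.strip():
        return None, "empty"
    return None, "no-audit-header"

def triage(lines):
    """Split plugin input into parsed records and rejected lines by reason."""
    good, rejected = [], {}
    for line in lines:
        rec, reason = parse_record(line)
        if rec is not None:
            good.append(rec)
        else:
            rejected.setdefault(reason, []).append(line)
    return good, rejected

# Constructed sample input (not captured from a real system).
SAMPLE = [
    'type=AVC msg=audit(1470056097.645:417): avc:  denied  { read } for  pid=2310 comm="ls"',
    "node=host1 type=SYSCALL msg=audit(1470056097.645:417): arch=c000003e syscall=257 success=no",
    'msg=type=AVC msg=audit(1470056097.645:417): avc:  denied  { read } for  pid=2310 comm="ls"',
    "",
]

if __name__ == "__main__":
    good, rejected = triage(SAMPLE)
    print(len(good), "parsed;", {k: len(v) for k, v in rejected.items()})
```

Counting rejected lines per reason, rather than silently dropping them, gives a consumer such as an integration test a direct signal when the dispatcher regresses.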