Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1353911

Summary:	audisp writes bogus lines to its plugins
Product:	[Fedora] Fedora	Reporter:	Marius Vollmer <mvollmer>
Component:	audit	Assignee:	Steve Grubb <sgrubb>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	24	CC:	omoris, plautrba, sgrubb, stefw
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	audit-2.6.5-1.fc24 audit-2.6.5-1.fc23	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-08-01 13:10:28 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1352611

Description Marius Vollmer 2016-07-08 11:49:52 UTC

Description of problem:

audisp writes lines to its plugins that auparse will reject.  This causes sedispatch to miss all alerts.


Version-Release number of selected component (if applicable):
audit-2.6.2-1.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:

Listen to what audispd writes.
# strace -e write -s100 -p $(pgrep audispd)

Create some AVCs
# setenforce 1
# mkdir xxx
# cd xxx
# cp /usr/bin/ls ls
# chcon -t httpd_exec_t ls
# runcon -u system_u -r system_r -t httpd_t -- ./ls  /home/*

Actual results:

write(6, "node=localhost.localdomain type=AVC msg=type=AVC msg=audit(1467977545.048:251): avc:  denied  { read"..., 288) = 288
write(6, "node=localhost.localdomain type=AVC msg=type=AVC msg=audit(1467977545.050:252): avc:  denied  { read"..., 291) = 291

Note the "msg=type=AVC" part.  It looks like "type=AVC msg=" is repeated.

Expected results:

write(6, "node=localhost.localdomain type=AVC msg=audit(1467978365.390:231): avc:  denied  { read } for  pid=1"..., 275) = 275
write(6, "node=localhost.localdomain type=AVC msg=audit(1467978365.392:232): avc:  denied  { read } for  pid=1"..., 277) = 277

This is what I get with audit-2.5.2-1.fc24.x86_64.

Comment 1 Marius Vollmer 2016-07-08 12:35:09 UTC

Setting "log_format = ENRICHED" in /etc/auditd.conf seems to fix this.

Comment 2 Ondrej Moriš 2016-07-08 12:39:48 UTC

It should work with both RAW and ENRICHED.

Comment 3 Marius Vollmer 2016-07-08 12:43:03 UTC

> It should work with both RAW and ENRICHED.

Yes, but it's broken with RAW.  Or are you saying that you can't reproduce the bug?

Comment 4 Ondrej Moriš 2016-07-08 13:04:53 UTC

(In reply to Marius Vollmer from comment #3)
> > It should work with both RAW and ENRICHED.
> 
> Yes, but it's broken with RAW.  Or are you saying that you can't reproduce
> the bug?

No, no, I just wanted to say that it is still a bug even though it works with ENRICHED. I can reproduce it with 2.6.2-3.

Comment 5 Marius Vollmer 2016-07-08 13:08:33 UTC

(In reply to Ondrej Moriš from comment #4)
 
> No, no, I just wanted to say that it is still a bug even though it works
> with ENRICHED. I can reproduce it with 2.6.2-3.

Ahh, sorry for not reading carefully enough.  Great that you can reproduce it!

Comment 6 Steve Grubb 2016-07-08 14:40:11 UTC

This is fixed in upstream commit 1335. I will be doing an audit package release today. This should be in rawhide soon after.

Comment 7 Fedora Update System 2016-07-08 16:45:24 UTC

audit-2.6.4-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-939e4bf1ee

Comment 8 Fedora Update System 2016-07-08 16:45:30 UTC

audit-2.6.4-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e6aad21df2

Comment 9 Stef Walter 2016-07-08 19:15:43 UTC

This issue was caught by Cockpit integration tests. One can see it occurs here: https://github.com/cockpit-project/cockpit/issues/4678

Comment 10 Steve Grubb 2016-07-08 20:02:59 UTC

There is still a problem in audispd. I'll respin the package with a patch when I solve the new problem.

Comment 11 Fedora Update System 2016-07-08 22:23:35 UTC

audit-2.6.4-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e92dd01965

Comment 12 Fedora Update System 2016-07-08 22:23:41 UTC

audit-2.6.4-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b2a627d294

Comment 13 Fedora Update System 2016-07-10 03:52:26 UTC

audit-2.6.4-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e92dd01965

Comment 14 Fedora Update System 2016-07-10 15:57:41 UTC

audit-2.6.4-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b2a627d294

Comment 15 Petr Lautrbach 2016-07-12 06:54:48 UTC

audit-2.6.4-2.fc24.x86_64 still generates malformed events with "msg=type=AVC" field when log_format is RAW

Comment 16 Fedora Update System 2016-07-14 03:53:25 UTC

audit-2.6.4-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Marius Vollmer 2016-07-15 08:00:54 UTC

(In reply to Petr Lautrbach from comment #15)
> audit-2.6.4-2.fc24.x86_64 still generates malformed events with
> "msg=type=AVC" field when log_format is RAW

I can confirm this.

Comment 18 Fedora Update System 2016-07-15 10:23:09 UTC

audit-2.6.4-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Steve Grubb 2016-07-15 13:05:10 UTC

Please test with audit-2.6.5-1 which is now in Fedora 24 updates-testing.

Comment 20 Steve Grubb 2016-08-01 12:19:32 UTC

Any objections to closing this? Setroubleshoot should be working now.

Comment 21 Petr Lautrbach 2016-08-01 12:25:18 UTC

Works for me.

Comment 22 Ondrej Moriš 2016-08-01 12:59:42 UTC

Successfully verified.

# rpm -q audit
audit-2.6.5-1.fc24.x86_64
# setenforce 1
# mkdir xxx
# cd xxx
# cp /usr/bin/ls ls
# chcon -t httpd_exec_t ls
# strace -e all  -s100 -p $(pgrep audispd) >out 2>&1 &
[1] 2307
# runcon -u system_u -r system_r -t httpd_t -- ./ls  /home/
# cat out 
strace: Process 2180 attached
futex(0x55e33046b124, FUTEX_WAIT_PRIVATE, 51, NULL) = 0
futex(0x55e33046b160, FUTEX_WAKE_PRIVATE, 1) = 0
sendto(5, "<14>Aug  1 08:54:57 audispd: node=intentionally_deleted type=AVC msg=audit(1470056097.645"..., 300, MSG_NOSIGNAL, NULL, 0) = 300
futex(0x55e33046b124, FUTEX_WAIT_PRIVATE, 53, NULL

Comment 23 Steve Grubb 2016-08-01 13:10:28 UTC

Thanks for reporting the issue and your patience.