Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1353911 - audisp writes bogus lines to its plugins
Summary: audisp writes bogus lines to its plugins
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: 24
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1352611
TreeView+ depends on / blocked
 
Reported: 2016-07-08 11:49 UTC by Marius Vollmer
Modified: 2016-08-01 13:10 UTC (History)
4 users (show)

Fixed In Version: audit-2.6.5-1.fc24 audit-2.6.5-1.fc23
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-01 13:10:28 UTC


Attachments (Terms of Use)

Description Marius Vollmer 2016-07-08 11:49:52 UTC
Description of problem:

audisp writes lines to its plugins that auparse will reject.  This causes sedispatch to miss all alerts.


Version-Release number of selected component (if applicable):
audit-2.6.2-1.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:

Listen to what audispd writes.
# strace -e write -s100 -p $(pgrep audispd)

Create some AVCs
# setenforce 1
# mkdir xxx
# cd xxx
# cp /usr/bin/ls ls
# chcon -t httpd_exec_t ls
# runcon -u system_u -r system_r -t httpd_t -- ./ls  /home/*

Actual results:

write(6, "node=localhost.localdomain type=AVC msg=type=AVC msg=audit(1467977545.048:251): avc:  denied  { read"..., 288) = 288
write(6, "node=localhost.localdomain type=AVC msg=type=AVC msg=audit(1467977545.050:252): avc:  denied  { read"..., 291) = 291

Note the "msg=type=AVC" part.  It looks like "type=AVC msg=" is repeated.

Expected results:

write(6, "node=localhost.localdomain type=AVC msg=audit(1467978365.390:231): avc:  denied  { read } for  pid=1"..., 275) = 275
write(6, "node=localhost.localdomain type=AVC msg=audit(1467978365.392:232): avc:  denied  { read } for  pid=1"..., 277) = 277

This is what I get with audit-2.5.2-1.fc24.x86_64.

Comment 1 Marius Vollmer 2016-07-08 12:35:09 UTC
Setting "log_format = ENRICHED" in /etc/auditd.conf seems to fix this.

Comment 2 Ondrej Moriš 2016-07-08 12:39:48 UTC
It should work with both RAW and ENRICHED.

Comment 3 Marius Vollmer 2016-07-08 12:43:03 UTC
> It should work with both RAW and ENRICHED.

Yes, but it's broken with RAW.  Or are you saying that you can't reproduce the bug?

Comment 4 Ondrej Moriš 2016-07-08 13:04:53 UTC
(In reply to Marius Vollmer from comment #3)
> > It should work with both RAW and ENRICHED.
> 
> Yes, but it's broken with RAW.  Or are you saying that you can't reproduce
> the bug?

No, no, I just wanted to say that it is still a bug even though it works with ENRICHED. I can reproduce it with 2.6.2-3.

Comment 5 Marius Vollmer 2016-07-08 13:08:33 UTC
(In reply to Ondrej Moriš from comment #4)
 
> No, no, I just wanted to say that it is still a bug even though it works
> with ENRICHED. I can reproduce it with 2.6.2-3.

Ahh, sorry for not reading carefully enough.  Great that you can reproduce it!

Comment 6 Steve Grubb 2016-07-08 14:40:11 UTC
This is fixed in upstream commit 1335. I will be doing an audit package release today. This should be in rawhide soon after.

Comment 7 Fedora Update System 2016-07-08 16:45:24 UTC
audit-2.6.4-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-939e4bf1ee

Comment 8 Fedora Update System 2016-07-08 16:45:30 UTC
audit-2.6.4-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e6aad21df2

Comment 9 Stef Walter 2016-07-08 19:15:43 UTC
This issue was caught by Cockpit integration tests. One can see it occurs here: https://github.com/cockpit-project/cockpit/issues/4678

Comment 10 Steve Grubb 2016-07-08 20:02:59 UTC
There is still a problem in audispd. I'll respin the package with a patch when I solve the new problem.

Comment 11 Fedora Update System 2016-07-08 22:23:35 UTC
audit-2.6.4-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e92dd01965

Comment 12 Fedora Update System 2016-07-08 22:23:41 UTC
audit-2.6.4-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b2a627d294

Comment 13 Fedora Update System 2016-07-10 03:52:26 UTC
audit-2.6.4-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e92dd01965

Comment 14 Fedora Update System 2016-07-10 15:57:41 UTC
audit-2.6.4-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b2a627d294

Comment 15 Petr Lautrbach 2016-07-12 06:54:48 UTC
audit-2.6.4-2.fc24.x86_64 still generates malformed events with "msg=type=AVC" field when log_format is RAW

Comment 16 Fedora Update System 2016-07-14 03:53:25 UTC
audit-2.6.4-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Marius Vollmer 2016-07-15 08:00:54 UTC
(In reply to Petr Lautrbach from comment #15)
> audit-2.6.4-2.fc24.x86_64 still generates malformed events with
> "msg=type=AVC" field when log_format is RAW

I can confirm this.

Comment 18 Fedora Update System 2016-07-15 10:23:09 UTC
audit-2.6.4-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Steve Grubb 2016-07-15 13:05:10 UTC
Please test with audit-2.6.5-1 which is now in Fedora 24 updates-testing.

Comment 20 Steve Grubb 2016-08-01 12:19:32 UTC
Any objections to closing this? Setroubleshoot should be working now.

Comment 21 Petr Lautrbach 2016-08-01 12:25:18 UTC
Works for me.

Comment 22 Ondrej Moriš 2016-08-01 12:59:42 UTC
Successfully verified.

# rpm -q audit
audit-2.6.5-1.fc24.x86_64
# setenforce 1
# mkdir xxx
# cd xxx
# cp /usr/bin/ls ls
# chcon -t httpd_exec_t ls
# strace -e all  -s100 -p $(pgrep audispd) >out 2>&1 &
[1] 2307
# runcon -u system_u -r system_r -t httpd_t -- ./ls  /home/
# cat out 
strace: Process 2180 attached
futex(0x55e33046b124, FUTEX_WAIT_PRIVATE, 51, NULL) = 0
futex(0x55e33046b160, FUTEX_WAKE_PRIVATE, 1) = 0
sendto(5, "<14>Aug  1 08:54:57 audispd: node=intentionally_deleted type=AVC msg=audit(1470056097.645"..., 300, MSG_NOSIGNAL, NULL, 0) = 300
futex(0x55e33046b124, FUTEX_WAIT_PRIVATE, 53, NULL

Comment 23 Steve Grubb 2016-08-01 13:10:28 UTC
Thanks for reporting the issue and your patience.


Note You need to log in before you can comment on or make changes to this bug.