Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 156571 - ausearch fails to list kernel events
Summary: ausearch fails to list kernel events
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Steve Grubb
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2005-05-01 22:54 UTC by Ziga Mahkovec
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-05-07 17:15:51 UTC

Attachments (Terms of Use)

Description Ziga Mahkovec 2005-05-01 22:54:30 UTC
Description of problem:
ausearch never seems to return any kernel events.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. Set up a simple audit rule:

# auditctl -a exit,always -S open
AUDIT_LIST: exit always syscall=open
No rules

2. Make sure events get logged:

# grep KERNEL /var/log/audit/audit.log | tail -n1
type=KERNEL msg=audit(1114986240.704:11406107): syscall=5 exit=3 a0=bf879c56
a1=8000 a2=0 a3=8000 items=1 pid=13174 loginuid=-1 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 comm=grep exe=/bin/grep

3. Try to query the logs:

# ausearch -m KERNEL

Actual results:
ausearch returns no results.

Expected results:
All KERNEL type events should be listed.

Additional info:
Looking at the source code (src/ausearch-match.c:117) it seems that ausearch
expects a "success=" field in the log entries; however, there is no such field
in my logs.
I also reproduced this with upstream latest audit-0.7.2-1.

Comment 1 Steve Grubb 2005-05-02 10:51:21 UTC
The audit system depends on a complete kernel implementation. There are 5 or 6
kernel patches that are going to be added before FC4 is released. This is why it
doesn't work at the moment. Sorry for any inconvenience.

Comment 2 Ziga Mahkovec 2005-05-07 14:36:15 UTC
kernel-2.6.11-1.1287_FC4 contains some audit patches, including the 'success'
field in logs.  ausearch will now correctly list kernel events.

Comment 3 Steve Grubb 2005-05-07 17:15:51 UTC
Thanks for the feedback. I will be releasing 0.7.4 to rawhide in the next few
days that takes care of some more ausearch bugs. I'll consider this problem
fixed. Thanks for the report.

Note You need to log in before you can comment on or make changes to this bug.