Bug
Resolution: Not a Bug
rhel-10.1, rhel-9.7
Moderate
rhel-security-special-projects
What were you trying to do that didn't work?
When executing ausearch through a pipe, the command always returns "<no matches>", even though events should be returned, as shown in the example below:
# ausearch -ts boot | head -2
----
time->Fri Feb 27 14:30:23 2026
# echo | ausearch -ts boot
This is likely because ausearch then considers that the log is to be read on stdin, but this is not always true.
In particular, when running ausearch from a cron, stdin is then a pipe as well, as shown in the strace excerpt below, but we don't expect it to be the audit log:
# crontab -l
* * * * * /usr/sbin/ausearch -ts boot
Result:
84932 [unconfined_t] 14:38:01.397218 execve("/usr/sbin/ausearch" [bin_t], ["/usr/sbin/ausearch", "-ts", "boot"], ["SHELL=/bin/sh", "PWD=/root", "LOGNAME=root", "XDG_SESSION_TYPE=unspecified", "HOME=/root", "LANG=en_US.UTF-8", "XDG_SESSION_CLASS=background", "USER=root", "SHLVL=0", "XDG_SESSION_ID=9", "XDG_RUNTIME_DIR=/run/user/0", "PATH=/usr/bin:/bin", "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/0/bus", "_=/usr/sbin/ausearch"]) = 0 <0.000180>
:
84932 [unconfined_t] 14:38:01.409022 read(0<pipe:[93277]> [crond_t], "", 4096) = 0 <0.000006>
84932 [unconfined_t] 14:38:01.409046 close(0<pipe:[93277]> [crond_t]) = 0 <0.000009>
84932 [unconfined_t] 14:38:01.409073 write(2<pipe:[93278]> [crond_t], "<no matches>\n", 13) = 13 <0.000013>
84932 [unconfined_t] 14:38:01.409146 exit_group(1 <unfinished ...>
84932 [unconfined_t] 14:38:01.409161 <... exit_group resumed>) = ?
84932 [unconfined_t] 14:38:01.409519 +++ exited with 1 +++
What is the impact of this issue to you?
Executing ausearch from a cron or a script executed through cron shows unexpected output ("no matches").
Please provide the package NVR for which the bug is seen:
audit-3.1.5-7.el9
audit-4.0.3-4.el10
How reproducible is this bug?
Always
Steps to reproduce
- Set up a cron reading the audit log
# crontab -e
* * * * * /usr/sbin/ausearch -ts boot > /tmp/ausearch.out
Expected results
Empty file after execution.
Actual results
Expected content parsing /var/log/audit/audit.log*.
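Added example, not part of the original report and not code from the audit project: a small shell helper for cron jobs that shows what kind of file stdin is and runs ausearch with `--input-logs`, the option ausearch(8) documents for use from cron, so the search reads the log location from auditd.conf instead of the inherited pipe. The function names `stdin_kind` and `cron_ausearch` and the `AUSEARCH` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the audit package).

# stdin_kind: print what file descriptor 0 currently is.
#   pipe  - a FIFO, which is what cron and "cmd | ausearch" hand to the process
#   tty   - an interactive terminal
#   other - a regular file, /dev/null, a closed descriptor, ...
stdin_kind() {
    if [ -p /dev/stdin ]; then
        echo pipe
    elif [ -t 0 ]; then
        echo tty
    else
        echo other
    fi
}

# cron_ausearch: run ausearch so that it never depends on inherited stdin.
# --input-logs tells ausearch to use the log location from auditd.conf.
# AUSEARCH may be overridden (assumption of this example) to point at another
# binary or a test stub.
cron_ausearch() {
    kind=$(stdin_kind)
    if [ "$kind" = pipe ]; then
        # Diagnostic only: this is the situation described in the report.
        echo "cron_ausearch: stdin is a pipe, forcing --input-logs" >&2
    fi
    # Detach stdin as well so nothing downstream can block on the pipe.
    "${AUSEARCH:-/usr/sbin/ausearch}" --input-logs "$@" </dev/null
}

# When invoked as a script with arguments, behave as the wrapper, e.g. from a
# crontab entry (path below is a placeholder):
#   * * * * * /path/to/this-script -ts boot > /tmp/ausearch.out
if [ "$#" -gt 0 ]; then
    cron_ausearch "$@"
fi
```

ausearch still exits with status 1 when a search has no matching events, so a cron job should not treat that status alone as a failure of the wrapper.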