Bug
Resolution: Unresolved
rhel-8.10, rhel-9.6, rhel-10.0
audit-4.0.3-1.el10
Moderate
rhel-sst-security-special-projects
ssg_security
Red Hat Enterprise Linux
Bug Fix
Proposed
What were you trying to do that didn't work?
ausearch fails to find the following event when using a filter matching all its fields; whenever some fields are removed from the filter, the event is reported correctly:
# cat sample.log
type=DAEMON_END msg=audit(1709723032.140:753): op=terminate auid=0 uid=0 ses=8 pid=107086 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success
This event was found on an s390x installation of RHEL-8.10 and hence it should hopefully be valid.
Please provide the package NVR for which bug is seen:
audit-3.1.2-1.el8.
How reproducible:
100%
Steps to reproduce
- Create sample log
# echo 'type=DAEMON_END msg=audit(1709723032.140:753): op=terminate auid=0 uid=0 ses=8 pid=107086 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success' >sample.log
- Search for this event using the following filter:
# ausearch -if sample.log -a 753 -m DAEMON_END -ul 0 -ui 0 --session 8 -p 107086
<no matches>
Expected results
# ausearch -if sample.log -a 753 -m DAEMON_END -ul 0 -ui 0 --session 8 -p 107086
----
time->Wed Mar 6 06:03:52 2024
type=DAEMON_END msg=audit(1709723032.140:753): op=terminate auid=0 uid=0 ses=8 pid=107086 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success
Actual results
# ausearch -if sample.log -a 753 -m DAEMON_END -ul 0 -ui 0 --session 8 -p 107086
<no matches>
Additional Information
When you leave out some filter parameters, the event is found; when you add them back but remove some others, then the event can also be found.
# ausearch -if sample.log -a 753 -m DAEMON_END -ul 0 -ui 0 --session 8 -p 107086
<no matches>
# ausearch -if sample.log -a 753 -m DAEMON_END -ul 0 -ui 0 --session 8
----
time->Wed Mar 6 06:03:52 2024
type=DAEMON_END msg=audit(1709723032.140:753): op=terminate auid=0 uid=0 ses=8 pid=107086 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success
# ausearch -if sample.log -a 753 -m DAEMON_END -ul 0 -ui 0 -p 107086
<no matches>
# ausearch -if sample.log -a 753 -m DAEMON_END -ul 0 -p 107086
----
time->Wed Mar 6 06:03:52 2024
type=DAEMON_END msg=audit(1709723032.140:753): op=terminate auid=0 uid=0 ses=8 pid=107086 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success
[root@vm-10-0-185-114 ~]# ausearch -if sample.log -a 753 -m DAEMON_END -ul 0 --session 8 -p 107086
<no matches>
# ausearch -if sample.log -a 753 -ul 0 -ui 0 --session 8 -p 107086
<no matches>
# ausearch -if sample.log -ul 0 -ui 0 --session 8 -p 107086
<no matches>
# ausearch -if sample.log -ui 0 --session 8 -p 107086
<no matches>
# ausearch -if sample.log -ui 0 -p 107086
<no matches>
# ausearch -if sample.log -p 107086
----
time->Wed Mar 6 06:03:52 2024
type=DAEMON_END msg=audit(1709723032.140:753): op=terminate auid=0 uid=0 ses=8 pid=107086 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success
# ausearch -if sample.log -ui 0
----
time->Wed Mar 6 06:03:52 2024
type=DAEMON_END msg=audit(1709723032.140:753): op=terminate auid=0 uid=0 ses=8 pid=107086 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success
Links to: RHBA-2024:142993 audit bug fix and enhancement update
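A reference matcher for cross-checking the expected result, added here as an example and not part of the original report or of the audit project's code: it parses the sample record and applies the same six criteria with plain field equality, ANDed together. The option-to-field mapping follows ausearch(8); the function names and the whitespace tokenizer (adequate for this record, not for quoted values containing spaces) are assumptions.

```python
import re

# The record from the report, reproduced as sample input.
SAMPLE = ("type=DAEMON_END msg=audit(1709723032.140:753): op=terminate auid=0 uid=0 "
          "ses=8 pid=107086 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
          "res=success")

HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\(\d+\.\d+:(?P<serial>\d+)\):\s*(?P<body>.*)$")

# ausearch option -> record field it is compared against (per ausearch(8)).
OPTION_FIELD = {"-a": "serial", "-m": "type", "-ul": "auid",
                "-ui": "uid", "--session": "ses", "-p": "pid"}

# The full filter from the reproduction steps.
FULL_FILTER = {"-a": 753, "-m": "DAEMON_END", "-ul": 0,
               "-ui": 0, "--session": 8, "-p": 107086}


def parse_record(line):
    """Split one raw audit record into a dict of its fields."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an audit record")
    fields = {"type": m["type"], "serial": m["serial"]}
    for token in m["body"].split():
        key, sep, value = token.partition("=")
        if sep:
            fields.setdefault(key, value.strip('"'))  # first occurrence wins
    return fields


def mismatches(fields, criteria):
    """Return the options whose value is missing from or differs in the record."""
    return [opt for opt, want in criteria.items()
            if fields.get(OPTION_FIELD[opt]) != str(want)]


def search(lines, criteria):
    """Return the records that satisfy every criterion (logical AND)."""
    hits = []
    for line in lines:
        try:
            if not mismatches(parse_record(line), criteria):
                hits.append(line)
        except ValueError:
            continue  # skip lines that are not audit records
    return hits


if __name__ == "__main__":
    print("mismatching options:", mismatches(parse_record(SAMPLE), FULL_FILTER))
    print("matches:", search([SAMPLE], FULL_FILTER))
```

Run against the sample record, the full filter yields no mismatching option, so a `<no matches>` result from ausearch for the same criteria is not explained by the record's contents.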