RHEL-5200

ausearch prints a misleading error message when using "--input <file>"

    • Bug
    • Resolution: Unresolved
    • Minor
    • rhel-10.0
    • rhel-9.2.0
    • audit
    • rhel-sst-security-special-projects
    • ssg_security

      This bug was initially created as a copy of Bug #2231088

      I am copying this bug because:

      Also happens on RHEL9 (audit-3.0.7-103.el9.x86_64)

      Description of problem:

      When processing a file using "ausearch --input <file>" as non-root user, the following gets printed:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      $ ausearch --input /tmp/audit.log --just-one
      Error opening config file (Permission denied)
      NOTE - using built-in logs: /var/log/audit/audit.log


      time->Wed Aug 9 13:55:01 2023
      type=USER_ACCT msg=audit(1691582101.695:13926): pid=341128 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_sss,pam_permit acct="rmetrich" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      Internally strace shows ausearch tries to open /etc/audit/auditd.conf, but of course that's not possible.
      Still the file gets processed properly, the message is just annoying and misleading.

      Version-Release number of selected component (if applicable):

      audit-3.1.1-1.fc38.x86_64

      How reproducible:

      Always, just open an audit log with proper permissions as a user

              scorreia@redhat.com Sergio Correia
              rhn-support-rmetrich Renaud Métrich
              Sergio Correia
              SSG Security QE
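
A workaround sketch for the behaviour described above, added here as an example and not part of the report or of the audit package: a POSIX shell wrapper that drops only the two spurious lines from stderr when the config file is unreadable. The names `ausearch_input`, `filter_spurious` and `CONF` are hypothetical, and it assumes the lines match the ones quoted in the report exactly.

```shell
#!/bin/sh
# Added example, not part of the audit package.
# Assumption: the spurious lines are byte-for-byte the two quoted in the report.

CONF=/etc/audit/auditd.conf   # file the report says ausearch tries to open

# Remove only the two known-spurious lines from the stream on stdin;
# any other diagnostic passes through unchanged.
filter_spurious() {
    grep -v -x -F \
        -e 'Error opening config file (Permission denied)' \
        -e 'NOTE - using built-in logs: /var/log/audit/audit.log' \
        || true   # grep exits 1 when every line was dropped; not an error
}

# ausearch_input FILE [ausearch options...]
# stdout is untouched, stderr is filtered only when CONF is unreadable,
# and the return status is ausearch's own.
ausearch_input() {
    _ai_file=$1
    shift
    if [ ! -r "$_ai_file" ]; then
        echo "ausearch_input: cannot read $_ai_file" >&2
        return 2
    fi
    if [ -r "$CONF" ]; then
        # Config is readable, so the Permission denied message cannot occur.
        ausearch --input "$_ai_file" "$@"
        return
    fi
    # fd 3 carries ausearch's stdout past the filter; fd 4 carries its
    # exit status out of the pipeline (plain POSIX sh has no PIPESTATUS).
    {
        _ai_rc=$( {
            {
                _ai_s=0
                ausearch --input "$_ai_file" "$@" 2>&1 1>&3 || _ai_s=$?
                echo "$_ai_s" >&4
            } | filter_spurious >&2
        } 4>&1 )
    } 3>&1
    return "$_ai_rc"
}
```

Because only exact matches of the two lines are removed, a genuine failure to open the `--input` file or any other diagnostic still reaches stderr.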