
1.11.  audit

1.11.1.  RHBA-2009:0475: bug fix and enhancement update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:0475.
Updated audit packages that fix a bug and add an enhancement are now available.
The audit packages contain user-space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel.
These updated audit packages fix the following bug:
  • ausearch was unable to interpret TTY audit records. TTY records are specially encoded, and ausearch could not decode them, so they were displayed in their encoded form. These updated packages enable ausearch to decode TTY records correctly, thus resolving the issue. (BZ#497518)
In addition, these updated audit packages provide the following enhancement:
  • The aureport program was enhanced with a '--tty' report option. This is a new report, recently added to audit, that aids in the review of TTY audit events. (BZ#497518)
Users are advised to upgrade to these updated audit packages, which resolve this issue and add this enhancement.

1.11.2.  RHBA-2009:0443: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:0443.
Updated audit packages that resolve several issues are now available.
The audit packages contain user-space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel.
These updated packages fix the following bugs in the auditd daemon and one of its utilities:
  • when the log_format parameter was set to "NOLOG" in the auditd.conf configuration file, audit events queued in the internal message queue were not cleared after being written to the dispatchers. The internal message queue therefore grew over time, causing a memory leak in auditd. With these updated packages the audit events in the internal message queue are properly cleared after being written, thus plugging the memory leak.
  • certain audit rules failed parser checks even though they were specified correctly, which prevented those rules from being loaded into the kernel. With this update, all correctly-specified audit rules pass parser checks and can be loaded into the kernel, thus resolving the problem.
All users of audit are advised to upgrade to these updated packages, which resolve these issues.

1.11.3. RHEA-2009:1303: enhancement

Updated audit packages, which include TTY audit and remote log aggregation updates among other enhancements, are now available.
The audit packages contain user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel.
These updated packages upgrade the auditd daemon and its utilities to the newer upstream version 1.7.13 (BZ#483608), which provides the following enhancements and bug fixes over the previous version:
  • the user-space audit tools use ausearch to search audit records. Ausearch did not contain logic to handle event-linked lists (the set of records that together make up one event) and therefore could not find records if they were out of chronological order. The logic to link these lists together and to evaluate whether a list is complete is now available in the auparse library. Ausearch now uses auparse to handle these lists, so it can find records even when they are out of order. (BZ#235898)
  • the manual page for ausyscall did not document use of the "--exact" option. A description of "--exact" is now included. (BZ#471383)
  • due to a logic error, the "local_port = any" option for the audisp-remote plugin did not work as described in the manual page. When executed with this option, the plugin would display the error "Value any should only be numbers" and terminate. With the error corrected, the plugin works as documented. (BZ#474466)
  • previously, audisp would read not only its configuration file (in /etc/audisp/plugins.d/) but also any files with names similar to its configuration file found in the same directory, for example, backups of the configuration file. As a result, if a plugin were listed in more than one such file, it would be activated multiple times. audisp now reads only its configuration file and therefore avoids activating multiple copies of plugins. (BZ#476189)
  • previously, TTY audit results were reported in ausearch in their raw hexadecimal form. This format was not easily readable by humans, so ausearch now converts the hexadecimal strings and presents them as their corresponding keystrokes. Note that the "--tty" option has now been added to aureport to provide a convenient way of accessing the TTY audit report. (BZ#483086)
  • previously, when setting the output log format to "NOLOG", audit events would be added to the internal message queue but not removed from the queue when written to the dispatchers. The queue would therefore grow to consume available memory. Audit events are now removed from the internal queue to avoid this memory leak. (BZ#487237)
  • due to a logic error, auditctl was not correctly parsing options that included non-numeric characters. For example, the "-F a0!=-1" option would result in an error saying "-F value should be number for a0!=-1". With the error corrected, auditctl parses this rule correctly. (BZ#497542)
Other issues corrected in the rebase include:
  • remote logging is a technology preview item and as such had some bugs; the robustness of this facility was improved.
  • on busy systems, PAM had problems communicating with the audit system, which resulted in a timeout and in users being denied access to the system. The audit code now retries the check for the event acknowledgement (ACK) a few times before giving up.
  • on biarch systems, a warning is now emitted if an audit rule does not cover both the 64-bit and the 32-bit syscall of the same name.
  • a regression in which the msgtype field could not be used with a range of types was fixed.
  • a new aulast program helps analyse login session information.
  • if log rotation fails, auditd now leaves the old log writable.
  • a tcp_wrappers configuration option was added to auditd for remote logging.
  • negative UIDs in audit rules on 32-bit systems resulted in the wrong UID being used and therefore in incorrect event logging; this has been fixed.
Users of audit are advised to upgrade to these updated packages, which add these enhancements and bug fixes.
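The following is an added example, not code from the audit project or from Red Hat, written to illustrate two of the behaviours described in these notes: linking the records of one audit event by the serial number in msg=audit(TIMESTAMP:SERIAL) even when the records arrive out of chronological order (BZ#235898), and decoding the hex-encoded data= field of TTY records into readable keystrokes (BZ#483086, BZ#497518). The sample log lines are constructed, the completeness rule is a deliberate simplification of what auparse does, and the rendering of control characters is modelled loosely on ausearch's interpreted output rather than claimed to match it exactly.

```python
"""Added example (not code from the audit package): a minimal ausearch-like
reader that links records into events by serial number, regardless of the
order in which they appear, and decodes TTY keystroke data."""
import re

# Header shared by every audit record: type=T msg=audit(ts:serial): body
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs in the body; quoted values may contain spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample (not a real capture). The records of event 44 are
# interleaved with other events, and a later-timestamped record (TTY 45)
# appears before the rest of event 44. Event 46 is truncated: no PATH, no EOE.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1243514327.105:44): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2200 pid=2201 auid=500 uid=0 tty=pts0 comm="ls" exe="/bin/ls" key="exec"
type=TTY msg=audit(1243514327.099:43): tty pts0 uid=0 auid=500 major=136 minor=0 comm="bash" data=6C73202D6C0D
type=PATH msg=audit(1243514327.105:44): item=0 name="/bin/ls" inode=393 dev=fd:00 mode=0100755 ouid=0 ogid=0
type=TTY msg=audit(1243514327.200:45): tty pts0 uid=0 auid=500 major=136 minor=0 comm="bash" data=03
type=EXECVE msg=audit(1243514327.105:44): argc=2 a0="ls" a1="-l"
type=PATH msg=audit(1243514327.105:44): item=1 name=(null) inode=1 dev=fd:00 mode=0100755 ouid=0 ogid=0
type=EOE msg=audit(1243514327.105:44):
type=SYSCALL msg=audit(1243514327.300:46): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2200 pid=2203 auid=500 uid=0 tty=pts0 comm="cat" exe="/bin/cat" key="read"
"""

# Names for control bytes; modelled on ausearch's interpreted output but not
# claimed to be identical to it.
CTRL_NAMES = {0x09: '<tab>', 0x0a: '<nl>', 0x0d: '<cr>', 0x1b: '<esc>', 0x7f: '<del>'}


def decode_tty_data(hexstr):
    """Turn the hex-encoded data= field of a TTY record into readable text.
    Printable ASCII is kept; control bytes become <nl>, <cr>, <^C>-style
    tokens; bytes outside ASCII are left as <XX> hex."""
    out = []
    for b in bytes.fromhex(hexstr):
        if 0x20 <= b < 0x7f:
            out.append(chr(b))
        elif b in CTRL_NAMES:
            out.append(CTRL_NAMES[b])
        elif b < 0x20:
            out.append('<^%c>' % (b + 0x40))
        else:
            out.append('<%02X>' % b)
    return ''.join(out)


class Event:
    """All records sharing one serial number, in the order they arrived."""

    def __init__(self, ts, serial):
        self.ts = float(ts)
        self.serial = int(serial)
        self.records = []      # list of (type, {field: value})
        self.has_eoe = False   # end-of-event marker seen

    def types(self):
        return [t for t, _ in self.records]

    def is_complete(self):
        """Simplified completeness rule (an assumption of this example, not
        auparse's exact logic): a record without a SYSCALL is a single-record
        event; a syscall event needs its EOE marker and as many PATH records
        as its items= field announces."""
        types = self.types()
        if 'SYSCALL' not in types:
            return True
        syscall = next(f for t, f in self.records if t == 'SYSCALL')
        return self.has_eoe and types.count('PATH') == int(syscall.get('items', 0))


def parse_record(line):
    """Split one raw audit line into (type, ts, serial, fields) or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    return m.group('type'), m.group('ts'), m.group('serial'), fields


def link_events(lines):
    """Group records into events by serial number. Records may arrive in any
    order (the case ausearch previously mishandled); events are returned
    sorted by (timestamp, serial)."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events.setdefault(int(serial), Event(ts, serial))
        if rtype == 'EOE':
            ev.has_eoe = True
        else:
            ev.records.append((rtype, fields))
    return sorted(events.values(), key=lambda e: (e.ts, e.serial))


def tty_keystrokes(events):
    """Return (serial, comm, decoded keystrokes) for every TTY record."""
    out = []
    for ev in events:
        for rtype, f in ev.records:
            if rtype == 'TTY':
                out.append((ev.serial, f.get('comm', '?'), decode_tty_data(f['data'])))
    return out


if __name__ == '__main__':
    evs = link_events(SAMPLE_LOG.splitlines())
    for ev in evs:
        print('event %d @%.3f complete=%s types=%s'
              % (ev.serial, ev.ts, ev.is_complete(), ','.join(ev.types())))
    for serial, comm, keys in tty_keystrokes(evs):
        print('TTY serial=%d comm=%s keys=%s' % (serial, comm, keys))
```

Run against the constructed log, event 44 is reassembled from its four scattered records and reported complete, event 46 is reported incomplete because its PATH record and EOE marker never arrived, and the two TTY records decode to "ls -l<cr>" and "<^C>". A real deployment would read /var/log/audit/audit.log instead of SAMPLE_LOG; the rest of the logic is unchanged.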

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.