Re: Newer versions of audit missing information?
On Monday, February 28, 2022 12:29:54 PM EST Mark Gardner wrote:
> Notice no information on what file was copied / removed?
>
> Even the earlier log entries don't show what file was copied / removed.

This might be related to record formats changing.

> If I downgrade to audit 3.0-0.17, everything is there.
>
> Is there another way to monitor a directory so we know which files were
> modified / removed?

Well, you can always do

ausearch -k test --raw | aureport -f

I'll take a look and see if I can spot what has changed and how this could be fixed.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
Newer versions of audit missing information?
I have set up a watch on specific directories for changes so we can report to our auditors about deployments being done by the proper staff members. So for example -w /root/test -p ra -k test. If I copied / removed a file in that directory, I would get audit results similar to the following:

[root@localhost test]# ausearch -k test --format text -ts recent
At 14:10:55 02/28/2022 root successfully opened-file /root/test/./hosts using /usr/bin/cp
At 14:11:37 02/28/2022 root successfully deleted /root/test/hosts using /usr/bin/rm

This worked fine in CentOS 7 and CentOS 8 (not stream). Testing with CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 also worked until I updated the audit package.

[root@localhost test]# dnf list installed audit
Installed Packages
audit.x86_64    3.0-0.17.20191104git1c2f876.el8    @anaconda
[root@localhost test]# ausearch -k test --format text -ts recent
At 14:10:55 02/28/2022 root successfully opened-file /root/test/./hosts using /usr/bin/cp
At 14:11:37 02/28/2022 root successfully deleted /root/test/hosts using /usr/bin/rm
[root@localhost test]# dnf list audit
CentOS Stream 8 - AppStream    7.7 MB/s | 20 MB    00:02
CentOS Stream 8 - BaseOS       9.5 MB/s | 19 MB    00:02
CentOS Stream 8 - Extras        52 kB/s | 18 kB    00:00
Installed Packages
audit.x86_64    3.0-0.17.20191104git1c2f876.el8    @anaconda
Available Packages
audit.x86_64    3.0.7-1.el8                         baseos

After Upgrade:

[root@localhost test]# auditctl -l
No rules
[root@localhost test]# auditctl -w /root/test -p wa -k test
[root@localhost test]# cp /etc/hosts .
[root@localhost test]# rm hosts
rm: remove regular file 'hosts'? y
[root@localhost test]# ausearch -k test --format text -ts recent
At 14:10:55 02/28/2022 root successfully opened-file using /usr/bin/cp
At 14:11:37 02/28/2022 root successfully deleted using /usr/bin/rm
At 14:13:16 02/28/2022 system, acting as root, successfully remove_rule test using /usr/sbin/auditctl
At 14:14:11 02/28/2022 root successfully add_rule test using /usr/sbin/auditctl
At 14:14:23 02/28/2022 root successfully opened-file using /usr/bin/cp
At 14:14:30 02/28/2022 root successfully deleted using /usr/bin/rm
[root@localhost test]#

Notice no information on what file was copied / removed?

Even the earlier log entries don't show what file was copied / removed.

If I downgrade to audit 3.0-0.17, everything is there.

Is there another way to monitor a directory so we know which files were modified / removed?
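The reply above points back at the raw records (ausearch --raw piped into aureport -f). The reason that works is that the name of the file an event touched is carried in the event's PATH records, independent of how the text formatter renders the event. The following is an added example, not code from this thread or from the audit project: a small parser over raw ausearch output that joins the SYSCALL, CWD and PATH records of each event by their audit(ts:serial) id, resolves relative names against the recorded cwd, decodes the bare-hex form audit uses for names containing unsafe characters, and reports the files behind a given rule key. The sample records are constructed to follow the audit record layout (inode, device, pid and timestamp values are made up), and the function names (files_for_key, group_events, decode_name) are the example's own.

```python
"""Recover the file names behind watch-rule hits from raw audit records.

Example code added to this thread, not code from the audit project. The
sample records below are constructed to match the audit record layout;
inode, device, pid and timestamp values are made up.
"""
import os
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of `ausearch -k test --raw` output: a cp and an rm under
# `-w /root/test -p wa -k test`, a cp of a file whose name contains a space
# (audit prints such names as bare hex), and one event under a different key
# that a key filter must leave out.
RAW_RECORDS = """\
type=SYSCALL msg=audit(1646075455.101:201): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd1 a2=80241 a3=1a4 items=2 ppid=1200 pid=1234 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cp" exe="/usr/bin/cp" key="test"
type=CWD msg=audit(1646075455.101:201): cwd="/root/test"
type=PATH msg=audit(1646075455.101:201): item=0 name="/root/test/" inode=1001 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1646075455.101:201): item=1 name="/root/test/./hosts" inode=1002 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1646075497.202:202): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d0 a2=0 a3=0 items=2 ppid=1200 pid=1240 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/usr/bin/rm" key="test"
type=CWD msg=audit(1646075497.202:202): cwd="/root/test"
type=PATH msg=audit(1646075497.202:202): item=0 name="/root/test/" inode=1001 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1646075497.202:202): item=1 name="hosts" inode=1002 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1646075520.303:203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2 a2=80241 a3=1a4 items=2 ppid=1200 pid=1250 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cp" exe="/usr/bin/cp" key="test"
type=CWD msg=audit(1646075520.303:203): cwd="/root/test"
type=PATH msg=audit(1646075520.303:203): item=0 name="/root/test/" inode=1001 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1646075520.303:203): item=1 name=6E6577207265706F7274 inode=1003 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1646075530.404:204): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3 a2=0 a3=0 items=1 ppid=1200 pid=1260 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="other"
type=CWD msg=audit(1646075530.404:204): cwd="/"
type=PATH msg=audit(1646075530.404:204): item=0 name="/etc/passwd" inode=2001 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
ACTION_BY_NAMETYPE = {"CREATE": "created", "DELETE": "deleted", "NORMAL": "accessed"}


def unquote(value):
    """Strip the double quotes audit puts around string fields."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def decode_name(value):
    """Decode a name=/cwd= field: quoted text, '(null)', or bare hex for unsafe names."""
    if value == "(null)":
        return None
    if value.startswith('"'):
        return unquote(value)
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value


def parse_record(line):
    """Split one raw record into (type, timestamp, serial, {field: raw value})."""
    match = HEADER_RE.match(line.strip())
    if not match:
        return None
    rtype, ts, serial, body = match.groups()
    return rtype, float(ts), int(serial), dict(FIELD_RE.findall(body))


def group_events(raw_text):
    """Join the SYSCALL, CWD and PATH records that share an audit(ts:serial) id."""
    events = defaultdict(lambda: {"paths": [], "cwd": None})
    for line in raw_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        event = events[(ts, serial)]
        event["time"] = ts
        if rtype == "SYSCALL":
            event["exe"] = unquote(fields.get("exe", ""))
            event["key"] = unquote(fields.get("key", ""))
            event["success"] = fields.get("success") == "yes"
        elif rtype == "CWD":
            event["cwd"] = decode_name(fields.get("cwd", ""))
        elif rtype == "PATH":
            nametype = fields.get("nametype", "")
            if nametype == "PARENT":
                continue  # the watched directory itself, not the file acted on
            name = decode_name(fields.get("name", ""))
            if name is not None:
                event["paths"].append((name, ACTION_BY_NAMETYPE.get(nametype, nametype.lower())))
    return events


def files_for_key(raw_text, key):
    """Return the files touched by events carrying the given rule key, oldest first."""
    rows = []
    for event in sorted(group_events(raw_text).values(), key=lambda e: e["time"]):
        if event.get("key") != key:
            continue
        cwd = event["cwd"] or "/"
        for name, action in event["paths"]:
            full = name if name.startswith("/") else os.path.join(cwd, name)
            rows.append({"time": event["time"], "exe": event.get("exe"),
                         "success": event.get("success", False),
                         "action": action, "path": os.path.normpath(full)})
    return rows


if __name__ == "__main__":
    for row in files_for_key(RAW_RECORDS, "test"):
        when = datetime.fromtimestamp(row["time"]).strftime("%H:%M:%S %m/%d/%Y")
        outcome = "successfully" if row["success"] else "unsuccessfully"
        print(f"At {when} {outcome} {row['action']} {row['path']} using {row['exe']}")
```

Run against a live system by replacing RAW_RECORDS with the output of `ausearch -k test --raw`. The PARENT record is skipped on purpose: for a watch on a directory it names the directory itself, while the CREATE, DELETE or NORMAL record names the file the process actually acted on, which is what an auditor wants to see.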
Re: audit user space build problems
Hello,

On Monday, February 21, 2022 4:50:22 PM EST Steve Grubb wrote:
> Recently, distributions moved to building against gcc-12 for their latest
> OS composes. It's been found in at least 2 distributions that the user
> space package is failing to build. It's natural to think this is related
> to gcc-12 since it's the obvious change.
>
> However, the problem is a combination of 2 things:
>
> 1) SWIG is making buggy code
> 2) The kernel changed to using flexible array members
>
> The issue specifically is with struct audit_rules_data. At the bottom, it
> was using buf[0]; But on 5.17, it uses buf[]; It turns out that gcc-12
> is just a coincidence and anything using gcc-12 also has the newest
> kernel.
>
> The options are:
> 1) Report this as a SWIG bug and wait
> 2) Rewrite the libaudit python bindings to not use SWIG
> 3) Ask for buf[0]; to be reinstated in the kernel.
>
> Of these, I think option 2 is the only viable long term option. It will
> take some time to write new python bindings that preserve the SWIG api.
>
> A short term fix might be for distros to copy the kernel header into the
> lib directory and patch it to restore buf[0];, then change libaudit.c to
> include "audit.h" instead of . There may be other
> approaches.

An update on this topic...I have worked around this on rawhide. The temporary fix is kind of ugly and I also have no idea how long this temporary fix will be needed. Rewriting the python bindings will be a big task.

Anyways...the first patch can be found here:
https://src.fedoraproject.org/rpms/audit/blob/rawhide/f/audit-3.0.8-flex-array-workaround.patch

Prior to applying the patch, I do this in the %prep part of the spec file:

cp /usr/include/linux/audit.h lib/

then the patch applies cleanly. The only problem is that if you leave it this way, then you wind up with other packages not building because they can't find audit.h. (See bz 2057735 for example)

The fix for this is after the audit scripts do the install to the buildroot, you need to undo the change in libaudit.h. That patch can be found here:
https://src.fedoraproject.org/rpms/audit/blob/rawhide/f/audit-3.0.8-undo-flex-array.patch

After that, rpm grabs all the files and everything works as intended. As I said before, this is an ugly fix...but it works for now.

Hope this helps with packaging...

-Steve