Issued: 2009-09-02
Updated: 2009-09-02
RHEA-2009:1303 - Product Enhancement Advisory
Synopsis
audit enhancement update
Type/Severity
Product Enhancement Advisory
Topic
Updated audit packages, which include TTY audit and remote log aggregation
updates among other enhancements, are now available.
Description
The audit packages contain user space utilities for storing and searching
the audit records generated by the audit subsystem in the Linux 2.6 kernel.
These updated packages upgrade the auditd daemon and its utilities to the
newer upstream version 1.7.13 (BZ#483608), which provides the following
enhancements and bug fixes over the previous version:
- the user-space audit tools use ausearch to search audit records. ausearch
itself does not contain logic to handle event-linked lists and, previously,
could not find records if they were out of chronological order. The logic to
link these lists together and evaluate whether a list is complete is now
available in the auparse library. ausearch now uses auparse to handle these
lists so that it can find records even when they are out of order.
(BZ#235398)
- the manual page for ausyscall did not document use of the "--exact" option.
A description of "--exact" is now included. (BZ#471383)
- due to a logic error, the "local_port = any" option for the audisp-remote
plugin did not work as described in the manual page. When executed with this
option, the plugin would display the error "Value any should only be numbers"
and terminate. With the error corrected, the plugin works as documented.
(BZ#474466)
- previously, audisp would read not only its configuration file (in
/etc/audisp/plugins.d/) but any files with names similar to its configuration
file found in the same directory, for example, backups of the configuration
file. As a result, if a plugin were listed in more than one configuration
file, it would be activated multiple times. audisp now reads only its
configuration file and therefore avoids activating multiple copies of plugins.
(BZ#476189)
- previously, TTY audit results were reported in ausearch in their raw
hexadecimal form. This format was not easily readable by humans, so
ausearch now converts the hexadecimal strings and presents them as their
corresponding keystrokes. Note that the "--tty" option has now been added
to aureport to provide a convenient way of accessing the TTY audit report.
(BZ#483086)
- previously, when setting the output log format to "NOLOG", audit events
would be added to the internal message queue but not removed from the queue
when written to the dispatchers. The queue would therefore grow to consume
available memory. Audit events are now removed from the internal queue to
avoid this memory leak. (BZ#487237)
- due to a logic error, auditctl was not correctly parsing options that
included non-numeric characters. For example, the "-F a0!=-1" option would
result in an error saying "-F value should be number for a0!=-1". With the
error corrected, auditctl parses this rule correctly. (BZ#497542)
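The TTY audit item above (BZ#483086) describes converting the raw hexadecimal data of TTY records into keystrokes. The following is an added example, not code from the audit project: it decodes the data= field of constructed sample records, and the key labels, function names and sample values are this example's own assumptions rather than ausearch's output format.

```python
import re

# Constructed sample records (not from a real system); keystrokes are
# hex-encoded in the data= field of each TTY record.
SAMPLE_LINES = [
    'type=TTY msg=audit(1251900000.123:456): tty pid=2631 uid=0 auid=500 '
    'major=136 minor=1 comm="bash" data=6C73202D6C0D',
    'type=SYSCALL msg=audit(1251900001.000:457): arch=c000003e syscall=2 '
    'success=yes exit=3 pid=2700 auid=500 uid=0 comm="cat"',
    'type=TTY msg=audit(1251900002.500:458): tty pid=2631 uid=0 auid=500 '
    'major=136 minor=1 comm="bash" data=6C7A7F7375202D03',
    'type=TTY msg=audit(1251900003.000:459): tty pid=2631 uid=0 auid=500 '
    'major=136 minor=1 comm="bash" data=6C7',  # truncated: odd-length hex
]

TTY_RE = re.compile(r'^type=TTY msg=audit\(\d+\.\d+:(\d+)\):.*?\bauid=(\d+)'
                    r'.*?\bcomm="?([^" ]+)"?.*?\bdata=(\S+)')
# Labels for common keys; this notation is the example's own, not ausearch's.
NAMED = {0x0D: "<ret>", 0x0A: "<nl>", 0x09: "<tab>", 0x1B: "<esc>",
         0x7F: "<backspace>"}

def decode_keystrokes(hex_data):
    """Turn the hex string from data= into readable keystrokes."""
    out = []
    for b in bytes.fromhex(hex_data):      # ValueError on malformed hex
        if b in NAMED:
            out.append(NAMED[b])
        elif b < 0x20:
            out.append("<^%s>" % chr(b + 0x40))   # 0x03 -> <^C>
        elif b < 0x7F:
            out.append(chr(b))
        else:
            out.append("<0x%02X>" % b)     # non-ASCII byte, shown raw
    return "".join(out)

def parse_tty_records(lines):
    """Return one dict per TTY record; other record types are skipped."""
    records = []
    for line in lines:
        m = TTY_RE.match(line)
        if not m:
            continue
        serial, auid, comm, data = m.groups()
        try:
            keys = decode_keystrokes(data)
        except ValueError:
            keys = None                    # keep the record, flag bad data
        records.append({"serial": int(serial), "auid": int(auid),
                        "comm": comm, "keys": keys})
    return records
```

Keeping a record whose data cannot be decoded, instead of dropping it, preserves the event serial so the gap stays visible during review.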
Other issues corrected in the rebase include:
- remote logging is a technology preview item and as such had some bugs.
Robustness of this facility was improved.
- on busy systems, pam had problems communicating with the audit
system, which resulted in a timeout and being denied access to the system.
We now loop a few times when checking for the event ACK.
- On biarch systems, a warning is emitted if audit rules don't cover both 64
& 32 bit syscalls of the same name.
- Fix regression where msgtype couldn't be used for a range of types.
- New aulast program helps analyse login session information.
- If log rotation fails, auditd now leaves the old log writable.
- A tcp_wrappers config option was added to auditd for remote logging.
- Fix problem where negative uids in audit rules on 32 bit systems resulted
in the wrong uid and therefore incorrect event logging.
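The biarch warning listed above concerns rule sets that audit a syscall name for only one of the 32-bit and 64-bit ABIs. The following is an added example, not auditctl's own check: it lints constructed rule text for such gaps, with hypothetical function names, and it assumes a rule with no "-F arch=" field should be reported as covering neither ABI explicitly.

```python
import shlex

# Constructed rule file content (not from a real system).
SAMPLE_RULES = """\
# file deletion
-a exit,always -F arch=b64 -S unlink -S rename -k delete
-a exit,always -F arch=b32 -S unlink -k delete
-a exit,always -F arch=b64 -F a0!=-1 -S chmod -k perm
-a exit,always -F arch=b32 -S chmod -k perm
-a exit,always -S open -k opens
-w /etc/passwd -p wa -k identity
"""

def syscall_arch_coverage(rules_text):
    """Map each syscall name to the set of arch values its rules declare."""
    coverage = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("-a"):
            continue                      # comments, watches, blank lines
        tokens = shlex.split(line)
        arch, syscalls = "unspecified", []
        # Walk option/value pairs; only -F arch= and -S matter here.
        for opt, val in zip(tokens, tokens[1:]):
            if opt == "-F" and val.startswith("arch="):
                arch = val.split("=", 1)[1]
            elif opt == "-S":
                syscalls.append(val)
        for name in syscalls:
            coverage.setdefault(name, set()).add(arch)
    return coverage

def biarch_gaps(rules_text):
    """Return {syscall: missing_arches} for names not covered on both ABIs."""
    gaps = {}
    for name, arches in syscall_arch_coverage(rules_text).items():
        # Assumption: "unspecified" counts toward neither b32 nor b64.
        missing = {"b32", "b64"} - arches
        if missing:
            gaps[name] = sorted(missing)
    return gaps

if __name__ == "__main__":
    for name, missing in sorted(biarch_gaps(SAMPLE_RULES).items()):
        print("%s: no rule for %s" % (name, ", ".join(missing)))
```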
Users of audit are advised to upgrade to these updated packages, which add
these enhancements and bug fixes.
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
Affected Products
- Red Hat Enterprise Linux Server 5 x86_64
- Red Hat Enterprise Linux Server 5 ia64
- Red Hat Enterprise Linux Server 5 i386
- Red Hat Enterprise Linux Workstation 5 x86_64
- Red Hat Enterprise Linux Workstation 5 i386
- Red Hat Enterprise Linux Desktop 5 x86_64
- Red Hat Enterprise Linux Desktop 5 i386
- Red Hat Enterprise Linux for IBM z Systems 5 s390x
- Red Hat Enterprise Linux for Power, big endian 5 ppc
- Red Hat Enterprise Linux Server from RHUI 5 x86_64
- Red Hat Enterprise Linux Server from RHUI 5 i386
Fixes
- BZ - 235398 - LSPP: ausearch does not correctly find out of order records
- BZ - 471383 - Missing description of option '--exact' in manual page for ausyscall
- BZ - 476189 - audispd activates the same plugin several times
- BZ - 483086 - RFE: fix tty audit reporting
- BZ - 483608 - audit updates for 5.4
- BZ - 497542 - auditctl parsing error for arg0-3 fields
CVEs
(none)
References
(none)
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.