Enhancement Advisory audit enhancement update

Advisory: RHEA-2009:1303-1
Type: Product Enhancement Advisory
Severity: N/A
Issued on: 2009-09-02
Last updated on: 2009-09-02
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Details

Updated audit packages, which include TTY audit and remote log aggregation
updates among other enhancements, are now available.

The audit packages contain user space utilities for storing and searching
the audit records generated by the audit subsystem in the Linux 2.6 kernel.

These updated packages upgrade the auditd daemon and its utilities to the
newer upstream version 1.7.13 (BZ#483608), which provides the following
enhancements and bug fixes over the previous version:

* the user-space audit tools use ausearch to search audit records. Ausearch
does not contain logic to handle event-linked lists and previously could
not find records if they were out of chronological order. The logic to link
these lists together and evaluate whether the list is complete is now
available in the auparse library. Ausearch now uses auparse to handle these
lists so that it can find records even when they are out of order.
(BZ#235398)

* the manual page for ausyscall did not document use of the "--exact" option.
A description of "--exact" is now included. (BZ#471383)

* due to a logic error, the "local_port = any" option for the audisp-remote
plugin did not work as described in the manual page. When executed with this
option, the plugin would display the error "Value any should only be numbers"
and terminate. With the error corrected, the plugin works as documented.
(BZ#474466)

* previously, audisp would read not only its configuration file (in
/etc/audisp/plugins.d/) but any files with names similar to its configuration
file found in the same directory, for example, backups of the configuration
file. As a result, if a plugin were listed in more than one configuration
file, it would be activated multiple times. audisp now reads only its
configuration file and therefore avoids activating multiple copies of plugins.
(BZ#476189)

* previously, TTY audit results were reported in ausearch in their raw
hexadecimal form. This format was not easily readable by humans, so
ausearch now converts the hexadecimal strings and presents them as their
corresponding keystrokes. Note that the "--tty" option has now been added
to aureport to provide a convenient way of accessing the TTY audit report.
(BZ#483086)

* previously, when setting the output log format to "NOLOG", audit events
would be added to the internal message queue but not removed from the queue
when written to the dispatchers. The queue would therefore grow to consume
available memory. Audit events are now removed from the internal queue to
avoid this memory leak. (BZ#487237)

* due to a logic error, auditctl was not correctly parsing options that
included non-numeric characters. For example, the "-F a0!=-1" option would
result in an error saying "-F value should be number for a0!=-1". With the
error corrected, auditctl parses this rule correctly. (BZ#497542)
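
The TTY audit change above (BZ#483086) is easier to follow with a record in hand. The following is an added example, not code from the audit packages: it decodes the hexadecimal data field of a constructed type=TTY record into readable keystrokes. The names used for non-printable keys are this example's own choice and may differ from what ausearch prints.

```python
import re

# Constructed sample in the audit log TTY record layout (not from a real host).
SAMPLE = ('type=TTY msg=audit(1251878400.123:4242): tty pid=2901 uid=0 auid=500 '
          'major=136 minor=1 comm="bash" data=6C73202D6C787F610D')

HEADER_RE = re.compile(r'^type=TTY msg=audit\((\d+)\.(\d+):(\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Display names chosen for this example (assumption, not ausearch's table).
NAMED = {0x09: "<tab>", 0x0A: "<nl>", 0x0D: "<ret>", 0x1B: "<esc>", 0x7F: "<del>"}


def decode_keystrokes(hex_data):
    """Turn the hex 'data' field into text, spelling out non-printable keys."""
    out = []
    for byte in bytes.fromhex(hex_data):      # raises ValueError on bad hex
        if byte in NAMED:
            out.append(NAMED[byte])
        elif byte < 0x20:                     # other control keys, caret form
            out.append("<^%s>" % chr(byte + 0x40))
        elif byte < 0x7F:                     # printable ASCII
            out.append(chr(byte))
        else:                                 # non-ASCII byte: keep it visible
            out.append("<0x%02x>" % byte)
    return "".join(out)


def parse_tty_record(line):
    """Return time, serial, auid, comm and decoded keys; None for other lines."""
    header = HEADER_RE.match(line.strip())
    if header is None:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "data" not in fields:
        return None
    return {
        "time": int(header.group(1)),
        "serial": int(header.group(3)),
        "auid": int(fields["auid"]) if "auid" in fields else None,
        "comm": fields.get("comm", "").strip('"'),
        "keys": decode_keystrokes(fields["data"]),
    }


if __name__ == "__main__":
    print(parse_tty_record(SAMPLE))
```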

Other issues corrected in the rebase include:

* remote logging is a technology preview item and as such had some bugs.
Robustness of this facility was improved.

* on busy systems, pam had problems communicating with the audit
system, which resulted in a timeout and in access to the system being denied.
We now loop a few times when checking for the event ACK.

* On biarch systems, a warning is emitted if audit rules don't cover both the
64-bit and 32-bit syscalls of the same name.

* Fix regression where msgtype couldn't be used for a range of types.

* New aulast program helps analyse login session information.

* If log rotation fails, auditd now leaves the old log writable.

* A tcp_wrappers config option was added to auditd for remote logging.

* Fix problem where negative uids in audit rules on 32 bit systems resulted
in the wrong uid and therefore incorrect event logging.
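
The biarch warning above can also be checked before rules are loaded. The following is an added example, not part of auditctl: it reads audit.rules text and reports syscall names that are not covered under both arch=b32 and arch=b64. The sample rules and key names are constructed, and rules are compared by syscall name only, ignoring other filters.

```python
import shlex

# Constructed audit.rules content for illustration (not from the advisory).
SAMPLE_RULES = """\
# time changes: covered for both ABIs
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change
# fchmod is only watched through the 64-bit entry point
-a always,exit -F arch=b64 -S chmod -S fchmod -k perm-mod
-a always,exit -F arch=b32 -S chmod -k perm-mod
-w /etc/passwd -p wa -k identity
"""

ABIS = {"b32", "b64"}


def syscall_arch_coverage(rules_text):
    """Map each syscall name to the set of arch values its rules name."""
    coverage = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        arch, syscalls = "unspecified", []
        # Walk option/value pairs; only -S and "-F arch=" matter here.
        for opt, val in zip(tokens, tokens[1:]):
            if opt == "-S":
                syscalls.extend(val.split(","))   # tolerate comma lists
            elif opt == "-F" and val.startswith("arch="):
                arch = val.split("=", 1)[1]
        for name in syscalls:
            coverage.setdefault(name, set()).add(arch)
    return coverage


def missing_arch(rules_text):
    """Return {syscall: [ABIs with no rule]} for incompletely covered names."""
    gaps = {}
    for name, archs in syscall_arch_coverage(rules_text).items():
        missing = ABIS - archs
        if missing:
            gaps[name] = sorted(missing)
    return gaps


if __name__ == "__main__":
    print(missing_arch(SAMPLE_RULES))
```

A flagged name is not always a gap, because some syscalls exist under only one ABI; a rule with no arch field at all is reported as missing both.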

Users of audit are advised to upgrade to these updated packages, which add
these enhancements and bug fixes.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
audit-1.7.13-2.el5.src.rpm
File outdated by:  RHBA-2012:0265
 
IA-32:
audit-libs-devel-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
 
x86_64:
audit-libs-devel-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
audit-libs-devel-1.7.13-2.el5.x86_64.rpm
File outdated by:  RHBA-2012:0265
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
audit-1.7.13-2.el5.src.rpm
File outdated by:  RHBA-2012:0265
 
IA-32:
audispd-plugins-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
audit-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
audit-libs-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
audit-libs-devel-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
audit-libs-python-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
system-config-audit-0.4.8-9.el5.i386.rpm
File outdated by:  RHBA-2012:0265
 
IA-64:
audispd-plugins-1.7.13-2.el5.ia64.rpm
File outdated by:  RHBA-2012:0265
audit-1.7.13-2.el5.ia64.rpm
File outdated by:  RHBA-2012:0265
audit-libs-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
audit-libs-1.7.13-2.el5.ia64.rpm
File outdated by:  RHBA-2012:0265
audit-libs-devel-1.7.13-2.el5.ia64.rpm
File outdated by:  RHBA-2012:0265
audit-libs-python-1.7.13-2.el5.ia64.rpm
File outdated by:  RHBA-2012:0265
system-config-audit-0.4.8-9.el5.ia64.rpm
File outdated by:  RHBA-2012:0265
 
PPC:
audispd-plugins-1.7.13-2.el5.ppc.rpm
File outdated by:  RHBA-2012:0265
audit-1.7.13-2.el5.ppc.rpm
File outdated by:  RHBA-2012:0265
audit-libs-1.7.13-2.el5.ppc.rpm
File outdated by:  RHBA-2012:0265
audit-libs-1.7.13-2.el5.ppc64.rpm
File outdated by:  RHBA-2012:0265
audit-libs-devel-1.7.13-2.el5.ppc.rpm
File outdated by:  RHBA-2012:0265
audit-libs-devel-1.7.13-2.el5.ppc64.rpm
File outdated by:  RHBA-2012:0265
audit-libs-python-1.7.13-2.el5.ppc.rpm
File outdated by:  RHBA-2012:0265
system-config-audit-0.4.8-9.el5.ppc.rpm
File outdated by:  RHBA-2012:0265
 
s390x:
audispd-plugins-1.7.13-2.el5.s390x.rpm
File outdated by:  RHBA-2012:0265
audit-1.7.13-2.el5.s390x.rpm
File outdated by:  RHBA-2012:0265
audit-libs-1.7.13-2.el5.s390.rpm
File outdated by:  RHBA-2012:0265
audit-libs-1.7.13-2.el5.s390x.rpm
File outdated by:  RHBA-2012:0265
audit-libs-devel-1.7.13-2.el5.s390.rpm
File outdated by:  RHBA-2012:0265
audit-libs-devel-1.7.13-2.el5.s390x.rpm
File outdated by:  RHBA-2012:0265
audit-libs-python-1.7.13-2.el5.s390x.rpm
File outdated by:  RHBA-2012:0265
system-config-audit-0.4.8-9.el5.s390x.rpm
File outdated by:  RHBA-2012:0265
 
x86_64:
audispd-plugins-1.7.13-2.el5.x86_64.rpm
File outdated by:  RHBA-2012:0265
audit-1.7.13-2.el5.x86_64.rpm
File outdated by:  RHBA-2012:0265
audit-libs-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
audit-libs-1.7.13-2.el5.x86_64.rpm
File outdated by:  RHBA-2012:0265
audit-libs-devel-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
audit-libs-devel-1.7.13-2.el5.x86_64.rpm
File outdated by:  RHBA-2012:0265
audit-libs-python-1.7.13-2.el5.x86_64.rpm
File outdated by:  RHBA-2012:0265
system-config-audit-0.4.8-9.el5.x86_64.rpm
File outdated by:  RHBA-2012:0265
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
audit-1.7.13-2.el5.src.rpm
File outdated by:  RHBA-2012:0265
 
IA-32:
audispd-plugins-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
audit-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
audit-libs-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
audit-libs-python-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
system-config-audit-0.4.8-9.el5.i386.rpm
File outdated by:  RHBA-2012:0265
 
x86_64:
audispd-plugins-1.7.13-2.el5.x86_64.rpm
File outdated by:  RHBA-2012:0265
audit-1.7.13-2.el5.x86_64.rpm
File outdated by:  RHBA-2012:0265
audit-libs-1.7.13-2.el5.i386.rpm
File outdated by:  RHBA-2012:0265
audit-libs-1.7.13-2.el5.x86_64.rpm
File outdated by:  RHBA-2012:0265
audit-libs-python-1.7.13-2.el5.x86_64.rpm
File outdated by:  RHBA-2012:0265
system-config-audit-0.4.8-9.el5.x86_64.rpm
File outdated by:  RHBA-2012:0265
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

235398 - LSPP: ausearch does not correctly find out of order records
471383 - Missing description of option '--exact' in manual page for ausyscall
476189 - audispd activates the same plugin several times
483086 - RFE: fix tty audit reporting
483608 - audit updates for 5.4
497542 - auditctl parsing error for arg0-3 fields



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/