* New bug in Audit
From: Ariel Silver @ 2023-01-05 9:46 UTC
To: linux-audit

I found the following bug:

OS version = Red Hat Enterprise Linux release 8.6 (Ootpa)
Kernel version = 4.18.0-425.3.1.el8.x86_64
auditctl version = 3.0.7

Scenario 1:
When I load the configurations :
*auditctl -a always,exit -S all -F dir=/ -F perm=w -F success=1*
And run the command: *cp /tmp/1 /tmp/2*
No new log is created in: /var/log/audit/audit.log
But the file is indeed copied.

Scenario 2:
When I load the configurations :
*auditctl -a always,exit -S all -F dir=/ -F perm=w -F success=0*
And run the command: *cp /tmp/1 /tmp/2*
No new log is created in: /var/log/audit/audit.log
But the file is indeed copied.

Scenario 3:
When I load the configurations :
*auditctl -a always,exit -S all -F dir=/ -F perm=w*
And run the command: *cp /tmp/1 /tmp/2*
Yes new log is created in: /var/log/audit/audit.log
File was indeed copied.

Conclusion:
Only when I don't use the -F success new logs are created.
Why is that? Any alternative ?

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

* Re: New bug in Audit
From: Paul Moore @ 2023-01-05 15:41 UTC
To: Ariel Silver; +Cc: linux-audit

On Thu, Jan 5, 2023 at 8:38 AM Ariel Silver <arielsilver77@gmail.com> wrote:
> I found the following bug:
>
> OS version = Red Hat Enterprise Linux release 8.6 (Ootpa)
> Kernel version = 4.18.0-425.3.1.el8.x86_64
> auditctl version = 3.0.7

This mailing list is focused on the development and support of
upstream Linux Kernels and Steve's audit userspace, we don't really
provide support for paid distributions. If you are seeing problems
with the upstream Linux Kernel or tools, please report them here, but
issues with distribution kernels and/or tools should be sent to the
distribution for support/assistance.

I believe you should be able to submit a bug report against Red Hat
Enterprise Linux using the Red Hat bugzilla instance at the URL below:

* https://bugzilla.redhat.com

--
paul-moore.com

* Re: New bug in Audit
From: Steve Grubb @ 2023-01-05 16:31 UTC
To: Ariel Silver, linux-audit; +Cc: linux-audit

On Thursday, January 5, 2023 10:41:49 AM EST Paul Moore wrote:
> On Thu, Jan 5, 2023 at 8:38 AM Ariel Silver <arielsilver77@gmail.com> wrote:
> > I found the following bug:
> >
> > OS version = Red Hat Enterprise Linux release 8.6 (Ootpa)
> > Kernel version = 4.18.0-425.3.1.el8.x86_64
> > auditctl version = 3.0.7
>
> This mailing list is focused on the development and support of
> upstream Linux Kernels and Steve's audit userspace, we don't really
> provide support for paid distributions. If you are seeing problems
> with the upstream Linux Kernel or tools, please report them here, but
> issues with distribution kernels and/or tools should be sent to the
> distribution for support/assistance.

Paul, we take bug reports and help requests from anyone. Often, distributions
are how we first hear of problems.

> I believe you should be able to submit a bug report against Red Hat
> Enterprise Linux using the Red Hat bugzilla instance at the URL below:

I believe this is fixed by this commit:

https://github.com/linux-audit/audit-kernel/commit/1b2263a807ca651f94517b1b22dc5f13e494984d

-Steve

* Re: New bug in Audit
From: Paul Moore @ 2023-01-05 19:32 UTC
To: Steve Grubb; +Cc: linux-audit, Ariel Silver

On Thu, Jan 5, 2023 at 11:32 AM Steve Grubb <sgrubb@redhat.com> wrote:
> On Thursday, January 5, 2023 10:41:49 AM EST Paul Moore wrote:
> > On Thu, Jan 5, 2023 at 8:38 AM Ariel Silver <arielsilver77@gmail.com> wrote:
> > > I found the following bug:
> > >
> > > OS version = Red Hat Enterprise Linux release 8.6 (Ootpa)
> > > Kernel version = 4.18.0-425.3.1.el8.x86_64
> > > auditctl version = 3.0.7
> >
> > This mailing list is focused on the development and support of
> > upstream Linux Kernels and Steve's audit userspace, we don't really
> > provide support for paid distributions. If you are seeing problems
> > with the upstream Linux Kernel or tools, please report them here, but
> > issues with distribution kernels and/or tools should be sent to the
> > distribution for support/assistance.
>
> Paul, we take bug reports and help requests from anyone. Often, distributions
> are how we first hear of problems.

Steve, re-read what I wrote.

This mailing list is *focused* on upstream work and support, and while
it does not preclude talking about distro specific bugs, I believe
there are better avenues for those discussions (e.g. see the RHBZ link
I provided in my response) as upstream isn't really going to be able
to provide adequate help for someone experiencing problems with a
distro kernel which has a number of patches and backports.

If you have a problem with this approach, perhaps we should move
upstream development to an audit mailing list on vger.kernel.org and
leave this list for RH specific issues?

--
paul-moore.com

* Re: New bug in Audit
From: Paul Moore @ 2023-01-06 20:33 UTC
To: Steve Grubb; +Cc: linux-audit, Ariel Silver

On Thu, Jan 5, 2023 at 2:32 PM Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Jan 5, 2023 at 11:32 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > On Thursday, January 5, 2023 10:41:49 AM EST Paul Moore wrote:
> > > On Thu, Jan 5, 2023 at 8:38 AM Ariel Silver <arielsilver77@gmail.com> wrote:
> > > > I found the following bug:
> > > >
> > > > OS version = Red Hat Enterprise Linux release 8.6 (Ootpa)
> > > > Kernel version = 4.18.0-425.3.1.el8.x86_64
> > > > auditctl version = 3.0.7
> > >
> > > This mailing list is focused on the development and support of
> > > upstream Linux Kernels and Steve's audit userspace, we don't really
> > > provide support for paid distributions. If you are seeing problems
> > > with the upstream Linux Kernel or tools, please report them here, but
> > > issues with distribution kernels and/or tools should be sent to the
> > > distribution for support/assistance.
> >
> > Paul, we take bug reports and help requests from anyone. Often, distributions
> > are how we first hear of problems.
>
> Steve, re-read what I wrote.
>
> This mailing list is *focused* on upstream work and support, and while
> it does not preclude talking about distro specific bugs, I believe
> there are better avenues for those discussions (e.g. see the RHBZ link
> I provided in my response) as upstream isn't really going to be able
> to provide adequate help for someone experiencing problems with a
> distro kernel which has a number of patches and backports.
>
> If you have a problem with this approach, perhaps we should move
> upstream development to an audit mailing list on vger.kernel.org and
> leave this list for RH specific issues?

Steve, I realize it's only been ~24hrs, but should I assume you are
okay with that (the upstream focused approach)?

--
paul-moore.com

* Re: New bug in Audit
From: Ariel Silver @ 2023-01-09 8:30 UTC
To: Paul Moore; +Cc: linux-audit

Hey guys and thank you for the quick reply, Much appreciated!

As Richard and Steve mentioned the commit: https://github.com/linux-audit/audit-kernel/commit/1b2263a807ca651f94517b1b22dc5f13e494984d
Fixed this issue.

Any timeframe to when we can get a new version of auditd with that fix?
Or should I count on redhat to release an update to the kernel ?

Any update will be good.

Once again thanks a lot!

On Fri, Jan 6, 2023 at 22:33, Paul Moore <paul@paul-moore.com> wrote:

> On Thu, Jan 5, 2023 at 2:32 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Thu, Jan 5, 2023 at 11:32 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > > On Thursday, January 5, 2023 10:41:49 AM EST Paul Moore wrote:
> > > > On Thu, Jan 5, 2023 at 8:38 AM Ariel Silver <arielsilver77@gmail.com> wrote:
> > > > > I found the following bug:
> > > > >
> > > > > OS version = Red Hat Enterprise Linux release 8.6 (Ootpa)
> > > > > Kernel version = 4.18.0-425.3.1.el8.x86_64
> > > > > auditctl version = 3.0.7
> > > >
> > > > This mailing list is focused on the development and support of
> > > > upstream Linux Kernels and Steve's audit userspace, we don't really
> > > > provide support for paid distributions. If you are seeing problems
> > > > with the upstream Linux Kernel or tools, please report them here, but
> > > > issues with distribution kernels and/or tools should be sent to the
> > > > distribution for support/assistance.
> > >
> > > Paul, we take bug reports and help requests from anyone. Often, distributions
> > > are how we first hear of problems.
> >
> > Steve, re-read what I wrote.
> >
> > This mailing list is *focused* on upstream work and support, and while
> > it does not preclude talking about distro specific bugs, I believe
> > there are better avenues for those discussions (e.g. see the RHBZ link
> > I provided in my response) as upstream isn't really going to be able
> > to provide adequate help for someone experiencing problems with a
> > distro kernel which has a number of patches and backports.
> >
> > If you have a problem with this approach, perhaps we should move
> > upstream development to an audit mailing list on vger.kernel.org and
> > leave this list for RH specific issues?
>
> Steve, I realize it's only been ~24hrs, but should I assume you are
> okay with that (the upstream focused approach)?
>
> --
> paul-moore.com
>

* Re: New bug in Audit
From: Paul Moore @ 2023-01-09 15:02 UTC
To: Ariel Silver; +Cc: linux-audit

On Mon, Jan 9, 2023 at 3:30 AM Ariel Silver <arielsilver77@gmail.com> wrote:
>
> Hey guys and thank you for the quick reply, Much appreciated!
>
> As Richard and Steve mentioned the commit: https://github.com/linux-audit/audit-kernel/commit/1b2263a807ca651f94517b1b22dc5f13e494984d
> Fixed this issue.

A quick note for anyone looking to backport, the actual commit in the
upstream Linux Kernel is d4fefa4801a1 ("audit: move audit_return_fixup
before the filters"). Looking at the commit ID posted above and the
note in the commit about the manual merge, it looks like the 1b22
commit had a munged subject line that was fixed in d4fe.

> Any timeframe to when we can get a new version of auditd with that fix?
> Or should I count on redhat to release an update to the kernel ?
>
> Any update will be good.

This is one of those reasons why you really need to contact RH
directly via their bugzilla and/or a support representative; those of
us who work on the upstream Linux Kernel do not have visibility into
RH's kernel release process. I maintain the Linux Kernel's audit
subsystem and I don't currently work for RH, and haven't for over four
years ;)

--
paul-moore.com

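The ordering named in the commit title above ("audit: move audit_return_fixup before the filters"), as an added illustration that is not code from this thread or from the kernel: a simplified user-space C model that replays the three rules from the original report against a successful syscall under both orderings. The type and function names, and the assumption that a success= field cannot match before the syscall result is stored, are illustrative.

```c
/* Simplified user-space model of the syscall-exit ordering; NOT kernel code.
 * All type and function names here are illustrative assumptions. */
#include <stdbool.h>
#include <stdio.h>

enum ret_state { RET_UNKNOWN, RET_SUCCESS, RET_FAILURE };

struct exit_ctx {
    enum ret_state ret;   /* stays RET_UNKNOWN until the fixup step runs */
    long code;
};

struct rule {
    bool has_success;     /* rule carries -F success=N */
    int success;          /* N: 1 = successful calls, 0 = failed calls */
};

/* Stand-in for the step the commit title calls audit_return_fixup. */
static void return_fixup(struct exit_ctx *c, bool ok, long code)
{
    c->ret = ok ? RET_SUCCESS : RET_FAILURE;
    c->code = code;
}

/* Assumed filter behaviour: a success= field cannot match while the
 * result of the syscall has not been stored in the context yet. */
static bool rule_matches(const struct exit_ctx *c, const struct rule *r)
{
    if (!r->has_success)
        return true;
    if (c->ret == RET_UNKNOWN)
        return false;
    return c->ret == (r->success ? RET_SUCCESS : RET_FAILURE);
}

/* Returns true when a record would be written for one syscall exit.
 * fixup_first=false: filters run before the fixup (order before the fix).
 * fixup_first=true:  fixup runs before the filters (order after the fix). */
bool exit_emits_record(const struct rule *r, bool ok, long code, bool fixup_first)
{
    struct exit_ctx c = { RET_UNKNOWN, 0 };

    if (fixup_first)
        return_fixup(&c, ok, code);
    if (!rule_matches(&c, r))
        return false;             /* filtered out, nothing logged */
    if (!fixup_first)
        return_fixup(&c, ok, code);
    return true;
}

int main(void)
{
    const struct rule rules[] = { {true, 1}, {true, 0}, {false, 0} };
    const char *names[] = { "success=1", "success=0", "no success field" };

    /* The cp in the report succeeded, so model a successful write syscall. */
    for (int i = 0; i < 3; i++)
        printf("%-16s  filters-first: %d  fixup-first: %d\n", names[i],
               exit_emits_record(&rules[i], true, 0, false),
               exit_emits_record(&rules[i], true, 0, true));
    return 0;
}
```

In the model, the success=0 rule stays silent for a successful call under both orderings, because that rule selects failed calls; it produces a record only when the modelled call fails and the fixup runs first.
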
* Re: New bug in Audit
From: Steve Grubb @ 2023-01-09 15:08 UTC
To: Paul Moore, linux-audit

On Friday, January 6, 2023 3:33:18 PM EST Paul Moore wrote:
> > This mailing list is *focused* on upstream work and support, and while
> > it does not preclude talking about distro specific bugs, I believe
> > there are better avenues for those discussions (e.g. see the RHBZ link
> > I provided in my response) as upstream isn't really going to be able
> > to provide adequate help for someone experiencing problems with a
> > distro kernel which has a number of patches and backports.
> >
> > If you have a problem with this approach, perhaps we should move
> > upstream development to an audit mailing list on vger.kernel.org and
> > leave this list for RH specific issues?
>
> Steve, I realize it's only been ~24hrs, but should I assume you are
> okay with that (the upstream focused approach)?

For the 18 years I've spent on this mail list, it has always been open to any
topic audit related. I've answered questions for many distributions. If I can
reproduce the issue, then it's a bug worth looking at. If I can't reproduce
it, I let them know. I've even answered questions for people writing their
own audit implementation.

A lot of the email is upstream kernel work - no doubt. But many times, we
miss upstream kernel bugs because no one is running upstream code. We usually
hear about it when a distribution which stays close to upstream releases a
new update.

The text where you sign up for this mail list does not limit the topic to
upstream work, it allows for any discussion as long as it's audit related. I
do not think making a new mail list is in anyone's interest. Bugs will always
get misreported if there are 2 lists.

-Steve

* Re: New bug in Audit
From: Paul Moore @ 2023-01-10 4:38 UTC
To: Steve Grubb; +Cc: linux-audit

On Mon, Jan 9, 2023 at 10:59 AM Steve Grubb <sgrubb@redhat.com> wrote:
> On Friday, January 6, 2023 3:33:18 PM EST Paul Moore wrote:
> > > This mailing list is *focused* on upstream work and support, and while
> > > it does not preclude talking about distro specific bugs, I believe
> > > there are better avenues for those discussions (e.g. see the RHBZ link
> > > I provided in my response) as upstream isn't really going to be able
> > > to provide adequate help for someone experiencing problems with a
> > > distro kernel which has a number of patches and backports.
> > >
> > > If you have a problem with this approach, perhaps we should move
> > > upstream development to an audit mailing list on vger.kernel.org and
> > > leave this list for RH specific issues?
> >
> > Steve, I realize it's only been ~24hrs, but should I assume you are
> > okay with that (the upstream focused approach)?
>
> For the 18 years I've spent on this mail list, it has always been open to any
> topic audit related. I've answered questions for many distributions. If I can
> reproduce the issue, then it's a bug worth looking at. If I can't reproduce
> it, I let them know. I've even answered questions for people writing their
> own audit implementation.

Since I was asked to maintain the upstream Linux Kernel audit
subsystem I've generally asked people to try and reproduce their
problems on a modern~ish upstream Linux Kernel as it simply isn't
sustainable for me to replicate the environment of every problem
report. Enterprise distributions which run old and/or heavily patched
Linux Kernels should have their own support staff to provide
assistance in these areas, the upstream developers can't support every
distro kernel that ships.

> A lot of the email is upstream kernel work - no doubt. But many times, we
> miss upstream kernel bugs because no one is running upstream code. We usually
> hear about it when a distribution which stays close to upstream releases a
> new update.

In which case I would expect the distro support team to reproduce the
problem and report it upstream and/or submit an upstream patch for
review. This has been shown to work very well, and fits nicely within
the "upstream first" motto adopted by some of the better Linux
distributions.

> The text where you sign up for this mail list does not limit the topic to
> upstream work,

Perhaps the term "limit" is a bit strong, but I think it would be good
if the list welcome message indicates that the list is primarily for
the development and support of the upstream Linux audit tools,
distribution specific concerns should be sent to the distribution
provider.

> it allows for any discussion as long as it's audit related. I
> do not think making a new mail list is in anyone's interest. Bugs will always
> get misreported if there are 2 lists.

I disagree, the upstream and Fedora SELinux mailing lists have been a
good example of this working well. I also tend to think there is some
value in having a vendor agnostic mailing list host, but that's more
of a tie breaker in my mind, and not reason enough alone to force a
switch.

--
paul-moore.com

* Re: New bug in Audit
From: Richard Guy Briggs @ 2023-01-06 0:35 UTC
To: Steve Grubb; +Cc: linux-audit, Ariel Silver

On 2023-01-05 11:31, Steve Grubb wrote:
> On Thursday, January 5, 2023 10:41:49 AM EST Paul Moore wrote:
> > On Thu, Jan 5, 2023 at 8:38 AM Ariel Silver <arielsilver77@gmail.com> wrote:
> > > I found the following bug:
> > >
> > > OS version = Red Hat Enterprise Linux release 8.6 (Ootpa)
> > > Kernel version = 4.18.0-425.3.1.el8.x86_64
> > > auditctl version = 3.0.7
> >
> > This mailing list is focused on the development and support of
> > upstream Linux Kernels and Steve's audit userspace, we don't really
> > provide support for paid distributions. If you are seeing problems
> > with the upstream Linux Kernel or tools, please report them here, but
> > issues with distribution kernels and/or tools should be sent to the
> > distribution for support/assistance.
>
> Paul, we take bug reports and help requests from anyone. Often, distributions
> are how we first hear of problems.

We did, it is filed upstream as:
https://github.com/linux-audit/audit-kernel/issues/138

> > I believe you should be able to submit a bug report against Red Hat
> > Enterprise Linux using the Red Hat bugzilla instance at the URL below:
>
> I believe this is fixed by this commit:
>
> https://github.com/linux-audit/audit-kernel/commit/1b2263a807ca651f94517b1b22dc5f13e494984d

Yes, that commit fixes that bug upstream. It has been backported to
RHEL.

> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635