Update end of event detection mechanism

Resolves: RHEL-78323
2025-04-02 11:12:15 +02:00 · 2025-04-02 11:12:15 +02:00 · fb748ca9eb
commit fb748ca9eb
parent f725649490
4 changed files with 1355 additions and 1 deletions
--- a/audit.spec
+++ b/audit.spec
@ -2,7 +2,7 @@
 Summary: User space tools for kernel auditing
 Name: audit
 Version: 3.1.5
-Release: 5%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@ -20,6 +20,9 @@ Patch9: interpret-tty-data.patch
 Patch10: tty-hostname.patch
 Patch11: ausearch-DAEMON_END.patch
 Patch12: afunix-memleak.patch
+Patch13: end-of-event.patch
+Patch14: end-of-event-check.patch
+Patch15: end-of-event-gdm.patch

 BuildRequires: make gcc swig
 BuildRequires: openldap-devel
@ -114,6 +117,9 @@ cp %{SOURCE1} .
 %patch -P 10 -p1
 %patch -P 11 -p1
 %patch -P 12 -p1
+%patch -P 13 -p1
+%patch -P 14 -p1
+%patch -P 15 -p1

 autoreconf -fv --install

@ -302,6 +308,10 @@ fi
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote

 %changelog
+* Wed Apr 02 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-6
+- Update end of event detection mechanism
+  Resolves: RHEL-78323
+
 * Fri Mar 28 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-5
 - ausearch: correct search for DAEMON related events
 - allow hex digits when interpreting tty data
--- a/end-of-event-check.patch
+++ b/end-of-event-check.patch
--- a/end-of-event-gdm.patch
+++ b/end-of-event-gdm.patch
@ -0,0 +1,219 @@
+From 23eb05485637dd51e5898ece17324921308de085 Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Wed, 2 Apr 2025 14:12:36 +0200
+Subject: [PATCH] test suite: replace auid=42 with auid=0
+
+Executing make check, the test case expected the system
+to have user gdm with id of 42, which might not be true in all cases.
+In case the user was not present, ID to name translation failed, thus
+make check exited with error.
+---
+ auparse/test/auparse_test.ref    | 18 +++++++++---------
+ auparse/test/auparse_test.ref.py | 18 +++++++++---------
+ auparse/test/test.log            |  4 ++--
+ auparse/test/test2.log           |  4 ++--
+ 4 files changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/auparse/test/auparse_test.ref b/auparse/test/auparse_test.ref
+index dbeddf22..455dbb3a 100644
+--- a/auparse/test/auparse_test.ref
+++ b/auparse/test/auparse_test.ref
+@@ -188,7 +188,7 @@ event 4 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -209,7 +209,7 @@ event 4 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+@@ -389,7 +389,7 @@ event 4 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -410,7 +410,7 @@ event 4 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+@@ -587,7 +587,7 @@ event 11 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -608,7 +608,7 @@ event 11 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+@@ -699,7 +699,7 @@ Test 6 Done
+ 
+ Starting Test 7, compound search...
+ Found type = USER_START
+-Found auid = 42
+Found auid = 0
+ Test 7 Done
+ 
+ Starting Test 8, regex search...
+@@ -874,7 +874,7 @@ event 4 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -895,7 +895,7 @@ event 4 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+diff --git a/auparse/test/auparse_test.ref.py b/auparse/test/auparse_test.ref.py
+index 83dc47ad..73b2a099 100644
+--- a/auparse/test/auparse_test.ref.py
+++ b/auparse/test/auparse_test.ref.py
+@@ -180,7 +180,7 @@ event 4 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -201,7 +201,7 @@ event 4 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+@@ -381,7 +381,7 @@ event 4 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -402,7 +402,7 @@ event 4 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+@@ -579,7 +579,7 @@ event 11 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -600,7 +600,7 @@ event 11 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+@@ -691,7 +691,7 @@ Test 6 Done
+ 
+ Starting Test 7, compound search...
+ Found type = USER_START
+-Found auid = 42
+Found auid = 0
+ Test 7 Done
+ 
+ Starting Test 8, regex search...
+@@ -864,7 +864,7 @@ event 4 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -885,7 +885,7 @@ event 4 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+diff --git a/auparse/test/test.log b/auparse/test/test.log
+index cef1838d..24e0557f 100644
+--- a/auparse/test/test.log
+++ b/auparse/test/test.log
+@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:293):  cwd="/var/spool/postfix"
+ type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
+ type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+ type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+-type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1
+-type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=1 res=1
+type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+ type=PROCTITLE msg=audit(1170021601.343:296): proctitle="(systemd)"
+ type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+ type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+diff --git a/auparse/test/test2.log b/auparse/test/test2.log
+index 63aadaa9..a2f3e755 100644
+--- a/auparse/test/test2.log
+++ b/auparse/test/test2.log
+@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:283):  cwd="/var/spool/postfix"
+ type=PATH msg=audit(1170021493.977:283): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
+ type=USER_ACCT msg=audit(1170021601.340:284): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+ type=CRED_ACQ msg=audit(1170021601.342:285): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+-type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1
+-type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=1 res=1
+type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+ type=PROCTITLE msg=audit(1170021601.343:286): proctitle="(systemd)"
+ type=USER_START msg=audit(1170021601.344:287): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+ type=CRED_DISP msg=audit(1170021601.364:288): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+-- 
+2.49.0
+
--- a/end-of-event.patch
+++ b/end-of-event.patch
@ -0,0 +1,60 @@
+From d6aac5857a7aea11a7fc95926d587ecc824b6152 Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Wed, 2 Apr 2025 11:04:37 +0200
+Subject: [PATCH] Update end of event detection
+
+---
+ auparse/auparse.c  | 5 ++++-
+ src/ausearch-lol.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/auparse/auparse.c b/auparse/auparse.c
+index c3e1fb9e..1b0c5a39 100644
+--- a/auparse/auparse.c
+++ b/auparse/auparse.c
+@@ -319,7 +319,9 @@ static void au_check_events(auparse_state_t *au, time_t sec)
+                         } else if ( // FIXME: Check this v remains true
+ 				r->type == AUDIT_PROCTITLE ||
+ 				r->type == AUDIT_EOE ||
+-				r->type < AUDIT_FIRST_EVENT ||
+				(r->type > AUDIT_LOGIN &&
+					r->type < AUDIT_FIRST_EVENT) ||
+				r->type == AUDIT_USER ||
+ 				r->type >= AUDIT_FIRST_ANOM_MSG ||
+ 				r->type == AUDIT_KERNEL ||
+ 				(r->type >= AUDIT_MAC_UNLBL_ALLOW &&
+@@ -332,6 +334,7 @@ static void au_check_events(auparse_state_t *au, time_t sec)
+         }
+ }
+ 
+
+ /*
+  * au_terminate_all_events - Mark all events in 'BUILD' state to be COMPLETE
+  *
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index 31c5ff2e..e2a6017d 100644
+--- a/src/ausearch-lol.c
+++ b/src/ausearch-lol.c
+@@ -259,7 +259,10 @@ static void check_events(lol *lo, time_t sec)
+ 				cur->status = L_COMPLETE;
+ 				ready++;
+ 			} else if (cur->l->e.type == AUDIT_PROCTITLE ||
+-				    cur->l->e.type < AUDIT_FIRST_EVENT ||
+				    cur->l->e.type == AUDIT_EOE ||
+				    (cur->l->e.type > AUDIT_LOGIN &&
+				        cur->l->e.type < AUDIT_FIRST_EVENT) ||
+				    cur->l->e.type == AUDIT_USER ||
+ 				    cur->l->e.type >= AUDIT_FIRST_ANOM_MSG ||
+ 				    cur->l->e.type == AUDIT_KERNEL ||
+ 				    (cur->l->e.type >= AUDIT_MAC_UNLBL_ALLOW &&
+@@ -272,6 +275,7 @@ static void check_events(lol *lo, time_t sec)
+ 	}
+ }
+ 
+
+ // This function adds a new record to an existing linked list
+ // or creates a new one if its a new event
+ int lol_add_record(lol *lo, char *buff)
+-- 
+2.49.0
+