aushape
Error normalizing NETFILTER_CFG
The auparse_normalize function returns an error for the following piece of audit.log:
node=fedora24-dev type=NETFILTER_CFG msg=audit(1517172828.517:495): table=mangle family=10 entries=6
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.797:496): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=firewalld comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.799:497): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.800:498): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=polkit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_START msg=audit(1517172829.804:499): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-vconsole-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.804:500): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-vconsole-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.807:501): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-sysctl comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=fedora24-dev type=SYSTEM_SHUTDOWN msg=audit(1517172829.807:502): pid=3653 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.808:503): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-random-seed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.810:504): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=localhost.localdomain type=DAEMON_CLOSE msg=audit(1517172829.848:13): addr=192.168.122.40 port=48118 res=success
node=localhost.localdomain type=SERVICE_STOP msg=audit(1517172864.462:3385): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=chronyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
The particular issue can be reproduced with auparse as well, like this:
ausearch --format csv -if auparse_normalize_failure.log
This was seen on Fedora 25 with the following packages installed:
audit-2.8.1-1.fc25.x86_64
audit-libs-devel-2.8.1-1.fc25.x86_64
audit-libs-2.8.1-1.fc25.x86_64
Response from Steve Grubb from the audit team was:
The event from the kernel is messed up. You can try asking on the linux-audit mail list because they think I'm the only one seeing problems. And there is also github issues:
https://github.com/linux-audit/audit-kernel/issues/25 https://github.com/linux-audit/audit-kernel/issues/35
These have been open for about a year with no real movement. I don't know if there is anything you can do to highlight that we need these fixed ASAP.
This is essentially a duplicate of issue 25 and issue 35. I recommend close as duplicate.
@rgbriggs Hmm, I don't think I follow. To me those issues don't look related at all. Could you elaborate, please?
On 2018-03-18 06:22, Nikolai Kondrashov wrote:
> @rgbriggs Hmm, I don't think I follow. To me those issues don't look related at all. Could you elaborate, please?
Perhaps I misunderstood the goal of this issue report.
Is there work expected by the scribery/aushape team to work around this or ignore it? Or is it to get Steve to stop the normalizer from complaining? Or is it expected that the kernel folks resolve ghak25/ghak35?
Now that a number of other issues have been addressed and better understood I am optimistic ghak25/35 can be addressed which should resolve this scribery/aushape issue.
I think the solution to this on aushape side should be to fail generating the normalized data, and mark the partially-converted JSON object with an error. I would, of course, like this resolved on the audit or kernel side, but I expect things like this will keep happening, so aushape will need to handle it anyway, and it can start with handling this case while it's being resolved.
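One way to realise the handling proposed above (convert what can be converted, then mark the object with an error when normalization fails instead of aborting), as an added illustration that is not aushape's or libauparse's code: the key=value parser, the record-type rule table and the `normalize()` function below are hypothetical stand-ins for the real normalizer, the rule table lacks an entry for NETFILTER_CFG only so that the failure from the report is reproduced, and the three sample lines are taken from the log quoted in the report.

```python
"""Fail-soft conversion of Linux audit records to JSON (added illustration).

Every record is parsed into a JSON-ready object; if the (hypothetical)
normalizer cannot handle it, the raw fields are kept and an "error" member is
added, so one bad kernel event does not stop the whole conversion.
"""
import json
import re

# One key=value pair: the value is 'single-quoted', "double-quoted" or a bare
# token. The quoted forms are tried first so a quoted msg='...' body is
# consumed whole even when it is glued to the next key, as in
# res=success'UID="root" in the reported log.
_PAIR_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
_AUDIT_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\):?$")

# Hypothetical normalization rules: record type -> (action, key naming the
# object). A type without a rule cannot be normalized; NETFILTER_CFG is left
# out deliberately to mirror the auparse_normalize() failure in the report.
_RULES = {
    "SERVICE_START": ("started-service", "unit"),
    "SERVICE_STOP": ("stopped-service", "unit"),
    "DAEMON_CLOSE": ("closed-daemon-connection", "addr"),
}


class NormalizeError(Exception):
    """Raised when no normalization rule applies to a record."""


def parse_pairs(text):
    """Return [(key, value), ...] found in text, with quotes stripped."""
    pairs = []
    for key, raw in _PAIR_RE.findall(text):
        if len(raw) >= 2 and raw[0] in "'\"" and raw[-1] == raw[0]:
            raw = raw[1:-1]
        pairs.append((key, raw))
    return pairs


def parse_record(line):
    """Parse one audit record line into a JSON-ready dict.

    The two msg= fields are told apart by content: the one carrying the
    audit(time:serial) header gives time and serial, a quoted one carries
    nested key=value pairs and is parsed recursively.
    """
    rec = {"fields": {}}
    for key, value in parse_pairs(line):
        if key == "msg":
            header = _AUDIT_RE.match(value)
            if header:
                rec["time"], rec["serial"] = header.group(1), int(header.group(2))
            else:
                rec["fields"]["msg"] = dict(parse_pairs(value))
        elif key in ("node", "type"):
            rec[key] = value
        else:
            rec["fields"][key] = value
    for required in ("node", "type", "time", "serial"):
        if required not in rec:
            raise ValueError(f"malformed record, missing {required}: {line!r}")
    return rec


def normalize(rec):
    """Hypothetical normalizer: derive subject/action/object/result."""
    try:
        action, obj_key = _RULES[rec["type"]]
    except KeyError:
        raise NormalizeError(f"no rule for record type {rec['type']}") from None
    fields = rec["fields"]
    msg = fields.get("msg", {})
    obj = msg.get(obj_key, fields.get(obj_key))
    if obj is None:
        raise NormalizeError(f"{rec['type']} record has no {obj_key}= field")
    return {
        "subject": {"uid": fields.get("uid"), "auid": fields.get("auid"),
                    "exe": msg.get("exe")},
        "action": action,
        "object": obj,
        "result": msg.get("res", fields.get("res")),
    }


def convert(line):
    """Convert one line; on normalization failure keep the raw fields and
    mark the object with an error (the policy proposed in the thread)."""
    rec = parse_record(line)
    try:
        rec["normalized"] = normalize(rec)
    except NormalizeError as exc:
        rec["normalized"] = None
        rec["error"] = f"normalization failed: {exc}"
    return rec


def convert_log(text):
    """Convert every non-empty line; return (objects, number_of_errors)."""
    objs = [convert(line) for line in text.splitlines() if line.strip()]
    return objs, sum(1 for o in objs if "error" in o)


# Three records taken from the log quoted in the report above.
SAMPLE_LOG = """\
node=fedora24-dev type=NETFILTER_CFG msg=audit(1517172828.517:495): table=mangle family=10 entries=6
node=fedora24-dev type=SERVICE_STOP msg=audit(1517172829.797:496): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=firewalld comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
node=localhost.localdomain type=DAEMON_CLOSE msg=audit(1517172829.848:13): addr=192.168.122.40 port=48118 res=success
"""

if __name__ == "__main__":
    objs, errors = convert_log(SAMPLE_LOG)
    print(json.dumps(objs, indent=2))
    print(f"{errors} of {len(objs)} records could not be normalized")
```

The NETFILTER_CFG object comes out with its raw table/family/entries fields intact, `"normalized": null` and an `"error"` string, while the other two records are normalized as usual, so a consumer can still count and inspect the records the normalizer rejected.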