Bug 166518

Summary: auditctl inode auditing rules don't work
Product: Red Hat Enterprise Linux 4
Reporter: Steve Grubb <sgrubb>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 4.0
CC: andriusb
Hardware: All
OS: Linux
Fixed In Version: RHEA-2005-530
Doc Type: Bug Fix
Last Closed: 2005-10-05 12:40:16 UTC
Bug Blocks: 156322

Description Steve Grubb 2005-08-22 19:40:15 UTC

Description of problem:
Inode auditing rules get corrupted before sending to the kernel.

[root@discovery ~]# ls -i /etc/passwd
1562153 /etc/passwd
[root@discovery ~]# auditctl -a exit,always -F inode=1562153
[root@discovery ~]# auditctl -l
AUDIT_LIST: exit,always inode=0 syscall=all
File system watches not supported

The inode number gets changed to 0.

Version-Release number of selected component (if applicable):
audit-1.0.1-2

How reproducible:
Always

Steps to Reproduce:
1. See description

Additional info:

Comment 1 Steve Grubb 2005-08-22 19:42:21 UTC
This bug may also affect rules with the following fields: exit, success,
devmajor, and devminor. Upgrading to version 1.0.3 is the recommended solution.

Comment 2 Steve Grubb 2005-08-22 20:21:06 UTC
This bug needs to be fixed because the audit system doesn't work the way it is
documented. The man pages say that the user can set certain kinds of rules. It
turns out that they do not work because of the corruption. Adding to the U2
proposed list.

Comment 4 Andrius Benokraitis 2005-08-22 21:28:00 UTC
From Steve in an email:

You can pick values at random to test. The following shows the full extent of 
the issues. Try:

[root@discovery ~]# auditctl -a exit,always -F devmajor=15
[root@discovery ~]# auditctl -a exit,always -F devminor=30
[root@discovery ~]# auditctl -a exit,always -F success=50
[root@discovery ~]# auditctl -a exit,always -F exit=50
[root@discovery ~]# auditctl -a exit,always -F inode=50
[root@discovery ~]# auditctl -l
AUDIT_LIST: exit,always devmajor=0 syscall=all
AUDIT_LIST: exit,always devminor=0 syscall=all
AUDIT_LIST: exit,always success=0 syscall=all
AUDIT_LIST: exit,always exit=0 syscall=all
AUDIT_LIST: exit,always inode=0 syscall=all
File system watches not supported

You see, they all go to 0.
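
A post-load check for the failure shown in this report, as an added example that is not part of the original bug thread or of the audit package: it compares the rules that were requested with an `auditctl -l` listing in the audit-1.0.1 format above. The function name `missing_rules` and the `LISTING_EXPECTED` sample are constructed for illustration; the other two samples are copied from Comment 4.

```shell
#!/bin/sh
# Added example: confirm that every requested audit rule appears in the
# `auditctl -l` listing with the field value that was asked for.

# Rules requested in Comment 4, one per line: "<list>,<action> <field>=<value>"
REQUESTED='exit,always devmajor=15
exit,always devminor=30
exit,always success=50
exit,always exit=50
exit,always inode=50'

# Listing reported in Comment 4 (audit-1.0.1-2): every value became 0.
LISTING_REPORTED='AUDIT_LIST: exit,always devmajor=0 syscall=all
AUDIT_LIST: exit,always devminor=0 syscall=all
AUDIT_LIST: exit,always success=0 syscall=all
AUDIT_LIST: exit,always exit=0 syscall=all
AUDIT_LIST: exit,always inode=0 syscall=all
File system watches not supported'

# Constructed sample: the same listing format with the values preserved.
LISTING_EXPECTED='AUDIT_LIST: exit,always devmajor=15 syscall=all
AUDIT_LIST: exit,always devminor=30 syscall=all
AUDIT_LIST: exit,always success=50 syscall=all
AUDIT_LIST: exit,always exit=50 syscall=all
AUDIT_LIST: exit,always inode=50 syscall=all'

# missing_rules REQUESTED LISTING
# Prints each requested rule that the listing does not contain verbatim.
# Returns 1 if any rule is missing or altered, 0 otherwise.
missing_rules() {
    rc=0
    while read -r filter fieldval; do
        [ -n "$filter" ] || continue
        # The trailing space keeps inode=5 from matching inode=50.
        if ! printf '%s\n' "$2" | grep -q -F -- "AUDIT_LIST: $filter $fieldval "; then
            echo "NOT LOADED AS REQUESTED: $filter $fieldval"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

missing_rules "$REQUESTED" "$LISTING_REPORTED" ||
    echo "listing does not match the requested rules"
```

On a live system, pass `"$(auditctl -l)"` as the second argument; later audit releases print rules in a different format, so the match string would need adjusting.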

Comment 8 Red Hat Bugzilla 2005-10-05 10:56:22 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2005-530.html

