Bug 231912

Summary: Laus doesn't audit detach event
Product: Red Hat Enterprise Linux 3 Reporter: Matthew Booth <mbooth>
Component: kernelAssignee: Bryn M. Reeves <bmr>
Status: CLOSED ERRATA QA Contact: Martin Jenner <mjenner>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.8CC: jfautley, petrides
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHSA-2007-0436 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-06-11 17:59:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 231914    
Attachments:
Description Flags
Patch against kernel 2.4.21-47.0.1.EL to add audit control events
none
Patch against kernel 2.4.21-47.0.1.EL to add audit control events
none
goto error -> goto err none

Description Matthew Booth 2007-03-12 22:30:36 UTC 
Description of problem:
An appropriately privilege user (CAP_SYS_ADMIN) can perform various control
actions on the audit system with an ioctl() on /dev/audit. One of these is the
ability to detach a process from the audit system. These control events are not
themselves audited. For the most part it is possible to work round this by
auditing ioctl calls on /dev/audit. However, for detach specifically and also
resume this does not work. This opens a severe hole in the ability of the audit
system to audit operations on itself.

Version-Release number of selected component (if applicable):
2.4.21-47.0.1.EL

How reproducible:
Always

Steps to Reproduce:
1. Create a program which detaches itself from laus by calling laus_detach().
2. Invoke the program.
  
Actual results:
There is no audit configuration which will audit this.

Expected results:
Should probably be audited by default.
Comment 1 Matthew Booth 2007-03-12 22:40:00 UTC 
Created attachment 149877 [details]
Patch against kernel 2.4.21-47.0.1.EL to add audit control events

This patch adds a new event type for audit control events. The events are
generated for every attempted ioctl on /dev/audit. The event comprises:

* the ioctl request number
* the return code

The events are only generated based on a match in the filter policy. This means
that existing configurations will not receive these events. In fact, without
the corresponding laus userspace update, it is not possible to receive these
events. With the userspace update, receiving these events simply requires the
following line in filter.conf:

event audit-control = always;
Comment 7 Matthew Booth 2007-03-13 17:38:03 UTC 
Created attachment 149955 [details]
Patch against kernel 2.4.21-47.0.1.EL to add audit control events

This is an NFC from the previous patch. It fixes a coding style problem found
by Brynn Reeves (spaces instead of a tab).
Comment 9 Steve Grubb 2007-03-16 13:35:30 UTC 
Reviewed patch and have 1 comment:

+		error=-EPERM;

<snip>

+		goto error;

Might not be good to have a variable "error" and a label of "error". The label
could be error_exit, err, or something else that's unique.
Comment 10 Bryn M. Reeves 2007-03-16 17:18:18 UTC 
Created attachment 150254 [details]
goto error -> goto err

Agreed. Attaching revised patch.
Comment 11 Ernie Petrides 2007-03-20 03:44:27 UTC 
A fix for this problem has just been committed to the RHEL3 U9
patch pool this evening (in kernel version 2.4.21-47.7.EL).
Comment 14 Red Hat Bugzilla 2007-06-11 17:59:19 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0436.html
Comment 15 Issue Tracker 2007-06-12 09:00:23 UTC 
Resolved. Closing ticket.

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 3.9'

This event sent from IssueTracker by jfautley 
 issue 116053