Bug 461653

Summary: IPA: Include plaintext string data with audit log in new plugin
Product: Red Hat Enterprise Linux 6
Reporter: Karl Wirth <kwirth>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.0
CC: lenny, pmoore, sgrubb
Target Milestone: rc
Keywords: Unconfirmed
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-03 16:49:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On:
Bug Blocks: 840699

Description Karl Wirth 2008-09-09 14:33:04 EDT
1. Kernel and user space audit pieces currently treat some characters (spaces, tabs, quotes, maybe more) as control characters and upon seeing them in a string, convert that string into Hex. This makes it difficult for solutions (such as IPA Audit) that want to leverage the raw audit to search on the audit or parse it.

2. Proposed solution.  Build plug-in to audit dispatcher that takes audit record as is, puts some clear marker that shows it is adding interpretive data, and appends interpreted data to the audit record.  It will then output the audit record to a file of a different name.  There will be a flag to say whether this plug-in should run or not. Default state should be not disabled even when loaded.  

3. Appended interpreted data will include:
- The human readable string in the case where a string is turned into Hex
- Additional valuable interpreted data like turning uid into the username (i.e. kwirth)

4. Platform support.  Goal is RHEL 5.4 and backport to RHEL 4.x.
Comment 4 LC Bruzenak 2009-09-17 10:48:08 EDT
I'd like to add to (3) above - that on systems configured for MLS policy, the translation of the MLS part of the context to its human-readable form as defined by the mcstrans.conf definitions on that machine. Also, I second - the UID/GID translation would be very helpful.
Comment 13 LC Bruzenak 2015-10-13 13:40:12 EDT
This bug is pretty old, and maybe the proposed fix Karl mentioned isn't the optimal way anymore. When I read it, I was really interested in getting the interpreted information into the events vice the numeric (UID/GID/AUID/etc). This would facilitate meaningful events on an aggregated machine. I've learned how to work around this problem in the intervening years, but would still be interested in having the ability.

UID/GID/AUID are all well-known. The part that might be unclear is the mcstrans part I described. An MLS policy is similar to MCS, except instead of one sensitivity level and multiple compartments, there are multiple SLs and multiple compartments.

The mcstransd interprets human-readable discrete labels into machine-readable and vice-versa.

Example setrans.conf entries:
Domain=Test

s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh

Base=Sensitivity Levels
s1=Unclassified
s1=U
s2:c200.c511=Restricted
s2:c200.c511=R
s3:c200.c511=Confidential
s3:c200.c511=C
s4:c200.c511=Secret
s4:c200.c511=S
s5:c200.c511=Top Secret
s5:c200.c511=TS

The audited events have only the bitwise representations; e.g.:
node=jcdx type=SYSCALL msg=audit(10/13/2015 11:40:58.454:62780) : arch=i386 syscall=socketcall(socket) success=no exit=-13(Permission denied) a0=1 a1=fff54c94 a2=5f79ff4 a3=fff54e5c items=0 ppid=9645 pid=9646 auid=root uid=json2jcdx gid=jcdx euid=json2jcdx suid=json2jcdx fsuid=json2jcdx egid=jcdx sgid=jcdx fsgid=jcdx tty=(none) ses=332 comm=json2jcdx exe=/opt/jcdx/libexec/json2jcdx subj=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 key=(null) 
node=jcdx type=AVC msg=audit(10/13/2015 11:40:58.454:62780) : avc:  denied  { create } for  pid=9646 comm=json2jcdx scontext=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 tcontext=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 tclass=netlink_route_socket
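To illustrate both the dispatcher plug-in proposed in the description (keep the raw record, add a clear marker, append interpreted data) and the setrans.conf translation discussed above, here is an added example written for this page; it is not the audit project's own plugin code. It assumes a constructed setrans.conf table, a constructed passwd/group snapshot and constructed raw records, and its MLS translation is a simplified exact-match lookup rather than mcstrans's dominance-based matching of arbitrary category sets.

```python
import re

# Constructed setrans.conf-style table; exact-match lookup only, not mcstrans's
# dominance-based translation of arbitrary category sets.
SETRANS = {"s0": "SystemLow", "s15:c0.c1023": "SystemHigh",
           "s0-s15:c0.c1023": "SystemLow-SystemHigh", "s5:c200.c511": "Top Secret"}
# Constructed passwd/group snapshot so the example runs offline (no pwd lookups).
PASSWD = {0: "root", 1000: "kwirth"}
GROUP = {0: "root", 1000: "kwirth"}
ID_FIELDS = {"auid": PASSWD, "uid": PASSWD, "euid": PASSWD, "gid": GROUP, "egid": GROUP}
CONTEXT_FIELDS = ("subj", "obj", "scontext", "tcontext")
STRING_FIELDS = ("comm", "exe", "name", "cwd", "proctitle", "acct")  # may be hex-encoded
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def parse_fields(record):
    """Split one raw audit record into (key, value) pairs, in order."""
    return [tuple(tok.split("=", 1)) for tok in record.split() if "=" in tok]

def decode_hex(value):
    """auditd hex-encodes a string value containing spaces, quotes or control chars."""
    if len(value) % 2 == 0 and HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return None  # already plain text

def translate_mls(context):
    """Replace the MLS level of user:role:type:level with its setrans.conf name."""
    parts = context.split(":", 3)
    if len(parts) < 4 or parts[3] not in SETRANS:
        return None
    return ":".join(parts[:3] + [SETRANS[parts[3]]])

def interpret(record):
    """Keep the raw record intact and append an ' INTERP:' marker with interpreted data."""
    extra = []
    for key, value in parse_fields(record):
        if key in ID_FIELDS and value.isdigit() and int(value) in ID_FIELDS[key]:
            extra.append(f"{key}={ID_FIELDS[key][int(value)]}")
        elif key in CONTEXT_FIELDS and (ctx := translate_mls(value)):
            extra.append(f'{key}="{ctx}"')  # quoted: translated names may hold spaces
        elif key in STRING_FIELDS and (text := decode_hex(value)) is not None:
            extra.append(f'{key}="{text}"')
    return record + (" INTERP: " + " ".join(extra) if extra else "")

# Constructed raw records in auditd's on-disk (uninterpreted) form.
RAW_RECORDS = [
    "type=SYSCALL msg=audit(1444750858.454:62780): arch=40000003 syscall=102 success=no "
    "exit=-13 a0=1 pid=9646 auid=0 uid=1000 gid=1000 comm=ls "
    "subj=system_u:system_r:user_t:s5:c200.c511 key=(null)",
    "type=PROCTITLE msg=audit(1444750858.454:62780): proctitle=6C73202D6C202F746D70",
]
```

Calling interpret() on each RAW_RECORDS entry leaves the original text untouched and appends the uid/gid names, the quoted setrans.conf label and the decoded proctitle after the INTERP: marker, so existing parsers of the raw format keep working.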
Comment 15 Steve Grubb 2016-06-03 16:49:20 EDT
This is not going into RHEL6 at this point. It is being worked on RHEL7 under rhbz 1127343.

*** This bug has been marked as a duplicate of bug 1127343 ***