Bug 670938

Summary: searching on auid = -1 results in all events
Product: Red Hat Enterprise Linux 6
Component: audit
Version: 6.0
Status: CLOSED ERRATA
Severity: medium
Priority: high
Reporter: Steve Grubb <sgrubb>
Assignee: Steve Grubb <sgrubb>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: audit-2.0.6-1.el6
Doc Type: Bug Fix
Doc Text:
System processes, that is, processes with an audit id (auid) of -1, are logged by the audit subsystem. However, if the ausearch utility was used to locate events where the auid was -1, it displayed all events. With this update, ausearch only returns events with an auid of -1.
Bug Blocks: 706156
Last Closed: 2011-05-19 13:55:37 UTC

Description Steve Grubb 2011-01-19 17:31:40 UTC
Description of problem:
When an audit rule such as this is loaded on a 32 bit system:

-a exit,always -S creat -S open -S openat -S truncate -S ftruncate -F success=0 -F auid!=-1

System processes (ones with auid == -1) still get logged. This is because the auid is converted using a signed conversion and then compared in the kernel unsigned. Since 2147483647 does not equal 4294967295, the rule never triggers. Listing the rule back out with "auditctl -l" shows that auid=2147483647 (0x7fffffff) is loaded rather than 4294967295.
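Added illustration of the mismatch described above (not code from the audit package or the kernel): a constructed emulation of a 32-bit signed conversion, where out-of-range input saturates at 2147483647, beside an unsigned conversion, each fed to an unsigned compare like the one the kernel performs for `-F auid!=<value>`. `parse_auid_signed32`, `parse_auid_unsigned32` and `rule_logs_event` are hypothetical helpers written for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: emulates a signed conversion on a 32-bit platform,
 * where long is 32 bits and out-of-range input saturates at LONG_MAX. */
static int32_t parse_auid_signed32(const char *s)
{
    long long v = strtoll(s, NULL, 10);
    if (v > INT32_MAX) return INT32_MAX;   /* "4294967295" becomes 2147483647 */
    if (v < INT32_MIN) return INT32_MIN;
    return (int32_t)v;
}

/* Hypothetical helper: unsigned conversion. "-1" (the unset login uid) maps to
 * UINT32_MAX, the value carried in the record; returns -1 on malformed input. */
static long long parse_auid_unsigned32(const char *s)
{
    char *end;
    if (strcmp(s, "-1") == 0) return UINT32_MAX;
    if (s[0] == '-' || s[0] == '\0') return -1;
    unsigned long long v = strtoull(s, &end, 10);
    if (*end != '\0' || v > UINT32_MAX) return -1;   /* overflow also lands here */
    return (long long)v;
}

/* Kernel side of "-F auid!=<value>", emulated: an unsigned compare of the
 * record's auid with the loaded filter value; 1 means the event is logged. */
static int rule_logs_event(uint32_t filter_auid, uint32_t record_auid)
{
    return record_auid != filter_auid;
}

int main(void)
{
    const uint32_t unset_auid = UINT32_MAX;          /* system process: auid=-1 */
    uint32_t f_signed = (uint32_t)parse_auid_signed32("4294967295");
    uint32_t f_unsigned = (uint32_t)parse_auid_unsigned32("-1");

    printf("signed path loads auid=%u, unsigned path loads auid=%u\n",
           f_signed, f_unsigned);
    printf("system process still logged? signed=%d unsigned=%d\n",
           rule_logs_event(f_signed, unset_auid),
           rule_logs_event(f_unsigned, unset_auid));
    return 0;
}
```

The signed path loads 2147483647 (0x7fffffff), so the exclusion never matches a record carrying 4294967295 and the system process is still logged; the unsigned path loads 4294967295 and the exclusion holds.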

Comment 3 Steve Grubb 2011-02-02 13:32:09 UTC
In researching this problem, I found that it was already fixed by https://fedorahosted.org/audit/changeset/268

However during troubleshooting, I needed to get records for auid 4294967295 with ausearch. This resulted in all records rather than the one I wanted. My query was something like this:

ausearch -ul 4294967295 -if ./audit.log

where audit.log had the following event:

type=USER_AUTH msg=audit(1258740386.638:288): user pid=28360 uid=500 auid=500 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=failed'

Comment 4 Steve Grubb 2011-02-02 13:33:49 UTC
Fixed by upstream commit:
https://fedorahosted.org/audit/changeset/439

Comment 5 Steve Grubb 2011-02-04 18:55:11 UTC
audit-2.0.6-1.el6 was built to fix this problem.

Comment 11 errata-xmlrpc 2011-05-19 13:55:37 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0653.html