Bug 695605

Summary: audisp-remote calls bind() incorrectly
Product: Red Hat Enterprise Linux 6
Reporter: Eduard Benes <ebenes>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: high
Version: 6.1
CC: mitr, sgrubb, syeghiay, tmraz
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: audit-2.1-3.el6
Doc Type: Bug Fix
Doc Text:
Previously if an audispd plugin was restarted, the plugin was not marked as active. Consequently, the remote logging plugin (audisp-remote) was unable to bind to a privileged port on reconnect because all privileges had been dropped. In this updated package, audispd plugins are marked as active after being restarted, and the audisp-remote plugin functions as expected.
Clone Of: 695419
Last Closed: 2011-05-19 13:55:40 UTC
Bug Depends On: 695419
Bug Blocks: 584498, 682670, 846801, 846802

Description Eduard Benes 2011-04-12 07:18:34 UTC
+++ This bug was initially created as a clone of Bug #695419 +++

Description of problem:

audisp-remote does
>		memset (&address, 0, sizeof(address));
>		address.sin_family = htons(AF_INET);
>		address.sin_port = htons(config.local_port);
>		address.sin_addr.s_addr = htonl(INADDR_ANY);
which shows in strace as

> bind(3, {sa_family=0x200 /* AF_??? */, sa_data="\0<\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) = 0

For some reason the call still succeeds, but a correct invocation would not call htons on AF_INET.

--- Additional comment from sgrubb on 2011-04-11 13:26:40 EDT ---

It works because the audit daemon also has a matching mistake. Fixed in revision 505.

--- Additional comment from tmraz on 2011-04-12 02:33:47 EDT ---

And is the daemon really listening on an IPv4 port in this case or not?
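
The byte-order mistake from the description next to the correct initialisation, as an added example that is not code from the audit package or from this report. The names fill_addr, family_matches and bind_local are hypothetical, and port 60 in the usage is chosen to match the sa_data bytes in the strace line.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill an IPv4 wildcard address. swap_family=1 reproduces the reported
 * mistake (htons() applied to AF_INET); swap_family=0 is the correct form.
 * sin_family is a host-order tag; only sin_port and sin_addr go on the
 * wire and need network byte order. */
void fill_addr(struct sockaddr_in *a, unsigned short port, int swap_family)
{
    memset(a, 0, sizeof(*a));
    a->sin_family = swap_family ? htons(AF_INET) : AF_INET;
    a->sin_port = htons(port);
    a->sin_addr.s_addr = htonl(INADDR_ANY);
}

/* Pre-bind check: the address family must equal the socket's family. */
int family_matches(const struct sockaddr_in *a, int socket_family)
{
    return a->sin_family == socket_family;
}

/* Bind a TCP socket to a local port, rejecting a mismatched family up front.
 * Returns 0 on success, otherwise an errno value. Port 0 = ephemeral port. */
int bind_local(unsigned short port, int swap_family)
{
    struct sockaddr_in a;
    int rc = 0, fd;
    fill_addr(&a, port, swap_family);
    if (!family_matches(&a, AF_INET))
        return EAFNOSUPPORT;
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    if (bind(fd, (struct sockaddr *)&a, sizeof(a)) < 0)
        rc = errno;
    close(fd);
    return rc;
}

int main(void)
{
    printf("correct: %d, swapped family: %d\n", bind_local(0, 0), bind_local(0, 1));
    return 0;
}
```

On a little-endian host the swapped family is 0x200, the value strace printed as `AF_???`; on a big-endian host htons() is a no-op and the mistake is invisible.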

Comment 2 Steve Grubb 2011-04-13 13:31:18 UTC
Two other issues that need to be addressed at the same time:

1) capabilities are completely dropped. Any reconnect due to the server going down will fail if local_port is < 1024.

2) When audispd restarts a plugin, it does not mark the plugin as active. This means that even though it's running, events will not be forwarded to the plugin.

Comment 4 Steve Grubb 2011-04-13 14:07:45 UTC
audit-2.1-3.el6 was built to resolve this problem.

Comment 11 errata-xmlrpc 2011-05-19 13:55:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0653.html