Red Hat Bugzilla – Bug 1259765
BUG: Audit ANOM_LINK event weirdness
Last modified: 2016-06-02 16:11:20 EDT
Description of problem:
When experimenting with the ANOM_LINK event creation, it was found that the proctitle record seemed to have the exe of the ppid instead of the pid's.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
As a normal user:
ln -s /bin/passwd my-passwd
Then as root:
ausearch --start recent -m anom_link -i
verify you have nothing
chown lp /tmp/my-passwd <- but use tab completion after /tmp/m
this will fail
ausearch --start recent -m anom_link -i | grep PROCTITLE
type=PROCTITLE msg=audit(08/27/2015 19:22:40.823:1246) : proctitle=-bash
type=PROCTITLE msg=audit(08/27/2015 19:22:40.824:1247) : proctitle=su - root
type=PROCTITLE msg=audit(08/27/2015 19:22:40.824:1248) : proctitle=su - root
type=PROCTITLE msg=audit(08/27/2015 19:22:43.489:1249) : proctitle=chown lp /tmp/my-passwd
I would not expect su to be involved.
*********** MASS BUG UPDATE **************
We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 22 kernel bugs.
Fedora 22 has now been rebased to 4.2.3-200.fc22. Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.
If you have moved on to Fedora 23, and are still experiencing this issue, please change the version to Fedora 23.
If you experience different issues, please open a new bug report for those.
Moving to Rawhide to avoid Fedora MASS BUG UPDATEs.
I'm going to mark this as CLOSED/DEFERRED since we are tracking upstream bugs on GitHub now.