Bug 1259765 - BUG: Audit ANOM_LINK event weirdness
BUG: Audit ANOM_LINK event weirdness
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
Unspecified Linux
medium Severity low
: ---
: ---
Assigned To: Paul Moore
Fedora Extras Quality Assurance
: FutureFeature, Reproducer
Depends On:
  Show dependency treegraph
Reported: 2015-09-03 09:44 EDT by Steve Grubb
Modified: 2016-06-02 16:11 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-06-02 16:11:20 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Steve Grubb 2015-09-03 09:44:36 EDT
Description of problem:
When experimenting with the ANOM_LINK event creation, it was found that the proctitle record seemed to have the exe of the ppid instead of the pid's.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
As a normal user:
cd /tmp
ln -s /bin/passwd my-passwd

Then as root:
ausearch --start recent -m anom_link -i
  verify you have nothing
chown lp /tmp/my-passwd       <- but use tab completion after /tmp/m
  this will fail
ausearch --start recent -m anom_link -i | grep PROCTITLE

Actual results:
type=PROCTITLE msg=audit(08/27/2015 19:22:40.823:1246) : proctitle=-bash 
type=PROCTITLE msg=audit(08/27/2015 19:22:40.824:1247) : proctitle=su - root 
type=PROCTITLE msg=audit(08/27/2015 19:22:40.824:1248) : proctitle=su - root 
type=PROCTITLE msg=audit(08/27/2015 19:22:43.489:1249) : proctitle=chown lp /tmp/my-passwd 

Expected results:
I would not expect su to be involved.
Comment 1 Justin M. Forbes 2015-10-20 15:25:36 EDT
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 22 kernel bugs.

Fedora 22 has now been rebased to 4.2.3-200.fc22.  Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 23, and are still experiencing this issue, please change the version to Fedora 23.

If you experience different issues, please open a new bug report for those.
Comment 2 Paul Moore 2015-10-20 17:36:10 EDT
Moving to Rawhide to avoid Fedora MASS BUG UPDATEs.
Comment 3 Paul Moore 2016-06-02 16:11:20 EDT
I'm going to mark this as CLOSED/DEFERRED since we are tracking upstream bugs on GitHub now.

* https://github.com/linux-audit/audit-kernel/issues/15

Note You need to log in before you can comment on or make changes to this bug.