From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.2) Gecko/20040301 Description of problem: Disable auditing of 32b processes through the proc/sys/dev/audit interface. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1.Need to add interface to disable 32b audit support on ia64 2. 3. Additional info:
A clarification - the requirement for the evaluation is that there needs to be an interface to disable *execution* of 32bit binaries on ia64 in the evaluated configuration. This is intended to be a runtime switch in /proc/sys/dev/audit/ with 32bit execution being enabled by default. The reason for this change is that the audit code on the ia64 platform has several known issues which prevent correct auditing of system calls made by 32bit binaries. Having a system call interface available which would let users bypass the audit subsystem would be unacceptable for the evaluation. Patches to fix most of the known issues are available, but the resources to properly verify the correctness of the audit records to EAL3 requirements are not, so the 32bit mode must be disabled for the evaluated configuration for processes that would need to be audited. Note that the sysadmin can configure unaudited processes (i.e. a database running as a daemon service) that can then still run in 32bit mode in the evaluated configuration. Also, the evaluated configuration only needs the *capability* to provide reliable audit, but the admin is permitted to disable audit completely while remaining in an evaluated configuration.
A fix for this problem has just been committed to the RHEL3 U4 patch pool this evening (in kernel version 2.4.21-20.6.EL).
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2004-550.html