Bug 137870 - (IT_57746) LAUS does not analyze parameters of fcntl() or flock() system calls
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: laus
Version: 3.0
Hardware: i686 Linux
Priority: medium, Severity: medium
Assigned To: Peter Martuccelli
QA Contact: Jay Turner
Reported: 2004-11-02 08:56 EST by Daniel Berrange
Modified: 2015-01-07 19:08 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-01-03 09:59:10 EST
Description Daniel Berrange 2004-11-02 08:56:47 EST

When using LAUS as a debugging / investigative tool, there was a need to audit all
operations on files matching the name /etc/mtab*. In particular, open, link,
fcntl and flock system calls were of great importance. To achieve this a filter
conf was created looking like

predicate is-mtab = prefix("/etc/mtab");

set file-open = {
  "open", "fcntl", "flock", "stat", "stat64", "read", "write", "dup", "dup2"
};

tag "FILE_access"
syscall @file-open = is-mtab(arg0);

LAUS was then configured to turn on auditing system wide with 

  echo 1 > /proc/sys/dev/audit/attach-all

While this successfully captured most system calls requested, it missed all
occurrences of fcntl() and flock(). At the same time it printed messages in the logs

kernel: Audit daemon registered (process 27009)
kernel: Filter target 0x0 not known or not supported in this context
last message repeated 4 times
kernel: Audit daemon registered (process 27072)
kernel: Filter target 0x0 not known or not supported in this context
last message repeated 30 times
kernel: Filter target 0x0 not known or not supported in this context
last message repeated 173 times
last message repeated 28 times

When the 'fcntl()' and 'flock()' calls were removed from the audit set these
messages go away. Looking in the kernel source, it would appear that these
two system calls do not have their arguments analyzed.

Reproducible: Always
Steps to Reproduce:
1. Try and filter recording of flock() and fcntl() system calls based on
filename using prefix() function

Actual Results:  
Messages thrown in system logs, no use of flock() and fcntl() recorded

Expected Results:  
flock() and fcntl() recorded as matching the predicates

If LAUS were extended to analyze the arguments of every single system call in
the kernel, it will be much more valuable as a system wide debugging tool
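As an added example, not part of this report or of LAUS itself: a small Python check that totals the "Filter target 0x0" warnings quoted above, expanding syslog's "last message repeated N times" compression and attributing each warning to the auditd registration that preceded it, so an administrator can see how many filter matches the kernel refused after each reload rather than guessing from the collapsed log. The sample log is constructed from the lines in the description; the regexes also accept timestamped syslog lines, which is an assumption beyond what the report shows.

```python
import re

# Constructed sample: the kernel messages quoted in the report, in the order
# they appeared, with syslog's repeat compression left in place.
SAMPLE_LOG = """\
kernel: Audit daemon registered (process 27009)
kernel: Filter target 0x0 not known or not supported in this context
last message repeated 4 times
kernel: Audit daemon registered (process 27072)
kernel: Filter target 0x0 not known or not supported in this context
last message repeated 30 times
kernel: Filter target 0x0 not known or not supported in this context
last message repeated 173 times
last message repeated 28 times
"""

FILTER_WARN = "Filter target 0x0 not known or not supported in this context"
KERNEL_RE = re.compile(r"kernel: (.*)$")  # assumption: also matches "<ts> <host> kernel: ..."
DAEMON_RE = re.compile(r"Audit daemon registered \(process (\d+)\)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def warnings_per_daemon(log_text):
    """Map each auditd registration (by pid) to the number of filter-target
    warnings logged after it, expanding 'last message repeated N times'."""
    per_pid = {}
    pid = None       # most recent auditd registration seen
    last_msg = None  # most recent kernel message, needed to expand repeats
    for line in log_text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep:
            # syslog collapsed N further copies of the previous kernel message
            if last_msg == FILTER_WARN and pid is not None:
                per_pid[pid] += int(rep.group(1))
            continue
        km = KERNEL_RE.search(line)
        if not km:
            continue
        msg = km.group(1)
        reg = DAEMON_RE.fullmatch(msg)
        if reg:
            pid = int(reg.group(1))
            per_pid.setdefault(pid, 0)
        elif msg == FILTER_WARN and pid is not None:
            per_pid[pid] += 1
        last_msg = msg
    return per_pid


def total_refused(log_text):
    """Total filter-target rejections across all auditd registrations."""
    return sum(warnings_per_daemon(log_text).values())
```

A non-zero count after a reload is the signal that part of the filter set (here, the fcntl and flock entries) is silently not being applied.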
Comment 1 Peter Martuccelli 2004-11-02 11:38:14 EST
Extending LAuS support to all of the system calls would increase the
functionality of the product so it could be used for system wide
monitoring.  LAuS implemented support for the system calls that were
required for EAL3 certification.  We have added additional system
calls over the last two updates as requested by @Sec and other users
involved in certification.

Moving ahead, we should associate this work with a feature request as
it represents an extension of LAuS's functionality.
