From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
The audit module "watch" functionality does not appear to be working and gives error messages when attempting to enable it. This is a default FC4 installation on an x86_64 system. No updates as of yet, although at the time of this submittal, no updates were available for either the kernel or audit packages.

Here is a list of the commands with screen I/O:

[root@fc4-test audit]# service auditd start
Starting auditd: [ OK ]
[root@fc4-test audit]# auditctl -D
No rules
[root@fc4-test audit]# auditctl -l
No rules
Error sending netlink packet (Invalid argument)
Error sending list request (Invalid argument)
[root@fc4-test audit]# auditctl -w /etc/shadow
Error sending netlink packet (Invalid argument)
Error sending watch insert request (Invalid argument)
Error sending watch to kernel

------
Here is the audit.log file (which was cleared before the above commands):

/var/log/audit/audit.log
type=DAEMON_START msg=audit(1119444982.764:768) auditd start, ver=0.8.2, format=raw, uid=4294967295, auditd pid=4843
type=CONFIG_CHANGE msg=audit(1119444982.967:13083554): audit_enabled=1 old=1 by auid=4294967295
type=CONFIG_CHANGE msg=audit(1119444983.174:13083610): audit_backlog_limit=256 old=256 by auid=4294967295
type=SELINUX_ERR msg=audit(1119445018.854:13089384): SELinux: unrecognized netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1119445018.854:13089384): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fffff9861f0 a2=10 a3=0 items=0 pid=4852 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1119445018.854:13089384): saddr=100000000000000000000000
type=SOCKADDR msg=audit(1119445034.692:13092295): saddr=100000000000000000000000
type=SYSCALL msg=audit(1119445034.692:13092295): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fffffdc58b0 a2=34 a3=0 items=0 pid=4856 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SELINUX_ERR msg=audit(1119445034.692:13092295): SELinux: unrecognized netlink message type=1007 for sclass=49 t

Not shown is the attempt to access the /etc/shadow file from a normal system user. The changeover to that user is logged into audit.log, but no mention of the /etc/shadow access attempt (and failure) is logged.

SELinux is currently enabled with a targeted policy.

Version-Release number of selected component (if applicable):
audit-0.8.2-1

How reproducible:
Always

Steps to Reproduce:
1. service auditd start (if stopped)
2. auditctl -D
3. auditctl -w /etc/shadow
4. change to local system user and attempt to open /etc/shadow
5. view log file

Actual Results: See Description for details.

Expected Results: Some indication that the watch was set and that an attempt to open the /etc/shadow file was logged in /var/log/audit/audit.log

Additional info:
I'm submitting this bug as a Security issue, since it directly relates to intrusion detection. However, to my knowledge it does not open up any specific vulnerability.
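The raw records quoted in the report already contain the diagnosis: each `auditctl` invocation is a `sendto(2)` on the audit netlink socket (arch c000003e is x86_64, where syscall 44 is sendto) that fails with exit=-22, EINVAL, and the SELINUX_ERR record logged under the same audit serial names the netlink message type the kernel did not recognise. The following is an added example, not code from the report or from the audit project: it parses raw-format audit.log lines, groups records by serial, and pairs each rejected auditctl request with its SELinux netlink error, then checks whether any PATH record for the watched file ever appeared. The mapping of message types 1007/1008/1009 to AUDIT_WATCH_INS/REM/LIST is taken from the audit userspace headers of that era and should be treated as an assumption to verify against your own linux/audit.h; the sample log is constructed from the records quoted above.

```python
"""Explain failed auditctl requests from raw-format Linux audit records.

Added example (not code from the bug report or the audit project).
"""
import errno
import re
from collections import defaultdict

# Constructed sample: the records quoted in the bug report, one per line.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1119444982.764:768) auditd start, ver=0.8.2, format=raw, uid=4294967295, auditd pid=4843
type=CONFIG_CHANGE msg=audit(1119444982.967:13083554): audit_enabled=1 old=1 by auid=4294967295
type=CONFIG_CHANGE msg=audit(1119444983.174:13083610): audit_backlog_limit=256 old=256 by auid=4294967295
type=SELINUX_ERR msg=audit(1119445018.854:13089384): SELinux: unrecognized netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1119445018.854:13089384): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fffff9861f0 a2=10 a3=0 items=0 pid=4852 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1119445018.854:13089384): saddr=100000000000000000000000
type=SOCKADDR msg=audit(1119445034.692:13092295): saddr=100000000000000000000000
type=SYSCALL msg=audit(1119445034.692:13092295): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fffffdc58b0 a2=34 a3=0 items=0 pid=4856 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SELINUX_ERR msg=audit(1119445034.692:13092295): SELinux: unrecognized netlink message type=1007 for sclass=49
"""

# Assumption: watch request numbers as defined in the audit userspace headers
# of the audit-0.8/0.9 era. Verify against linux/audit.h on your system.
NETLINK_TYPES = {1007: "AUDIT_WATCH_INS", 1008: "AUDIT_WATCH_REM", 1009: "AUDIT_WATCH_LIST"}

# arch=c000003e is AUDIT_ARCH_X86_64; on that ABI syscall number 44 is sendto(2).
SYSCALL_NAMES = {("c000003e", 44): "sendto"}

# DAEMON_* records have no colon after the "msg=audit(...)" header, hence ":?".
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):?\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
NETLINK_ERR_RE = re.compile(r"unrecognized netlink message type=(\d+)")


def parse_records(text):
    """Return one dict per well-formed record; truncated or blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        records.append({"type": rtype, "ts": float(ts), "serial": int(serial),
                        "body": body, "fields": fields})
    return records


def group_by_serial(records):
    """All records of one event share a serial; file order is not guaranteed."""
    events = defaultdict(list)
    for rec in records:
        events[rec["serial"]].append(rec)
    return events


def diagnose_auditctl_failures(text):
    """One finding per auditctl syscall the kernel rejected, with its SELinux netlink error."""
    findings = []
    for serial, recs in sorted(group_by_serial(parse_records(text)).items()):
        selinux = next((r for r in recs if r["type"] == "SELINUX_ERR"), None)
        nl_type = None
        if selinux is not None:
            m = NETLINK_ERR_RE.search(selinux["body"])
            nl_type = int(m.group(1)) if m else None
        for sc in recs:
            f = sc["fields"]
            if sc["type"] != "SYSCALL" or f.get("comm") != "auditctl" or f.get("success") != "no":
                continue
            exit_code = int(f["exit"])  # negative errno, e.g. -22
            findings.append({
                "serial": serial,
                "pid": int(f["pid"]),
                "syscall": SYSCALL_NAMES.get((f.get("arch"), int(f["syscall"])), f["syscall"]),
                "errno": errno.errorcode.get(-exit_code, str(exit_code)),
                "netlink_type": nl_type,
                "request": NETLINK_TYPES.get(nl_type, "unknown"),
            })
    return findings


def path_records_for(text, path):
    """PATH records naming `path`; a working file watch would emit these on access."""
    return [r for r in parse_records(text)
            if r["type"] == "PATH" and r["fields"].get("name") == path]


if __name__ == "__main__":
    for finding in diagnose_auditctl_failures(SAMPLE_LOG):
        print(finding)
    print("PATH records for /etc/shadow:", len(path_records_for(SAMPLE_LOG, "/etc/shadow")))
```

Run against the sample, the two findings are the `auditctl -l` (type 1009) and `auditctl -w /etc/shadow` (type 1007) requests, both rejected with EINVAL, and no PATH record for /etc/shadow exists at all, which is consistent with the kernel never having installed the watch. The same grouping-by-serial approach is the one to use when checking any audit rule from the log rather than trusting the tool's exit status.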
This is expected/known. The kernel currently distributed does not support this functionality. It is currently under development and review. It is likely to be a few weeks before it is in an FC4 kernel. auditctl has the future functionality so that one day it all magically works.
I'm changing the status from security to normal as it is functionality that is waiting for the kernel to catch up. New audit 0.9.19 packages were put into FC4 testing and rawhide which give better error messages regarding file system watches. Please give it a try. File system watch code has been presented on lkml, so we are slightly closer to putting that capability into Fedora kernels, but it's not there yet.
We are still waiting for the kernel to catch up with user space.
Mass update to all FC4 bugs: An update has been released (2.6.13-1.1526_FC4) which rebases to a new upstream kernel (2.6.13.2). As there were ~3500 changes upstream between this and the previous kernel, it's possible your bug has been fixed already. Please retest with this update, and update this bug if necessary. Thanks.
2.6.14-1.1637_FC4 has been released as an update for FC4. Please retest with this update, as a large amount of code has been changed in this release, which may have fixed your problem. Thank you.
This is a mass-update to all currently open kernel bugs. A new kernel update has been released (Version: 2.6.15-1.1830_FC4) based upon a new upstream kernel release. Please retest against this new kernel, as a large number of patches go into each upstream release, possibly including changes that may address this problem. This bug has been placed in NEEDINFO_REPORTER state. Due to the large volume of inactive bugs in bugzilla, if this bug is still in this state in two weeks time, it will be closed. Should this bug still be relevant after this period, the reporter can reopen the bug at any time. Any other users on the Cc: list of this bug can request that the bug be reopened by adding a comment to the bug. If this bug is a problem preventing you from installing the release this version is filed against, please see bug 169613. Thank you.
Closing per previous comment.