Red Hat Bugzilla – Bug 161322
auditctl watch function does not work
Last modified: 2015-01-04 17:20:25 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4
Description of problem:
The audit module "watch" functionality does not appear to be working and gives error messages when attempting to enable it.
This is a default FC4 installation on an x86_64 system. No updates as of yet, although at the time of this sumittal, no updates were available for either the kernel or audit packages.
here is a list of the commands with screen io:
[root@fc4-test audit]# service auditd start
Starting auditd: [ OK ]
[root@fc4-test audit]# auditctl -D
[root@fc4-test audit]# auditctl -l
Error sending netlink packet (Invalid argument)
Error sending list request (Invalid argument)
[root@fc4-test audit]# auditctl -w /etc/shadow
Error sending netlink packet (Invalid argument)
Error sending watch insert request (Invalid argument)
Error sending watch to kernel
Here is the audit.log file (which was cleared before the above commands):
type=DAEMON_START msg=audit(1119444982.764:768) auditd start, ver=0.8.2, format=raw, uid=4294967295, auditd pid=4843
type=CONFIG_CHANGE msg=audit(1119444982.967:13083554): audit_enabled=1 old=1 by auid=4294967295
type=CONFIG_CHANGE msg=audit(1119444983.174:13083610): audit_backlog_limit=256 old=256 by auid=4294967295
type=SELINUX_ERR msg=audit(1119445018.854:13089384): SELinux: unrecognized netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1119445018.854:13089384): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fffff9861f0 a2=10 a3=0 items=0 pid=4852 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1119445018.854:13089384): saddr=100000000000000000000000
type=SOCKADDR msg=audit(1119445034.692:13092295): saddr=100000000000000000000000
type=SYSCALL msg=audit(1119445034.692:13092295): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fffffdc58b0 a2=34 a3=0 items=0 pid=4856 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SELINUX_ERR msg=audit(1119445034.692:13092295): SELinux: unrecognized netlink message type=1007 for sclass=49
Not shown is the attempt to access the /etc/shadow file from a normal system user. The changeover to that user is logged into audit.log, but no mention of the /etc/shadow access attempt (and failure) is logged.
SELinux is currently enabled with a targeted policy.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. service auditd start (if stopped)
2. auditctl -D
3. auditctl -w /etc/shadow
4. change to local system user and attempt to open /etc/shadow
5. view log file
Actual Results: See Description for details.
Expected Results: Some indication that the watch was set and that an attempt to open the /etc/shadow file was logged in /var/log/audit/audit.log
I'm submitting this bug as a Security issue, since it directly relates to intrusion detection. However, to my knowledge it does not open up any specific vulnerability.
This is expected/known. The kernel currently distributed does not support this
functionality. It is currently under development and review. It is likely to be
a few weeks before it is in a FC4 kernel. auditctl has the future functionality
so that one day it all magically works.
I'm changing the status from security to normal as it is functionality that is
waiting for the kernel to catch up. New audit 0.9.19 packages were put into FC4
testing and rawhide which gives better error messages regarding file system
watches. Please give it a try. File system watch code has been presented on
lkml, so we are slightly closer to putting that capability into fedora kernels,
but its not there yet.
We are still waiting for the kernel to catch up with user space.
Mass update to all FC4 bugs:
An update has been released (2.6.13-1.1526_FC4) which rebases to a new upstream
kernel (18.104.22.168). As there were ~3500 changes upstream between this and the
previous kernel, it's possible your bug has been fixed already.
Please retest with this update, and update this bug if necessary.
2.6.14-1.1637_FC4 has been released as an update for FC4.
Please retest with this update, as a large amount of code has been changed in
this release, which may have fixed your problem.
This is a mass-update to all currently open kernel bugs.
A new kernel update has been released (Version: 2.6.15-1.1830_FC4)
based upon a new upstream kernel release.
Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.
This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.
Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.
If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.
Closing per previous comment.