Bug 166518 - auditctl inode auditing rules don't work
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: audit
Version: 4.0
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Steve Grubb
QA Contact: Brian Brock
Blocks: 156322
Reported: 2005-08-22 15:40 EDT by Steve Grubb
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHEA-2005-530
Doc Type: Bug Fix
Last Closed: 2005-10-05 08:40:16 EDT
Description Steve Grubb 2005-08-22 15:40:15 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
Inode auditing rules get corrupted before sending to the kernel.

[root@discovery ~]# ls -i /etc/passwd
1562153 /etc/passwd
[root@discovery ~]# auditctl -a exit,always -F inode=1562153
[root@discovery ~]# auditctl -l
AUDIT_LIST: exit,always inode=0 syscall=all
File system watches not supported

The inode number gets changed to 0.

Version-Release number of selected component (if applicable):
audit-1.0.1-2

How reproducible:
Always

Steps to Reproduce:
1. See description

Additional info:
Comment 1 Steve Grubb 2005-08-22 15:42:21 EDT
This bug may also affect rules with the following fields: exit, success,
devmajor, and devminor. Upgrading to version 1.0.3 is the recommended solution.
Comment 2 Steve Grubb 2005-08-22 16:21:06 EDT
This bug needs to be fixed because the audit system doesn't work the way it is
documented. The man pages say that the user can set certain kinds of rules. It
turns out that they do not work because of the corruption. Adding to the U2
proposed list.
Comment 4 Andrius Benokraitis 2005-08-22 17:28:00 EDT
From Steve in an email:

You can pick values at random to test. The following shows the full extent of 
the issues. Try:

[root@discovery ~]# auditctl -a exit,always -F devmajor=15
[root@discovery ~]# auditctl -a exit,always -F devminor=30
[root@discovery ~]# auditctl -a exit,always -F success=50
[root@discovery ~]# auditctl -a exit,always -F exit=50
[root@discovery ~]# auditctl -a exit,always -F inode=50
[root@discovery ~]# auditctl -l
AUDIT_LIST: exit,always devmajor=0 syscall=all
AUDIT_LIST: exit,always devminor=0 syscall=all
AUDIT_LIST: exit,always success=0 syscall=all
AUDIT_LIST: exit,always exit=0 syscall=all
AUDIT_LIST: exit,always inode=0 syscall=all
File system watches not supported

You see, they all go to 0.
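
One way to catch this failure is to compare the values `auditctl -l` lists against the values that were requested. The script below is an added example, not part of the original report or of the audit package; `verify_audit_rules` and `SAMPLE_LISTING` are hypothetical names, and the sample listing is constructed from the output quoted in this report, whose `AUDIT_LIST:` line format the parser assumes.

```shell
#!/bin/sh
# Added example: check that listed audit rules carry the requested field values.
# verify_audit_rules is a hypothetical helper, not part of the audit package.

# Constructed sample: the listing quoted in this report (audit-1.0.1-2).
SAMPLE_LISTING='AUDIT_LIST: exit,always devmajor=0 syscall=all
AUDIT_LIST: exit,always devminor=0 syscall=all
AUDIT_LIST: exit,always success=0 syscall=all
AUDIT_LIST: exit,always exit=0 syscall=all
AUDIT_LIST: exit,always inode=0 syscall=all
File system watches not supported'

# Usage: verify_audit_rules "<listing>" field=value [field=value ...]
# Prints one status line per requested field and returns the number of
# requested fields that are not listed with the requested value.
# On a live system the listing would be "$(auditctl -l)".
verify_audit_rules() {
    listing=$1; shift
    bad=0
    for want in "$@"; do
        field=${want%%=*}
        # Collect every value the listing reports for this field name.
        got=$(printf '%s\n' "$listing" | awk -v f="$field" '
            /^AUDIT_LIST:/ {
                for (i = 2; i <= NF; i++)
                    if (index($i, f "=") == 1) print substr($i, length(f) + 2)
            }')
        if [ -z "$got" ]; then
            echo "MISSING   $want (no listed rule has field $field)"
            bad=$((bad + 1))
        elif printf '%s\n' "$got" | grep -qxF -- "${want#*=}"; then
            echo "OK        $want"
        else
            echo "MISMATCH  $want (listed as $field=$(echo $got | tr ' ' ','))"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# The values requested in the report, checked against the listing it produced.
verify_audit_rules "$SAMPLE_LISTING" devmajor=15 devminor=30 success=50 exit=50 inode=50 \
    || echo "$? requested field(s) not loaded as written"
```

A non-zero return right after loading rules means the listed rule set does not match what was requested.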
Comment 8 Red Hat Bugzilla 2005-10-05 06:56:22 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2005-530.html
Comment 9 Red Hat Bugzilla 2005-10-05 07:49:34 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2005-530.html
Comment 10 Red Hat Bugzilla 2005-10-05 08:40:16 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2005-530.html
