Bug 166518 - auditctl inode auditing rules don't work
Summary: auditctl inode auditing rules don't work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: audit
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Steve Grubb
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: 156322
Reported: 2005-08-22 19:40 UTC by Steve Grubb
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHEA-2005-530
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-05 12:40:16 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHEA-2005:530
Private: 0
Priority: qe-ready
Status: SHIPPED_LIVE
Summary: audit enhancement update
Last Updated: 2005-10-05 04:00:00 UTC

Description Steve Grubb 2005-08-22 19:40:15 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
Inode auditing rules get corrupted before sending to the kernel.

[root@discovery ~]# ls -i /etc/passwd
1562153 /etc/passwd
[root@discovery ~]# auditctl -a exit,always -F inode=1562153
[root@discovery ~]# auditctl -l
AUDIT_LIST: exit,always inode=0 syscall=all
File system watches not supported

The inode number gets changed to 0.

Version-Release number of selected component (if applicable):
audit-1.0.1-2

How reproducible:
Always

Steps to Reproduce:
1. See description

Additional info:

Comment 1 Steve Grubb 2005-08-22 19:42:21 UTC
This bug may also affect rules with the following fields: exit, success,
devmajor, and devminor. Upgrading to version 1.0.3 is the recommended solution.

Comment 2 Steve Grubb 2005-08-22 20:21:06 UTC
This bug needs to be fixed because the audit system doesn't work the way it is
documented. The man pages say that the user can set certain kinds of rules. It
turns out that they do not work because of the corruption. Adding to the U2
proposed list.

Comment 4 Andrius Benokraitis 2005-08-22 21:28:00 UTC
From Steve in an email:

You can pick values at random to test. The following shows the full extent of 
the issues. Try:

[root@discovery ~]# auditctl -a exit,always -F devmajor=15
[root@discovery ~]# auditctl -a exit,always -F devminor=30
[root@discovery ~]# auditctl -a exit,always -F success=50
[root@discovery ~]# auditctl -a exit,always -F exit=50
[root@discovery ~]# auditctl -a exit,always -F inode=50
[root@discovery ~]# auditctl -l
AUDIT_LIST: exit,always devmajor=0 syscall=all
AUDIT_LIST: exit,always devminor=0 syscall=all
AUDIT_LIST: exit,always success=0 syscall=all
AUDIT_LIST: exit,always exit=0 syscall=all
AUDIT_LIST: exit,always inode=0 syscall=all
File system watches not supported

You see, they all go to 0.
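
A check that can be run after loading rules, given here as an added example that is not part of the original bug thread or the audit project's code: it compares each requested -F field=value against the AUDIT_LIST lines of a listing and reports values that came back changed. The function name check_fields and the two sample listings are constructed for illustration, and the AUDIT_LIST output format is assumed to be the one shown in this report.

```shell
#!/bin/sh
# Added example: confirm that each field value requested with `auditctl -F`
# is echoed back unchanged by `auditctl -l`.
# Assumption: the listing uses the "AUDIT_LIST: <list>,<action> <field>=<value> ..."
# lines shown in this report (audit 1.0.x); newer releases print rules differently.

# check_fields LISTING FIELD=VALUE...
# Prints one line per problem; returns 0 if every field matched, 1 otherwise.
check_fields() {
    listing=$1; shift
    bad=0
    for want in "$@"; do
        field=${want%%=*}
        # Collect every value reported for this field across all listed rules.
        got=$(printf '%s\n' "$listing" | awk -v f="$field" '
            /^AUDIT_LIST:/ {
                for (i = 2; i <= NF; i++) {
                    n = index($i, "=")
                    if (n && substr($i, 1, n - 1) == f) print substr($i, n + 1)
                }
            }')
        if [ -z "$got" ]; then
            echo "MISSING  $want (no listed rule has field $field)"; bad=1
        elif ! printf '%s\n' "$got" | grep -qxF -- "${want#*=}"; then
            echo "MISMATCH $want (listed as: $(echo $got))"; bad=1
        fi
    done
    return $bad
}

# Constructed sample input, copied from the listings in this report.
BROKEN='AUDIT_LIST: exit,always devmajor=0 syscall=all
AUDIT_LIST: exit,always inode=0 syscall=all
File system watches not supported'

# Constructed: the same listing if the requested values had been preserved.
INTACT='AUDIT_LIST: exit,always devmajor=15 syscall=all
AUDIT_LIST: exit,always inode=50 syscall=all'

# Live use (needs root and the audit package):
#   check_fields "$(auditctl -l)" inode=1562153
```

A non-zero return means at least one loaded rule does not carry the value that was requested, so events for the intended inode or device will not be matched by that rule.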

Comment 8 Red Hat Bugzilla 2005-10-05 10:56:22 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2005-530.html

