Red Hat Bugzilla – Bug 174865
DAEMON_CONFIG audit record isn't right
Last modified: 2007-11-30 17:07:21 EST
Description of problem:
There are actually two problems with the DAEMON_CONFIG record but they're
in the same code so I'm just filing one bug. The main problem is that
there is no timestamp on this record. This problem exists at least
up until 1.0.12. The minor problem is that ausearch can't find the
record. This is fixed in 1.0.12 (perhaps earlier) but is broken in
1.0.4, so we need a fix to that version.
Patches are included. The timestamp fix is awkward (replicates most of
send_audit_event, even some that's not necessary because it won't ever
be the first message, and there's a malloc failure case that's not really
handled) but I'm providing it as a starting point that you will probably
want to improve on. The ausearch fix to auditd is the same as is in
Version-Release number of selected component (if applicable):
RHEL4U2 with audit 1.0.4+auditctl fix
Reproduces every time
Steps to Reproduce:
1. start the auditd
2. run /etc/init.d/auditd reload
3. look in the audit.log and see that the record is there but no timestamp
4. run ausearch -m DAEMON_CONFIG and ausearch will find no match
Actual results:
type=DAEMON_CONFIG msg=config changed, auid=2063 pid=23485 res=success
Expected results:
type=DAEMON_CONFIG msg=audit(1133562160.429:649) config changed, auid=2063,
Created attachment 121788
I forgot to mention that the example in the Actual results is from 1.0.12.
The 1.0.4 version has the auid and pid field reversed (causes ausearch to
not find the record) and no res= field, but Steve will recognize that.
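A checker for the defect described in the report, added here as an example (it is not the reporter's patch and not auditd's or ausearch's own code): it parses audit.log lines, flags records that lack the msg=audit(seconds.millis:serial) header that ausearch needs to match and date a record, and flags DAEMON_CONFIG records missing the auid, pid or res fields. The sample log is constructed: the first line copies the untimestamped record from the report, the others are assumed shapes for illustration.

```python
import re
from datetime import datetime, timezone

# Header ausearch keys on: msg=audit(SECONDS.MILLIS:SERIAL) followed by the record body.
AUDIT_HEADER = re.compile(
    r"^audit\((?P<sec>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\)\s*(?P<rest>.*)$"
)
TYPE_RE = re.compile(r"^type=(?P<type>\S+)\s+msg=(?P<msg>.*)$")

# Fields a DAEMON_CONFIG record is expected to carry (per the report's expected output).
DAEMON_CONFIG_FIELDS = ("auid", "pid", "res")

# Constructed sample log (not captured from a real system):
#   line 1: the untimestamped DAEMON_CONFIG record quoted in the bug report
#   line 2: the same record in its expected, timestamped form
#   line 3: an ordinary kernel record, assumed shape
#   line 4: a DAEMON_CONFIG record with no res= field, as the report says 1.0.4 emits
SAMPLE_LOG = """\
type=DAEMON_CONFIG msg=config changed, auid=2063 pid=23485 res=success
type=DAEMON_CONFIG msg=audit(1133562160.429:649) config changed, auid=2063, pid=23485 res=success
type=SYSCALL msg=audit(1133562161.001:650): arch=c000003e syscall=2 success=yes exit=3
type=DAEMON_CONFIG msg=config changed, auid=2063 pid=23485
"""


def parse_record(line):
    """Split one audit.log line into type, timestamp/serial (None if absent), body and key=value fields."""
    m = TYPE_RE.match(line.strip())
    if not m:
        return None
    rtype, msg = m.group("type"), m.group("msg")
    h = AUDIT_HEADER.match(msg)
    if h:
        ts = float(f"{h['sec']}.{h['ms']}")
        serial = int(h["serial"])
        body = h["rest"].lstrip(": ")
    else:
        ts, serial, body = None, None, msg
    fields = dict(re.findall(r"(\w+)=([^\s,]+)", body))
    return {"type": rtype, "timestamp": ts, "serial": serial, "body": body, "fields": fields}


def find_untimestamped(log_text, record_type=None):
    """Return parsed records (optionally only of record_type) that carry no audit(...) header."""
    bad = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if record_type and rec["type"] != record_type:
            continue
        if rec["timestamp"] is None:
            bad.append(rec)
    return bad


def missing_fields(rec, required=DAEMON_CONFIG_FIELDS):
    """Return the names from `required` that the record's body does not contain."""
    return [name for name in required if name not in rec["fields"]]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_record(line)
        if rec["timestamp"] is None:
            print(f"NO TIMESTAMP  {rec['type']}: {rec['body']}")
        else:
            when = datetime.fromtimestamp(rec["timestamp"], tz=timezone.utc)
            print(f"{when.isoformat()} serial={rec['serial']} {rec['type']}: {rec['body']}")
        if rec["type"] == "DAEMON_CONFIG" and missing_fields(rec):
            print(f"  missing fields: {', '.join(missing_fields(rec))}")
```

Run it against a real /var/log/audit/audit.log to list every daemon record that ausearch's time-based matching would skip; the check is deliberately limited to the header and field presence, since the swapped printf arguments mentioned in the report cannot be told apart from legitimate values by inspecting the log alone.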
Created attachment 121992
reworked patch isolating the time stamp issue
This is the proposed patch to fix the time stamp issue.
Created attachment 121995
patch isolating the switched parameters
This issue is on Red Hat Engineering's list of planned work items
for the upcoming Red Hat Enterprise Linux 4.4 release. Engineering
resources have been assigned and barring unforeseen circumstances, Red
Hat intends to include this item in the 4.4 release.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.