Bug 223864 - LSPP: Exceptions to expected audit behavior should be documented
LSPP: Exceptions to expected audit behavior should be documented
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Steve Grubb
Brian Brock
Depends On:
Blocks: RHEL5LSPPCertTracker 227613
  Show dependency treegraph
Reported: 2007-01-22 15:05 EST by Kylene J Hall
Modified: 2007-11-30 17:07 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-03-05 17:36:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Kylene J Hall 2007-01-22 15:05:07 EST
Description of problem:
There are several audit records that don't appear in the audit log as would be
expected by a system admin.  We think these should be documented, possibly in
the auditctl manpage or where ever you feel is appropriate.  Here are two bug
references where such cases were figured out:
* https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219214
* https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221663
Comment 1 Irina Boverman 2007-02-14 15:42:44 EST
per 2/12, Steve G. is evaluating alternatives.
Comment 2 Kylene J Hall 2007-02-14 17:26:26 EST
Let me know what you'd like me to do with this one.

Several syscalls when run in 32 bit mode on s390x are ORing 0x4900000000 (notice
that is too big for a 32 bit field) with the 4th audited argument.  Again, I
think this is could be happening at the glibc level because when I strace the
test the value has already been ORed.  However, I see the same result when I
change the test to call with syscall(__NR_###.

The syscalls I have observed this with include: fchownat, fgetxattr, fsetxattr,
getxattr, lgetxattr, lsetxattr, mknodat, mmap, mq_timedsendreceive, mremap,
openat, ptrace, renameat, setxattr, linkat.
Comment 3 Steve Grubb 2007-03-05 17:36:54 EST
This will be fixed by updating documentation in the configuration guide. Closing.

Note You need to log in before you can comment on or make changes to this bug.