Bug 223864 - LSPP: Exceptions to expected audit behavior should be documented
Summary: LSPP: Exceptions to expected audit behavior should be documented
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit   
(Show other bugs)
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Steve Grubb
QA Contact: Brian Brock
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: RHEL5LSPPCertTracker 227613
TreeView+ depends on / blocked
 
Reported: 2007-01-22 20:05 UTC by Kylene J Hall
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-03-05 22:36:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Kylene J Hall 2007-01-22 20:05:07 UTC
Description of problem:
There are several audit records that don't appear in the audit log as would be
expected by a system admin.  We think these should be documented, possibly in
the auditctl manpage or where ever you feel is appropriate.  Here are two bug
references where such cases were figured out:
* https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219214
* https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221663

Comment 1 Irina Boverman 2007-02-14 20:42:44 UTC
per 2/12, Steve G. is evaluating alternatives.

Comment 2 Kylene J Hall 2007-02-14 22:26:26 UTC
Let me know what you'd like me to do with this one.

Several syscalls when run in 32 bit mode on s390x are ORing 0x4900000000 (notice
that is too big for a 32 bit field) with the 4th audited argument.  Again, I
think this is could be happening at the glibc level because when I strace the
test the value has already been ORed.  However, I see the same result when I
change the test to call with syscall(__NR_###.

The syscalls I have observed this with include: fchownat, fgetxattr, fsetxattr,
getxattr, lgetxattr, lsetxattr, mknodat, mmap, mq_timedsendreceive, mremap,
openat, ptrace, renameat, setxattr, linkat.

Comment 3 Steve Grubb 2007-03-05 22:36:54 UTC
This will be fixed by updating documentation in the configuration guide. Closing.


Note You need to log in before you can comment on or make changes to this bug.