Bug 231912 - Laus doesn't audit detach event
Summary: Laus doesn't audit detach event
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.8
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bryn M. Reeves
QA Contact: Martin Jenner
URL:
Whiteboard:
Depends On:
Blocks: 231914
TreeView+ depends on / blocked
 
Reported: 2007-03-12 22:30 UTC by Matthew Booth
Modified: 2007-11-17 01:14 UTC (History)
2 users (show)

Fixed In Version: RHSA-2007-0436
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-06-11 17:59:19 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Patch against kernel 2.4.21-47.0.1.EL to add audit control events (5.96 KB, patch)
2007-03-12 22:40 UTC, Matthew Booth
no flags Details | Diff
Patch against kernel 2.4.21-47.0.1.EL to add audit control events (5.96 KB, patch)
2007-03-13 17:38 UTC, Matthew Booth
no flags Details | Diff
goto error -> goto err (6.48 KB, patch)
2007-03-16 17:18 UTC, Bryn M. Reeves
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0436 0 normal SHIPPED_LIVE Important: Updated kernel packages for Red Hat Enterprise Linux 3 Update 9 2007-06-08 00:03:57 UTC

Description Matthew Booth 2007-03-12 22:30:36 UTC
Description of problem:
An appropriately privilege user (CAP_SYS_ADMIN) can perform various control
actions on the audit system with an ioctl() on /dev/audit. One of these is the
ability to detach a process from the audit system. These control events are not
themselves audited. For the most part it is possible to work round this by
auditing ioctl calls on /dev/audit. However, for detach specifically and also
resume this does not work. This opens a severe hole in the ability of the audit
system to audit operations on itself.

Version-Release number of selected component (if applicable):
2.4.21-47.0.1.EL

How reproducible:
Always

Steps to Reproduce:
1. Create a program which detaches itself from laus by calling laus_detach().
2. Invoke the program.
  
Actual results:
There is no audit configuration which will audit this.

Expected results:
Should probably be audited by default.

Comment 1 Matthew Booth 2007-03-12 22:40:00 UTC
Created attachment 149877 [details]
Patch against kernel 2.4.21-47.0.1.EL to add audit control events

This patch adds a new event type for audit control events. The events are
generated for every attempted ioctl on /dev/audit. The event comprises:

* the ioctl request number
* the return code

The events are only generated based on a match in the filter policy. This means
that existing configurations will not receive these events. In fact, without
the corresponding laus userspace update, it is not possible to receive these
events. With the userspace update, receiving these events simply requires the
following line in filter.conf:

event audit-control = always;

Comment 7 Matthew Booth 2007-03-13 17:38:03 UTC
Created attachment 149955 [details]
Patch against kernel 2.4.21-47.0.1.EL to add audit control events

This is an NFC from the previous patch. It fixes a coding style problem found
by Brynn Reeves (spaces instead of a tab).

Comment 9 Steve Grubb 2007-03-16 13:35:30 UTC
Reviewed patch and have 1 comment:

+		error=-EPERM;

<snip>

+		goto error;

Might not be good to have a variable "error" and a label of "error". The label
could be error_exit, err, or something else that's unique.

Comment 10 Bryn M. Reeves 2007-03-16 17:18:18 UTC
Created attachment 150254 [details]
goto error -> goto err

Agreed. Attaching revised patch.

Comment 11 Ernie Petrides 2007-03-20 03:44:27 UTC
A fix for this problem has just been committed to the RHEL3 U9
patch pool this evening (in kernel version 2.4.21-47.7.EL).


Comment 14 Red Hat Bugzilla 2007-06-11 17:59:19 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0436.html


Comment 15 Issue Tracker 2007-06-12 09:00:23 UTC
Resolved. Closing ticket.

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 3.9'

This event sent from IssueTracker by jfautley 
 issue 116053


Note You need to log in before you can comment on or make changes to this bug.