Bug 231912 - Laus doesn't audit detach event
Laus doesn't audit detach event
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Bryn M. Reeves
Martin Jenner
Depends On:
Blocks: 231914
  Show dependency treegraph
Reported: 2007-03-12 18:30 EDT by Matthew Booth
Modified: 2007-11-16 20:14 EST (History)
2 users (show)

See Also:
Fixed In Version: RHSA-2007-0436
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-06-11 13:59:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch against kernel 2.4.21-47.0.1.EL to add audit control events (5.96 KB, patch)
2007-03-12 18:40 EDT, Matthew Booth
no flags Details | Diff
Patch against kernel 2.4.21-47.0.1.EL to add audit control events (5.96 KB, patch)
2007-03-13 13:38 EDT, Matthew Booth
no flags Details | Diff
goto error -> goto err (6.48 KB, patch)
2007-03-16 13:18 EDT, Bryn M. Reeves
no flags Details | Diff

  None (edit)
Description Matthew Booth 2007-03-12 18:30:36 EDT
Description of problem:
An appropriately privilege user (CAP_SYS_ADMIN) can perform various control
actions on the audit system with an ioctl() on /dev/audit. One of these is the
ability to detach a process from the audit system. These control events are not
themselves audited. For the most part it is possible to work round this by
auditing ioctl calls on /dev/audit. However, for detach specifically and also
resume this does not work. This opens a severe hole in the ability of the audit
system to audit operations on itself.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a program which detaches itself from laus by calling laus_detach().
2. Invoke the program.
Actual results:
There is no audit configuration which will audit this.

Expected results:
Should probably be audited by default.
Comment 1 Matthew Booth 2007-03-12 18:40:00 EDT
Created attachment 149877 [details]
Patch against kernel 2.4.21-47.0.1.EL to add audit control events

This patch adds a new event type for audit control events. The events are
generated for every attempted ioctl on /dev/audit. The event comprises:

* the ioctl request number
* the return code

The events are only generated based on a match in the filter policy. This means
that existing configurations will not receive these events. In fact, without
the corresponding laus userspace update, it is not possible to receive these
events. With the userspace update, receiving these events simply requires the
following line in filter.conf:

event audit-control = always;
Comment 7 Matthew Booth 2007-03-13 13:38:03 EDT
Created attachment 149955 [details]
Patch against kernel 2.4.21-47.0.1.EL to add audit control events

This is an NFC from the previous patch. It fixes a coding style problem found
by Brynn Reeves (spaces instead of a tab).
Comment 9 Steve Grubb 2007-03-16 09:35:30 EDT
Reviewed patch and have 1 comment:

+		error=-EPERM;


+		goto error;

Might not be good to have a variable "error" and a label of "error". The label
could be error_exit, err, or something else that's unique.
Comment 10 Bryn M. Reeves 2007-03-16 13:18:18 EDT
Created attachment 150254 [details]
goto error -> goto err

Agreed. Attaching revised patch.
Comment 11 Ernie Petrides 2007-03-19 23:44:27 EDT
A fix for this problem has just been committed to the RHEL3 U9
patch pool this evening (in kernel version 2.4.21-47.7.EL).
Comment 14 Red Hat Bugzilla 2007-06-11 13:59:19 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 15 Issue Tracker 2007-06-12 05:00:23 EDT
Resolved. Closing ticket.

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 3.9'

This event sent from IssueTracker by jfautley 
 issue 116053

Note You need to log in before you can comment on or make changes to this bug.