Description of problem:
An appropriately privileged user (CAP_SYS_ADMIN) can perform various control
actions on the audit system with an ioctl() on /dev/audit. One of these is the
ability to detach a process from the audit system. These control events are not
themselves audited. For the most part it is possible to work round this by
auditing ioctl calls on /dev/audit. However, for detach specifically and also
resume this does not work. This opens a severe hole in the ability of the audit
system to audit operations on itself.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a program which detaches itself from laus by calling laus_detach().
2. Invoke the program.
There is no audit configuration which will audit this.
Should probably be audited by default.
Created attachment 149880
Patch against laus-0.1-70RHEL3 to add audit control events
This patch adds the userspace handling for control events generated by the
associated patch in BZ 231912. It also updates the appropriate man pages.
The kernel patch adds a new event type for control events (ioctl()s on
/dev/audit). The event consists of:
* ioctl request number
* ioctl return code
It adds display code to pretty print the event in aucat and augrep. It also
allows filtering on the event. To enable these events, the following line must
be added to filter.conf:
event audit-control = always;
As this behaviour is expected and should be the norm, the patch adds this to
default configuration file. Note that existing configurations which do not
contain the above line will not see these events.
Created attachment 149884
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options)
This patch obsoletes the previous patch. It adds the -e CONTROL option to
augrep to allow filtering on control events. It also updates the augrep man
Created attachment 149886
Utility to detach a program from laus
This utility can be used to execute a program after detaching from laus. It is
also a useful test for this bug. Execute the following on a RHEL 3 U8 system:
Check the audit logs. Note that there is nothing there. You can even try
auditing all ioctls on /dev/audit by adding the following to filter.conf:
syscall ioctl = (is-auditdevice(arg0));
Note that this will audit most events, but not detach or resume.
Apply the patch in this bug to laus, and the associated kernel patch. Add the
following line to filter.conf:
event audit-control = always;
Rerun the test. Note that all control events are now audited.
Created attachment 149949
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options and old kernel fix)
Laus will exit immediately if you try to configure an event which isn't
recognised by the running kernel. This means that if a user updated to the new
laus without a kernel update, or they just didn't reboot, laus would fail to
This is an updated patch which causes startup not to fail if the audit-control
event cannot be configured. All other events will continue to cause a failure.
Built laus-0.1-75RHEL3 for testing purposes.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
Resolved. Closing ticket and informing customer.
Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 3.9'
This event sent from IssueTracker by jfautley