Description of problem:
An appropriately privileged user (CAP_SYS_ADMIN) can perform various control actions on the audit system with an ioctl() on /dev/audit. One of these is the ability to detach a process from the audit system. These control events are not themselves audited. For the most part it is possible to work round this by auditing ioctl calls on /dev/audit. However, for detach specifically and also resume this does not work. This opens a severe hole in the ability of the audit system to audit operations on itself.

Version-Release number of selected component (if applicable):
laus-0.1-70RHEL3

How reproducible:
Always

Steps to Reproduce:
1. Create a program which detaches itself from laus by calling laus_detach().
2. Invoke the program.

Actual results:
There is no audit configuration which will audit this.

Expected results:
Should probably be audited by default.
Created attachment 149880: Patch against laus-0.1-70RHEL3 to add audit control events

This patch adds the userspace handling for control events generated by the associated patch in BZ 231912. It also updates the appropriate man pages.

The kernel patch adds a new event type for control events (ioctl()s on /dev/audit). The event consists of:
* ioctl request number
* ioctl return code

It adds display code to pretty print the event in aucat and augrep. It also allows filtering on the event.

To enable these events, the following line must be added to filter.conf:

event audit-control = always;

As this behaviour is expected and should be the norm, the patch adds this to the default configuration file. Note that existing configurations which do not contain the above line will not see these events.
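The comment above makes the point that an existing filter.conf will silently keep missing control events until the `event audit-control = always;` rule is added. The following is an added example, not part of the bug report or the laus project: a small checker that parses a filter.conf and reports whether audit-control events are enabled and whether an ioctl rule on /dev/audit is present (which, per the report, still leaves detach and resume unaudited). It assumes filter.conf is a line-oriented file of `;`-terminated statements with `#` comments; only the two statements quoted in this bug are known to be real syntax, and the sample configurations are constructed.

```python
"""Check a LAuS filter.conf for the audit-control rule described in the bug.

Added example, not part of the bug report or the laus project. Assumes
filter.conf is a line-oriented file with ';'-terminated statements and '#'
comments; only the two statements quoted in the report are known syntax.
"""
import re

# Constructed sample: a configuration that audits ioctl()s on /dev/audit but
# has not yet been updated with the audit-control rule from the patch.
OLD_FILTER_CONF = """\
# filter.conf (constructed sample)
tag "FOO" syscall ioctl = (is-auditdevice(arg0));
"""

# Constructed sample: the same file after adding the line the patch requires.
NEW_FILTER_CONF = OLD_FILTER_CONF + "event audit-control = always;\n"

# Matches `event NAME = PREDICATE` (semicolon already stripped by statements()).
EVENT_RE = re.compile(r"^\s*event\s+([\w-]+)\s*=\s*(.+?)\s*$")


def statements(text):
    """Yield ';'-terminated statements with comments and blank lines removed."""
    body = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        if line.strip():
            body.append(line.strip())
    for stmt in " ".join(body).split(";"):
        stmt = stmt.strip()
        if stmt:
            yield stmt


def event_rules(text):
    """Map event name -> predicate for every `event NAME = PRED` statement."""
    rules = {}
    for stmt in statements(text):
        m = EVENT_RE.match(stmt)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules


def audit_control_status(text):
    """Describe whether control events on /dev/audit will be logged."""
    pred = event_rules(text).get("audit-control")
    ioctl_rule = any(
        "syscall ioctl" in s and "is-auditdevice" in s for s in statements(text)
    )
    enabled = pred == "always"
    return {
        "audit_control_enabled": enabled,
        "ioctl_rule_present": ioctl_rule,
        # Per the report, an ioctl rule covers most control requests but not
        # detach or resume, so those remain a gap until the event rule exists.
        "unaudited_control_ops": [] if enabled else ["detach", "resume"],
    }


if __name__ == "__main__":
    for name, conf in (("old", OLD_FILTER_CONF), ("new", NEW_FILTER_CONF)):
        print(name, audit_control_status(conf))
```

Run it against a real filter.conf by reading the file into `audit_control_status()`; a result with `audit_control_enabled` false on a patched system is exactly the silent-miss case the comment warns about.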
Created attachment 149884: Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options)

This patch obsoletes the previous patch. It adds the -e CONTROL option to augrep to allow filtering on control events. It also updates the augrep man page.
Created attachment 149886: Utility to detach a program from laus

This utility can be used to execute a program after detaching from laus. It is also a useful test for this bug.

Execute the following on a RHEL 3 U8 system:

laus_detach /bin/ls

Check the audit logs. Note that there is nothing there.

You can even try auditing all ioctls on /dev/audit by adding the following to filter.conf:

tag "FOO" syscall ioctl = (is-auditdevice(arg0));

Note that this will audit most events, but not detach or resume.

Apply the patch in this bug to laus, and the associated kernel patch. Add the following line to filter.conf:

event audit-control = always;

Rerun the test. Note that all control events are now audited.
Created attachment 149949: Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options and old kernel fix)

Laus will exit immediately if you try to configure an event which isn't recognised by the running kernel. This means that if a user updated to the new laus without a kernel update, or they just didn't reboot, laus would fail to start.

This is an updated patch which causes startup not to fail if the audit-control event cannot be configured. All other events will continue to cause a failure.
Built laus-0.1-75RHEL3 for testing purposes.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0459.html
Resolved. Closing ticket and informing customer.

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 3.9'

This event sent from IssueTracker by jfautley, issue 116050