Bug 231914 - Laus doesn't audit detach event
Summary: Laus doesn't audit detach event
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: laus
Version: 3.8
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Steve Grubb
QA Contact:
URL:
Whiteboard:
Depends On: 231912
Blocks:
Reported: 2007-03-12 23:05 UTC by Matthew Booth
Modified: 2007-11-17 01:14 UTC (History)

Fixed In Version: RHBA-2007-0459
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-06-11 18:40:01 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch against laus-0.1-70RHEL3 to add audit control events (5.14 KB, patch)
2007-03-12 23:14 UTC, Matthew Booth
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options) (6.09 KB, patch)
2007-03-12 23:39 UTC, Matthew Booth
Utility to detach a program from laus (1.40 KB, text/x-csrc)
2007-03-12 23:46 UTC, Matthew Booth
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options and old kernel fix) (7.49 KB, patch)
2007-03-13 16:55 UTC, Matthew Booth


Links
Red Hat Product Errata RHBA-2007:0459 (priority normal, status SHIPPED_LIVE): laus bug fix update, last updated 2007-06-07 22:56:37 UTC

Description Matthew Booth 2007-03-12 23:05:11 UTC
Description of problem:
An appropriately privileged user (CAP_SYS_ADMIN) can perform various control
actions on the audit system with an ioctl() on /dev/audit. One of these is the
ability to detach a process from the audit system. These control events are not
themselves audited. For the most part it is possible to work round this by
auditing ioctl calls on /dev/audit. However, for detach specifically and also
resume this does not work. This opens a severe hole in the ability of the audit
system to audit operations on itself.

Version-Release number of selected component (if applicable):
laus-0.1-70RHEL3

How reproducible:
Always

Steps to Reproduce:
1. Create a program which detaches itself from laus by calling laus_detach().
2. Invoke the program.
  
Actual results:
There is no audit configuration which will audit this.

Expected results:
Should probably be audited by default.

Additional info:

Comment 1 Matthew Booth 2007-03-12 23:14:51 UTC
Created attachment 149880 [details]
Patch against laus-0.1-70RHEL3 to add audit control events

This patch adds the userspace handling for control events generated by the
associated patch in BZ 231912. It also updates the appropriate man pages.

The kernel patch adds a new event type for control events (ioctl()s on
/dev/audit). The event consists of:

* ioctl request number
* ioctl return code

It adds display code to pretty print the event in aucat and augrep. It also
allows filtering on the event. To enable these events, the following line must
be added to filter.conf:

event audit-control = always;

As this behaviour is expected and should be the norm, the patch adds this to
default configuration file. Note that existing configurations which do not
contain the above line will not see these events.

Comment 2 Matthew Booth 2007-03-12 23:39:35 UTC
Created attachment 149884 [details]
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options)

This patch obsoletes the previous patch. It adds the -e CONTROL option to
augrep to allow filtering on control events. It also updates the augrep man
page.

Comment 3 Matthew Booth 2007-03-12 23:46:28 UTC
Created attachment 149886 [details]
Utility to detach a program from laus

This utility can be used to execute a program after detaching from laus. It is
also a useful test for this bug. Execute the following on a RHEL 3 U8 system:

laus_detach /bin/ls

Check the audit logs. Note that there is nothing there. You can even try
auditing all ioctls on /dev/audit by adding the following to filter.conf:

tag "FOO"
syscall ioctl = (is-auditdevice(arg0));

Note that this will audit most events, but not detach or resume.

Apply the patch in this bug to laus, and the associated kernel patch. Add the
following line to filter.conf:

event audit-control = always;

Rerun the test. Note that all control events are now audited.
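The caveat in comments 1 and 3 is that a filter.conf which only audits ioctl() calls on /dev/audit still misses detach and resume, and existing configurations without the new line never see control events. The following Python helper is an added example, not part of the bug's patches: it classifies a filter.conf body by which of the two rules it carries and appends the audit-control rule where it is missing. The sample configurations are constructed from the lines quoted in this bug, and the '#' comment syntax is an assumption.

```python
import re

# Constructed sample: a pre-patch filter.conf that only audits ioctls on the
# audit device (the workaround from comment 3, which misses detach/resume).
OLD_FILTER_CONF = """\
tag "FOO"
syscall ioctl = (is-auditdevice(arg0));
"""

# Constructed sample: the same file plus the line the patch adds to the
# default configuration (comment 1).
NEW_FILTER_CONF = OLD_FILTER_CONF + "event audit-control = always;\n"

_CONTROL_RULE = re.compile(r"^\s*event\s+audit-control\s*=\s*always\s*;")
_IOCTL_RULE = re.compile(
    r"^\s*syscall\s+ioctl\s*=.*is-auditdevice\s*\(\s*arg0\s*\)")


def _rules(text):
    """Yield non-empty rule lines; '#' comments are an assumed syntax."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if line.strip():
            yield line


def audit_control_status(text):
    """Classify a filter.conf body.

    'full'       - audit-control events enabled; detach/resume are logged
    'ioctl-only' - only ioctl() on /dev/audit is audited; detach/resume missed
    'none'       - neither rule present
    """
    has_control = any(_CONTROL_RULE.match(l) for l in _rules(text))
    has_ioctl = any(_IOCTL_RULE.match(l) for l in _rules(text))
    if has_control:
        return "full"
    if has_ioctl:
        return "ioctl-only"
    return "none"


def ensure_audit_control(text):
    """Return text with the audit-control rule appended if it is missing."""
    if audit_control_status(text) == "full":
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "event audit-control = always;\n"
```

Run audit_control_status over each deployed filter.conf to find hosts that will stay silent on detach and resume after the update.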

Comment 8 Matthew Booth 2007-03-13 16:55:16 UTC
Created attachment 149949 [details]
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options and old kernel fix)

Laus will exit immediately if you try to configure an event which isn't
recognised by the running kernel. This means that if a user updated to the new
laus without a kernel update, or they just didn't reboot, laus would fail to
start.

This is an updated patch which causes startup not to fail if the audit-control
event cannot be configured. All other events will continue to cause a failure.

Comment 11 Steve Grubb 2007-03-19 18:38:24 UTC
Built laus-0.1-75RHEL3 for testing purposes.

Comment 15 Red Hat Bugzilla 2007-06-11 18:40:13 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0459.html


Comment 16 Issue Tracker 2007-06-12 08:59:46 UTC
Resolved. Closing ticket and informing customer.

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 3.9'

This event sent from IssueTracker by jfautley, issue 116050

