Description of problem: When I add an audit watch on a file with no arguments, I get perm=rwxa but on ia64, changes to the mode and context aren't audited. I get audit records on i386 and x86_64. Version-Release number of selected component (if applicable): I'm running the .80 LSPP kernel How reproducible: very Steps to Reproduce: 1. touch foo 2. auditctl -w `pwd`/foo 3. chmod 666 foo 4. chcon -l Secret foo Actual results: On ia64, I only see an audit record for adding the watch, not for the chmod or the chcon. Expected results: Should see audit records for the chmod and chcon. Additional info: I see the expected audit records on i386 and x86_64 systems.
Created attachment 154573 [details] proposed patch for syscall match check The check is wrong, AUDIT_BITMASK_SIZE is 64, providing space for 2048 syscalls in 64 * 32bit integers. The comparison only supports 256 syscalls, and silently returns "no match" for valid higher-numbered syscalls. This breaks class-based audit for all syscalls on ia64 since on that architecture syscall numbers start at 1024. It breaks some syscall audit on other architectures also, for example __NR_fchmodat is 306 on x86. I'd suggest adding a printk() in addition to returning 0 - you don't want to silently ignore unknown or unsupported syscalls when auditing.
I gave Klaus's patch a quick test on ia64 and it solves the problem I was seeing. Thanks Klaus!
The patch should be sent to linux-audit mail list for review and pushing upstream.
Patch posted to linux-audit mailing list: https://www.redhat.com/archives/linux-audit/2007-May/msg00029.html https://www.redhat.com/archives/linux-audit/2007-May/msg00030.html
This request was evaluated by Red Hat Kernel Team for inclusion in a Red Hat Enterprise Linux maintenance release, and has moved to bugzilla status POST.
in 2.6.18-27.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5
A fix for this issue has been included in the packages contained in the beta (RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1. Please verify that your issue is fixed. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to ASSIGNED.
This problem appears to be fixed in the RHEL5 U1 Beta. In verifying the fix I noticed that ausearch is getting a segfault on my system. If I don't find an existing bz I'll open a new one for that.
Linda, audit packages before 1.5.5-5 are known to segfault on acct fields and there is already a bz for that. Please check that you are testing with snap 1 audit package 1.5.5-5. Thanks.
Steve, thanks for the info. I'm running 1.5.5-4 so I'll try later on a snap1 system.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0959.html