Bug 239887 - LSPP: watches using -p omit some syscalls
LSPP: watches using -p omit some syscalls
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Eric Paris
Martin Jenner
: OtherQA
Depends On:
Blocks: RHEL5LSPPCertTracker
  Show dependency treegraph
Reported: 2007-05-11 17:52 EDT by Linda Knippers
Modified: 2009-06-19 13:03 EDT (History)
7 users (show)

See Also:
Fixed In Version: RHBA-2007-0959
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-07 14:49:14 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
proposed patch for syscall match check (451 bytes, patch)
2007-05-11 18:14 EDT, Klaus Weidner
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0959 normal SHIPPED_LIVE Updated kernel packages for Red Hat Enterprise Linux 5 Update 1 2007-11-07 19:47:37 EST

  None (edit)
Description Linda Knippers 2007-05-11 17:52:00 EDT
Description of problem:
When I add an audit watch on a file with no arguments, I get perm=rwxa
but on ia64, changes to the mode and context aren't audited.  I
get audit records on i386 and x86_64.

Version-Release number of selected component (if applicable):
I'm running the .80 LSPP kernel

How reproducible:

Steps to Reproduce:
1. touch foo
2. auditctl -w `pwd`/foo
3. chmod 666 foo
4. chcon -l Secret foo
Actual results:
On ia64, I only see an audit record for adding the watch, not for
the chmod or the chcon.  

Expected results:
Should see audit records for the chmod and chcon.

Additional info:
I see the expected audit records on i386 and x86_64 systems.
Comment 1 Klaus Weidner 2007-05-11 18:14:21 EDT
Created attachment 154573 [details]
proposed patch for syscall match check

The check is wrong, AUDIT_BITMASK_SIZE is 64, providing space for 2048 syscalls
in 64 * 32bit integers. The comparison only supports 256 syscalls, and silently
returns "no match" for valid higher-numbered syscalls.

This breaks class-based audit for all syscalls on ia64 since on that
architecture syscall numbers start at 1024. 

It breaks some syscall audit on other architectures also, for example
__NR_fchmodat is 306 on x86.

I'd suggest adding a printk() in addition to returning 0 - you don't want to
silently ignore unknown or unsupported syscalls when auditing.
Comment 2 Linda Knippers 2007-05-11 19:17:02 EDT
I gave Klaus's patch a quick test on ia64 and it solves the problem I was
seeing.  Thanks Klaus!
Comment 3 Steve Grubb 2007-05-14 10:14:57 EDT
The patch should be sent to linux-audit mail list for review and pushing upstream.
Comment 5 RHEL Product and Program Management 2007-06-04 17:21:51 EDT
This request was evaluated by Red Hat Kernel Team for inclusion in a Red
Hat Enterprise Linux maintenance release, and has moved to bugzilla 
status POST.
Comment 6 Don Zickus 2007-06-15 20:31:05 EDT
in 2.6.18-27.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 8 John Poelstra 2007-08-14 15:46:23 EDT
A fix for this issue has been included in the packages contained in the beta
(RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1.  Please
verify that your issue is fixed.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to ASSIGNED.
Comment 9 Linda Knippers 2007-08-15 11:14:27 EDT
This problem appears to be fixed in the RHEL5 U1 Beta.  In verifying
the fix I noticed that ausearch is getting a segfault on my system.
If I don't find an existing bz I'll open a new one for that.
Comment 10 Steve Grubb 2007-08-15 11:18:56 EDT
Linda, audit packages before 1.5.5-5 are known to segfault on acct fields and
there is already a bz for that. Please check that you are testing with snap 1
audit package 1.5.5-5. Thanks.
Comment 11 Linda Knippers 2007-08-15 11:24:38 EDT
Steve, thanks for the info.  I'm running 1.5.5-4 so I'll try later on
a snap1 system.  

Comment 15 errata-xmlrpc 2007-11-07 14:49:14 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.