Red Hat Bugzilla – Bug 239887
LSPP: watches using -p omit some syscalls
Last modified: 2009-06-19 13:03:20 EDT
Description of problem:
When I add an audit watch on a file with no arguments, I get perm=rwxa
but on ia64, changes to the mode and context aren't audited. I
get audit records on i386 and x86_64.
Version-Release number of selected component (if applicable):
I'm running the .80 LSPP kernel
Steps to Reproduce:
1. touch foo
2. auditctl -w `pwd`/foo
3. chmod 666 foo
4. chcon -l Secret foo
On ia64, I only see an audit record for adding the watch, not for
the chmod or the chcon.
Should see audit records for the chmod and chcon.
I see the expected audit records on i386 and x86_64 systems.
Created attachment 154573 [details]
proposed patch for syscall match check
The check is wrong, AUDIT_BITMASK_SIZE is 64, providing space for 2048 syscalls
in 64 * 32bit integers. The comparison only supports 256 syscalls, and silently
returns "no match" for valid higher-numbered syscalls.
This breaks class-based audit for all syscalls on ia64 since on that
architecture syscall numbers start at 1024.
It breaks some syscall audit on other architectures also, for example
__NR_fchmodat is 306 on x86.
I'd suggest adding a printk() in addition to returning 0 - you don't want to
silently ignore unknown or unsupported syscalls when auditing.
I gave Klaus's patch a quick test on ia64 and it solves the problem I was
seeing. Thanks Klaus!
The patch should be sent to linux-audit mail list for review and pushing upstream.
Patch posted to linux-audit mailing list:
This request was evaluated by Red Hat Kernel Team for inclusion in a Red
Hat Enterprise Linux maintenance release, and has moved to bugzilla
You can download this test kernel from http://people.redhat.com/dzickus/el5
A fix for this issue has been included in the packages contained in the beta
(RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1. Please
verify that your issue is fixed.
After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)
If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to ASSIGNED.
This problem appears to be fixed in the RHEL5 U1 Beta. In verifying
the fix I noticed that ausearch is getting a segfault on my system.
If I don't find an existing bz I'll open a new one for that.
Linda, audit packages before 1.5.5-5 are known to segfault on acct fields and
there is already a bz for that. Please check that you are testing with snap 1
audit package 1.5.5-5. Thanks.
Steve, thanks for the info. I'm running 1.5.5-4 so I'll try later on
a snap1 system.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.