Bug 442556 - audit rules with >= get corrupted
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit
All Linux
high Severity medium
: rc
Assigned To: Steve Grubb
Brian Brock
Reported: 2008-04-15 11:00 EDT by Steve Grubb
Modified: 2008-05-21 10:32 EDT (History)
Fixed In Version: RHEA-2008-0358
Doc Type: Bug Fix
Last Closed: 2008-05-21 10:32:59 EDT

Attachments
patch fixing problems described herein (1.69 KB, patch)
2008-04-17 09:47 EDT, Steve Grubb

Description Steve Grubb 2008-04-15 11:00:18 EDT
Description of problem:
Audit rules with >= get converted to != by libaudit. For example, the rule:
auditctl -a always,exit -S open -F 'auid>=500'

when you run auditctl -l, the rule was sent into the kernel as auid!=500, which is not
what is intended.

Also, there is a memory leak on EOE records. The 5.3 kernel will start sending
EOE records so this should be fixed in case they upgrade the kernel and not the
audit daemon.

Comment 1 Steve Grubb 2008-04-17 09:47:29 EDT
Created attachment 302748 [details]
patch fixing problems described herein

This is the proposed patch.
Comment 4 Steve Grubb 2008-04-20 17:22:50 EDT
audit-1.6.5-9.el5 was built to address this problem.
Comment 6 Eduard Benes 2008-04-22 09:58:59 EDT
Steve, I'm not able to reproduce the '!=' bug using older audit packages. Do
you have any idea what could be causing this? Here is a log using old
audit-1.6.5-6.el5 packages; it should FAIL, but as you can see it passes on all archs.
Tried 1.6.5-{6,7,8,9} and all passed.

Sample log:

Linux xxxxxxx.redhat.com 2.6.18-83.el5 #1 SMP Thu Feb 21 12:14:23 EST 2008 i686 
i686 i386 GNU/Linux
Tue Apr 22 15:47:28 CEST 2008

===== Running Test /CoreOS/audit/bugzilla/bug442556 =====
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]

+ auditctl -D
No rules
+ auditctl -a always,exit -S open -F 'auid>=500'
+ auditctl -l
LIST_RULES: exit,always auid>=500 (0x1f4) syscall=open
+ set +x

===== Test /CoreOS/audit/bugzilla/bug442556 Finished =====

Test result               [ PASS ]
Comment 7 Steve Grubb 2008-04-22 10:43:19 EDT
Try this:

auditctl -a always,exit -S open -F 'auid>=500' -F auid!=4294967295 -k open
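
A regression check for the symptom described in this report, as an added example that is not part of the bug report or the audit project's code: it compares the -F filters of an auditctl command with the comparisons shown on the matching auditctl -l line. The function names are hypothetical, and the two-filter listing lines are constructed on the model of the LIST_RULES line in comment 6, assuming the value 4294967295 is listed as -1.

```python
import re
import shlex

# Longest operators first, so ">=" is never read as ">" or "=" alone.
_FIELD = re.compile(r"^([A-Za-z0-9_]+)(>=|<=|!=|=|>|<)(.+)$")


def _norm(value):
    """Fold numeric values to unsigned 32 bits, so -1 and 4294967295 compare equal."""
    try:
        return str(int(value, 0) & 0xFFFFFFFF)
    except ValueError:
        return value  # non-numeric value such as a syscall or key name


def _parse(token):
    m = _FIELD.match(token)
    return (m.group(1), m.group(2), _norm(m.group(3))) if m else None


def requested_filters(cmdline):
    """(field, op, value) for every -F argument of an auditctl command line."""
    args = shlex.split(cmdline)
    pairs = zip(args, args[1:])
    return [f for f in (_parse(arg) for flag, arg in pairs if flag == "-F") if f]


def listed_filters(listing_line):
    """(field, op, value) for every comparison on one `auditctl -l` line."""
    tokens = [t for t in listing_line.split() if not t.startswith("(")]
    return [f for f in map(_parse, tokens) if f]


def corrupted_filters(cmdline, listing_line):
    """Requested filters missing from the listing, with what was listed instead."""
    listed = listed_filters(listing_line)
    return [(want, [got for got in listed if got[0] == want[0]])
            for want in requested_filters(cmdline) if want not in listed]


# Command from comment 7; both listing lines are constructed samples.
CMD = "auditctl -a always,exit -S open -F 'auid>=500' -F auid!=4294967295 -k open"
GOOD = "LIST_RULES: exit,always auid>=500 (0x1f4) auid!=-1 (0xffffffff) key=open syscall=open"
BAD = "LIST_RULES: exit,always auid!=500 (0x1f4) auid!=-1 (0xffffffff) key=open syscall=open"

if __name__ == "__main__":
    for name, line in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, corrupted_filters(CMD, line) or "all filters intact")
```
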
Comment 10 errata-xmlrpc 2008-05-21 10:32:59 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

