Bug 461653 - IPA: Include plaintext string data with audit log in new plugin
Summary: IPA: Include plaintext string data with audit log in new plugin
Keywords:
Status: CLOSED DUPLICATE of bug 1127343
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: audit
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Steve Grubb
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 840699
Reported: 2008-09-09 18:33 UTC by Karl Wirth
Modified: 2016-06-03 20:49 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-03 20:49:20 UTC
Target Upstream Version:
Embargoed:



Description Karl Wirth 2008-09-09 18:33:04 UTC
1. Kernel and user space audit pieces currently treat some characters (spaces, tabs, quotes, maybe more) as control characters and, upon seeing them in a string, convert that string into hex. This makes it difficult for solutions (such as IPA Audit) that want to leverage the raw audit log to search on it or parse it.

2. Proposed solution. Build a plug-in to the audit dispatcher that takes the audit record as is, puts some clear marker that shows it is adding interpretive data, and appends the interpreted data to the audit record. It will then output the audit record to a file of a different name. There will be a flag to say whether this plug-in should run or not. Default state should be not disabled even when loaded.

3. Appended interpreted data will include:
- The human-readable string in the case where a string is turned into hex
- Additional valuable interpreted data, like turning a uid into the username (i.e., kwirth)

4. Platform support. Goal is RHEL 5.4 and a backport to RHEL 4.x.

Comment 4 LC Bruzenak 2009-09-17 14:48:08 UTC
I'd like to add to (3) above - that on systems configured for MLS policy, the translation of the MLS part of the context to its human-readable form as defined by the mcstrans.conf definitions on that machine. Also, I second - the UID/GID translation would be very helpful.

Comment 13 LC Bruzenak 2015-10-13 17:40:12 UTC
This bug is pretty old, and maybe the proposed fix Karl mentioned isn't the optimal way anymore. When I read it, I was really interested in getting the interpreted information into the events vice the numeric (UID/GID/AUID/etc). This would facilitate meaningful events on an aggregated machine. I've learned how to work around this problem in the intervening years, but would still be interested in having the ability.

UID/GID/AUID are all well-known. The part that might be unclear is the mcstrans part I described. An MLS policy is similar to MCS, except instead of one sensitivity level and multiple compartments, there are multiple SLs and multiple compartments.

The mcstransd interprets human-readable discrete labels into machine-readable and vice-versa.

Example setrans.conf entries:
Domain=Test

s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh

Base=Sensitivity Levels
s1=Unclassified
s1=U
s2:c200.c511=Restricted
s2:c200.c511=R
s3:c200.c511=Confidential
s3:c200.c511=C
s4:c200.c511=Secret
s4:c200.c511=S
s5:c200.c511=Top Secret
s5:c200.c511=TS

The audited events have only the bitwise representations; e.g.:
node=jcdx type=SYSCALL msg=audit(10/13/2015 11:40:58.454:62780) : arch=i386 syscall=socketcall(socket) success=no exit=-13(Permission denied) a0=1 a1=fff54c94 a2=5f79ff4 a3=fff54e5c items=0 ppid=9645 pid=9646 auid=root uid=json2jcdx gid=jcdx euid=json2jcdx suid=json2jcdx fsuid=json2jcdx egid=jcdx sgid=jcdx fsgid=jcdx tty=(none) ses=332 comm=json2jcdx exe=/opt/jcdx/libexec/json2jcdx subj=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 key=(null) 
node=jcdx type=AVC msg=audit(10/13/2015 11:40:58.454:62780) : avc:  denied  { create } for  pid=9646 comm=json2jcdx scontext=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 tcontext=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 tclass=netlink_route_socket
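
An added example, not code from the bug report, from audit, or from mcstrans: a small Python sketch of the plug-in behaviour proposed in the description and the label translation asked for in Comment 13. It parses setrans.conf entries in the format shown above, decodes hex-encoded string fields, and appends the interpreted data after a clear marker while leaving the raw record untouched; the setrans excerpt and the audit record are constructed, and only exact MLS-range matches are translated.

```python
import re

# Constructed setrans.conf excerpt (format as in the comment above); where a
# level is listed twice the first name is the long form, later ones aliases.
SETRANS_CONF = """\
Domain=Test
Base=Sensitivity Levels
s1=Unclassified
s1=U
s5:c200.c511=Top Secret
s5:c200.c511=TS
"""

# Constructed raw record; comm holds "json recv", hex-encoded for its space.
SAMPLE_RECORD = ('type=SYSCALL msg=audit(1444750858.454:62780): arch=40000003 '
                 'syscall=102 success=no exit=-13 a1=fff54c94 pid=9646 uid=500 '
                 'comm=6A736F6E2072656376 exe="/opt/jcdx/libexec/json2jcdx" '
                 'subj=system_u:system_r:jcdx_json_recv_t:s5:c200.c511 key=(null)')

# String fields auditd hex-encodes on spaces/quotes/control characters.
# a0..a3 are hex numbers, not strings, so they are deliberately excluded.
HEX_STRING_FIELDS = {"comm", "exe", "proctitle", "name", "cwd", "key"}
MARKER = " INTERP:"   # clear marker where added interpretive data begins

def parse_setrans(text):
    """Map a raw MLS range such as 's5:c200.c511' to its long-form name."""
    table = {}
    for line in text.splitlines():
        if "=" not in line or line.startswith("#"):
            continue
        raw, name = line.strip().split("=", 1)
        if raw not in ("Domain", "Base"):   # skip section headers
            table.setdefault(raw, name)     # first name wins over aliases
    return table

def interpret(record, table):
    """Return the record untouched, followed by MARKER and interpreted data."""
    extra = []
    for field, value in re.findall(r"(\w+)=(\S+)", record):
        if field in ("subj", "scontext", "tcontext"):
            mls = value.split(":", 3)[-1]   # user:role:type:mls -> mls
            if mls in table:   # exact match only; broader ranges stay raw
                extra.append(f"{field}_mls={table[mls]}")
        elif field in HEX_STRING_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
            try:   # ASCII only, so a plain word like "dead" is not decoded
                extra.append(f'{field}="{bytes.fromhex(value).decode("ascii")}"')
            except UnicodeDecodeError:
                pass
    return (record + MARKER + " " + " ".join(extra)) if extra else record
```

The event quoted in this comment carries extra categories (c0.c2,c11,c86,...) that a real mcstransd would fold into the translation; this sketch leaves such ranges raw rather than guessing.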

Comment 15 Steve Grubb 2016-06-03 20:49:20 UTC
This is not going into RHEL6 at this point. It is being worked on RHEL7 under rhbz 1127343.

*** This bug has been marked as a duplicate of bug 1127343 ***
