Bug 461653 - IPA: Include plaintext string data with audit log in new plugin
IPA: Include plaintext string data with audit log in new plugin
Status: CLOSED DUPLICATE of bug 1127343
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: audit (Show other bugs)
All Linux
medium Severity medium
: rc
: ---
Assigned To: Steve Grubb
BaseOS QE Security Team
: Unconfirmed
Depends On:
Blocks: 840699
  Show dependency treegraph
Reported: 2008-09-09 14:33 EDT by Karl Wirth
Modified: 2016-06-03 16:49 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-06-03 16:49:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Karl Wirth 2008-09-09 14:33:04 EDT
1. Kernel and user space audit pieces currently treat some characters (spaces, tabs, quotes, maybe more) as control characters and upon seeing them in astring, converts that string into Hex. This makes it difficult for solutions (such as IPA Audit) that want to leverage the raw audit to search on the audit or parse it.

2. Proposed solution.  Build plug-in to audit dispatcher that takes audit record as is, puts some clear marker that shows it is adding interpretive data, and appends interpreted data to the audit record.  It will then output the audit record to a file of a different name.  There will be a flag to say whether this plug-in should run or not. Default state should be not disabled even when loaded.  

3. Appended interpreted data will include:
- The human readable string in the case where a string is turned into Hex
- Additional valuable interpreted data like turning uid into the
username (i.e kwirth)

4. Platform support.  Goal is RHEL 5.4 and backport to RHEL 4.x.
Comment 4 LC Bruzenak 2009-09-17 10:48:08 EDT
I'd like to add to (3) above - that on systems configured for MLS policy, the translation of the MLS part of the context to its human-readable form as defined by the mcstrans.conf definitions on that machine. Also, I second - the UID/GID translation would be very helpful.
Comment 13 LC Bruzenak 2015-10-13 13:40:12 EDT
This bug is pretty old, and maybe the proposed fix Karl mentioned isn't the optimal way anymore. When I read it, I was really interested in getting the interpreted information into the events vice the numeric (UID/GID/AUID/etc). This would facilitate meaningful events on an aggregated machine. I've learned how to work around this problem in the intervening years, but would still be interested in having the ability.

UID/GID/AUID are all well-known. The part that might be unclear is the mcstrans part I described. An MLS policy is similar to MCS, except instead of one sensitivity level and multiple compartments, there are multiple SLs and multiple compartments.

The mcstransd interprets human-readable discrete labels into machine-readable and vice-versa.

Example setrans.conf entries:


Base=Sensitivity Levels
s5:c200.c511=Top Secret

The audited events have only the bitwise representations; e.g.:
node=jcdx type=SYSCALL msg=audit(10/13/2015 11:40:58.454:62780) : arch=i386 syscall=socketcall(socket) success=no exit=-13(Permission denied) a0=1 a1=fff54c94 a2=5f79ff4 a3=fff54e5c items=0 ppid=9645 pid=9646 auid=root uid=json2jcdx gid=jcdx euid=json2jcdx suid=json2jcdx fsuid=json2jcdx egid=jcdx sgid=jcdx fsgid=jcdx tty=(none) ses=332 comm=json2jcdx exe=/opt/jcdx/libexec/json2jcdx subj=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 key=(null) 
node=jcdx type=AVC msg=audit(10/13/2015 11:40:58.454:62780) : avc:  denied  { create } for  pid=9646 comm=json2jcdx scontext=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 tcontext=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 tclass=netlink_route_socket
Comment 15 Steve Grubb 2016-06-03 16:49:20 EDT
This is not going into RHEL6 at this point. It is being worked on RHEL7 under rhbz 1127343.

*** This bug has been marked as a duplicate of bug 1127343 ***

Note You need to log in before you can comment on or make changes to this bug.