Red Hat Bugzilla – Bug 461653
IPA: Include plaintext string data with audit log in new plugin
Last modified: 2016-06-03 16:49:20 EDT
1. Kernel and user space audit pieces currently treat some characters (spaces, tabs, quotes, maybe more) as control characters and upon seeing them in astring, converts that string into Hex. This makes it difficult for solutions (such as IPA Audit) that want to leverage the raw audit to search on the audit or parse it. 2. Proposed solution. Build plug-in to audit dispatcher that takes audit record as is, puts some clear marker that shows it is adding interpretive data, and appends interpreted data to the audit record. It will then output the audit record to a file of a different name. There will be a flag to say whether this plug-in should run or not. Default state should be not disabled even when loaded. 3. Appended interpreted data will include: - The human readable string in the case where a string is turned into Hex - Additional valuable interpreted data like turning uid into the username (i.e kwirth) 4. Platform support. Goal is RHEL 5.4 and backport to RHEL 4.x.
I'd like to add to (3) above - that on systems configured for MLS policy, the translation of the MLS part of the context to its human-readable form as defined by the mcstrans.conf definitions on that machine. Also, I second - the UID/GID translation would be very helpful.
This bug is pretty old, and maybe the proposed fix Karl mentioned isn't the optimal way anymore. When I read it, I was really interested in getting the interpreted information into the events vice the numeric (UID/GID/AUID/etc). This would facilitate meaningful events on an aggregated machine. I've learned how to work around this problem in the intervening years, but would still be interested in having the ability. UID/GID/AUID are all well-known. The part that might be unclear is the mcstrans part I described. An MLS policy is similar to MCS, except instead of one sensitivity level and multiple compartments, there are multiple SLs and multiple compartments. The mcstransd interprets human-readable discrete labels into machine-readable and vice-versa. Example setrans.conf entries: Domain=Test s0=SystemLow s15:c0.c1023=SystemHigh s0-s15:c0.c1023=SystemLow-SystemHigh Base=Sensitivity Levels s1=Unclassified s1=U s2:c200.c511=Restricted s2:c200.c511=R s3:c200.c511=Confidential s3:c200.c511=C s4:c200.c511=Secret s4:c200.c511=S s5:c200.c511=Top Secret s5:c200.c511=TS The audited events have only the bitwise representations; e.g.: node=jcdx type=SYSCALL msg=audit(10/13/2015 11:40:58.454:62780) : arch=i386 syscall=socketcall(socket) success=no exit=-13(Permission denied) a0=1 a1=fff54c94 a2=5f79ff4 a3=fff54e5c items=0 ppid=9645 pid=9646 auid=root uid=json2jcdx gid=jcdx euid=json2jcdx suid=json2jcdx fsuid=json2jcdx egid=jcdx sgid=jcdx fsgid=jcdx tty=(none) ses=332 comm=json2jcdx exe=/opt/jcdx/libexec/json2jcdx subj=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 key=(null) node=jcdx type=AVC msg=audit(10/13/2015 11:40:58.454:62780) : avc: denied { create } for pid=9646 comm=json2jcdx scontext=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 tcontext=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 tclass=netlink_route_socket
This is not going into RHEL6 at this point. It is being worked on RHEL7 under rhbz 1127343. *** This bug has been marked as a duplicate of bug 1127343 ***