Bug 491316 - Execution of a script generates multiple EXECVE records
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.7
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Red Hat Kernel Manager
QA Contact: Red Hat Kernel QE team
Reported: 2009-03-20 08:05 EDT by Matthew Booth
Modified: 2012-06-20 09:21 EDT (History)

Doc Type: Bug Fix
Last Closed: 2012-06-20 09:21:31 EDT

Description Matthew Booth 2009-03-20 08:05:08 EDT
Description of problem:
If execve is being audited and a script is executed, the kernel generates 2 EXECVE records: 1 for the execution of the shell and 1 for the execution of the script. 2 examples:

type=SYSCALL msg=audit(1237550059.618:475): arch=40000003 syscall=11 success=yes exit=0 a0=8713338 a1=87137f0 a2=8713368 a3=87137f0 items=3 pid=3654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="lesspipe.sh" exe="/bin/bash"
type=EXECVE msg=audit(1237550059.618:475): argc=4 a0="/bin/sh" a1="-" a2="/usr/bin/lesspipe.sh" a3="/var/log/audit/audit.log"
type=EXECVE msg=audit(1237550059.618:475): argc=2 a0="/usr/bin/lesspipe.sh" a1="/var/log/audit/audit.log"
type=CWD msg=audit(1237550059.618:475):  cwd="/home/mbooth/src/austream/build"
type=PATH msg=audit(1237550059.618:475): name="/usr/bin/lesspipe.sh" flags=101 inode=146290 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1237550059.618:475):  flags=101 inode=158130 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1237550059.618:475):  flags=101 inode=112054 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00

type=SYSCALL msg=audit(1237547877.264:211): arch=40000003 syscall=11 success=yes exit=0 a0=8421d90 a1=8421230 a2=841b818 a3=8421230 items=3 pid=3624 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="foo.sh" exe="/bin/bash"
type=EXECVE msg=audit(1237547877.264:211): argc=2 a0="/bin/sh" a1="./foo.sh"
type=EXECVE msg=audit(1237547877.264:211): argc=1 a0="./foo.sh"
type=CWD msg=audit(1237547877.264:211):  cwd="/root"
type=PATH msg=audit(1237547877.264:211): name="./foo.sh" flags=101 inode=94680 dev=03:01 mode=0100744 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1237547877.264:211):  flags=101 inode=158130 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1237547877.264:211):  flags=101 inode=112054 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00

I don't recall having seen this in RHEL 4.6, so I believe this could be a regression.

In case it comes up, I have confirmed that this is not related to the audit daemon by trying it with both the regular and a replacement audit daemon.

Version-Release number of selected component (if applicable):
2.6.9-78.0.13.EL

How reproducible:
Always

Steps to Reproduce:
1. echo "
#!/bin/sh

echo This is a test
" > foo.sh
2. chmod u+x foo.sh
3. service auditd restart
4. auditctl -D
5. auditctl -a entry,always -S execve
6. ./foo.sh
  
Actual results:
As above. Audit event contains 2 EXECVE records.

Expected results:
A single EXECVE record is generated. In this case, I would expect it to be:
type=EXECVE msg=audit(1237547877.264:211): argc=1 a0="./foo.sh" 

i.e. the one which doesn't contain the shell.

Additional info:
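Added example, not part of the bug report or of any Red Hat code: a small Python parser that groups auditd records by their event serial and pulls out every EXECVE argv vector in an event, so that a detection rule keyed on "what was executed" does not depend on whichever EXECVE record happens to be printed first. Events 475 and 211 in the sample input are the two events quoted in the report above (wrapped lines rejoined, the nameless PATH records dropped); event 212 is a constructed plain-binary execution added for contrast and is not from the report. The summary assumes what the report's records show: for a #! script the caller's argv appears as one vector, and the vector that actually ran has the interpreter (plus any shebang argument such as the "-" in the lesspipe case) prepended, so the caller's argv is a suffix of the longer vector and the script path sits immediately before that suffix.

```python
"""Group auditd records by event serial and recover every EXECVE argv vector
in an event (added example; the kernel behaviour it relies on is the one the
bug report's own records show)."""
import re
from collections import defaultdict

# Constructed sample input: events 475 and 211 are from the report (wrapped
# lines rejoined); event 212 is an assumed plain-binary execution for contrast.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1237550059.618:475): arch=40000003 syscall=11 success=yes exit=0 a0=8713338 a1=87137f0 a2=8713368 a3=87137f0 items=3 pid=3654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="lesspipe.sh" exe="/bin/bash"
type=EXECVE msg=audit(1237550059.618:475): argc=4 a0="/bin/sh" a1="-" a2="/usr/bin/lesspipe.sh" a3="/var/log/audit/audit.log"
type=EXECVE msg=audit(1237550059.618:475): argc=2 a0="/usr/bin/lesspipe.sh" a1="/var/log/audit/audit.log"
type=CWD msg=audit(1237550059.618:475):  cwd="/home/mbooth/src/austream/build"
type=SYSCALL msg=audit(1237547877.264:211): arch=40000003 syscall=11 success=yes exit=0 a0=8421d90 a1=8421230 a2=841b818 a3=8421230 items=3 pid=3624 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="foo.sh" exe="/bin/bash"
type=EXECVE msg=audit(1237547877.264:211): argc=2 a0="/bin/sh" a1="./foo.sh"
type=EXECVE msg=audit(1237547877.264:211): argc=1 a0="./foo.sh"
type=CWD msg=audit(1237547877.264:211):  cwd="/root"
type=PATH msg=audit(1237547877.264:211): name="./foo.sh" flags=101 inode=94680 dev=03:01 mode=0100744 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1237547900.000:212): arch=40000003 syscall=11 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 pid=3625 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1237547900.000:212): argc=2 a0="/bin/ls" a1="-l"
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <key=value fields>
HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
# Values are double-quoted or bare. auditd prints arguments containing spaces
# or control characters as a bare hex string; that case is not decoded here.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return one audit record as a dict, or None for a non-record line."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "ts": m.group(2), "serial": m.group(3)}
    for key, quoted, bare in FIELD.findall(m.group(4)):
        rec[key] = bare if bare else quoted
    return rec


def group_by_serial(text):
    """One audit event is several records sharing the same serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def argv_of(rec):
    return [rec["a%d" % i] for i in range(int(rec["argc"]))]


def execve_vectors(records):
    """All EXECVE argv vectors of one event, in the order they were logged."""
    return [argv_of(r) for r in records if r["type"] == "EXECVE"]


def summarize_exec(records):
    """Describe what one execve() event actually ran.

    A plain binary yields one EXECVE vector. A #! script yields two: the
    caller's argv and a longer vector with the interpreter (and optional
    shebang argument) prepended, of which the caller's argv is a suffix.
    The longer vector is what ran; the element just before the shared
    suffix is the script. Selecting by length avoids relying on record order.
    """
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    vectors = execve_vectors(records)
    if not vectors:
        return None
    ran = max(vectors, key=len)
    summary = {"exe": syscall["exe"] if syscall else None,
               "success": bool(syscall) and syscall["success"] == "yes",
               "argv": ran, "script": None}
    if len(vectors) > 1:
        requested = min(vectors, key=len)
        summary["script"] = ran[len(ran) - len(requested)]
    return summary


def summarize_log(text):
    return {serial: summarize_exec(recs)
            for serial, recs in group_by_serial(text).items()}


if __name__ == "__main__":
    for serial, summary in sorted(summarize_log(SAMPLE_LOG).items()):
        print(serial, summary)
```

A rule that looks only at a0 of the first EXECVE record would report /bin/sh for every script and lose the script name; one that looks only at the shorter vector would report ./foo.sh and lose the interpreter and any shebang argument. Grouping by serial and keeping both vectors preserves both facts.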
Comment 1 Jiri Pallich 2012-06-20 09:21:31 EDT
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release which you requested us to review is now End of Life.
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.
