Description of problem:
audit may not handle rules with large integers correctly. For example, running

  auditctl -a exit,always -S all -F inode=<large_inode_number>

has no effect on an i386 system.

Version-Release number of selected component (if applicable):
audit-1.7.17-3.el5

How reproducible:
100%

Steps to Reproduce:
1. Make sure that the audit service (auditd) is started
2. Run
     auditctl -a exit,always -S all \
       -F inode=`ls -i /proc/cpuinfo | cut -f 1 -d ' '`
   to add a rule with a large inode number. (/proc/cpuinfo seems to usually have a large enough inode number)
3. Run "ls /proc/cpuinfo" to trigger the previously added rule.

Actual results:
No messages are generated in /var/log/audit/audit.log

Expected results:
Messages similar to the following should be added to /var/log/audit/audit.log:

type=SYSCALL msg=audit(1263252195.265:336): arch=40000003 syscall=195 success=yes exit=0 a0=bfdbdc99 a1=94dd11c a2=b79ff4 a3=bfdbcfe0 items=1 ppid=1527 pid=829 auid=4372 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ls" exe="/bin/ls" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=CWD msg=audit(1263252195.265:336): cwd="/root"
type=PATH msg=audit(1263252195.265:336): item=0 name="/proc/cpuinfo" inode=4026531851 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_t:s0
type=SYSCALL msg=audit(1263252195.265:337): arch=40000003 syscall=196 success=yes exit=0 a0=bfdbdc99 a1=94dd11c a2=b79ff4 a3=0 items=1 ppid=1527 pid=829 auid=4372 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ls" exe="/bin/ls" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=CWD msg=audit(1263252195.265:337): cwd="/root"
type=PATH msg=audit(1263252195.265:337): item=0 name="/proc/cpuinfo" inode=4026531851 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_t:s0

Additional info:
This issue can also be verified by running auditctl -l after adding the rule in step two above.
The hexadecimal value of the inode in the rule will not match the value on the command line. For example:

# ls -i /proc/cpuinfo
4026531851 /proc/cpuinfo
# auditctl -a exit,always -S all -F inode=4026531851
# auditctl -l
LIST_RULES: exit,always inode=2147483647 (0x7fffffff) syscall=all
# dc
16 o
4026531851 p
F000000B

The inode value 0xf000000b does not match the value in the rule list.

On an x86_64 system the commands above result in:

# ls -i /proc/cpuinfo
4026532000 /proc/cpuinfo
# auditctl -a exit,always -S all -F inode=4026532000
# auditctl -l
LIST_RULES: exit,always inode=-268435296 (0xf00000a0) syscall=all
# dc
16 o
4026532000 p
F00000A0

So on an x86_64 system, the hex value of the inode matches the actual inode value. The decimal value of the inode listed by the rule doesn't match, but that seems like another bug. :)
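The two observations in the report (0x7fffffff on i386, a negative decimal on x86_64) both follow from how a decimal inode that exceeds 2^31 is converted into the 32-bit field of the rule. The following C program is an added illustration written for this page, not code from the audit project or its patch. It assumes that the pre-fix auditctl parsed the value with a signed conversion into a 32-bit long (the Technical Notes call it a "signed number conversion"); that assumption is emulated here with an explicit clamp so the program gives the i386 result even when built on a 64-bit host. The inode numbers are the ones quoted in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Emulation (assumed, see lead-in) of how a 32-bit auditctl parsed
 * "-F inode=N" before the fix: a signed conversion into a 32-bit 'long'.
 * strtol() clamps an out-of-range input to LONG_MAX, which on i386 is
 * 0x7fffffff, exactly what 'auditctl -l' showed in the report. We parse
 * into 64 bits and clamp to the int32 range ourselves so the behaviour is
 * the same on a 64-bit build. */
static uint32_t parse_inode_signed32(const char *s)
{
    long long v = strtoll(s, NULL, 10);
    if (v > INT32_MAX) v = INT32_MAX;   /* what strtol() does on i386 */
    if (v < INT32_MIN) v = INT32_MIN;
    return (uint32_t)(int32_t)v;        /* stored into the 32-bit rule field */
}

/* The fixed behaviour: treat the inode as an unsigned 32-bit number
 * (strtoul() on i386), so 4026531851 lands in the field as 0xf000000b. */
static uint32_t parse_inode_unsigned32(const char *s)
{
    unsigned long long v = strtoull(s, NULL, 10);
    if (v > UINT32_MAX) v = UINT32_MAX;
    return (uint32_t)v;
}

/* The secondary x86_64 oddity from the report: the stored 32-bit field is
 * correct (0xf00000a0) but is printed as a signed int, so the decimal shows
 * as -268435296. The uint32 -> int32 conversion is implementation-defined
 * in C; on the two's-complement targets in question it wraps. */
static int32_t field_as_signed(uint32_t stored)
{
    return (int32_t)stored;
}

int main(void)
{
    const char *i386_inode = "4026531851";   /* inode quoted in the i386 run */
    const char *x64_inode  = "4026532000";   /* inode quoted in the x86_64 run */

    uint32_t bad  = parse_inode_signed32(i386_inode);
    uint32_t good = parse_inode_unsigned32(i386_inode);
    printf("i386, signed parse (broken): inode=%u (0x%08x)\n", bad, bad);
    printf("i386, unsigned parse (fixed): inode=%u (0x%08x)\n", good, good);

    uint32_t x64 = parse_inode_unsigned32(x64_inode);
    printf("x86_64 display: inode=%d (0x%08x)\n", field_as_signed(x64), x64);
    return 0;
}
```

The clamped value 0x7fffffff explains why the rule in the report never fires: the kernel compares the real inode 4026531851 against 2147483647 and never matches, so no SYSCALL/PATH records are written. The same failure mode applies to any other -F field that can legitimately exceed 2^31 on a 32-bit build, which is why parsing such values as unsigned is the right general fix rather than a special case for inode.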
Created attachment 383119: Proposed patch
A similar patch was applied upstream.
audit-1.7.18-1 was built to resolve this problem.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: 32-bit systems did not behave correctly when an audit rule with a large inode value was added, because of a signed number conversion. With this update, auditctl treats the inode value as an unsigned number.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0083.html