
Bug 554553

Summary: audit does not work for filtering a large inode number on i386
Product: Red Hat Enterprise Linux 5
Component: audit
Version: 5.4
Hardware: All
OS: Linux
Reporter: Bryan Mason <bmason>
Assignee: Steve Grubb <sgrubb>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: mfuruta, tao
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Doc Type: Bug Fix
Doc Text:
32-bit systems did not behave correctly when an audit rule with a large inode value was added, because of a signed number conversion. With this update, auditctl treats the inode value as an unsigned number.
Clones: 554555
Bug Blocks: 554555
Last Closed: 2011-01-13 23:42:49 UTC

Attachments:
Proposed patch (flags: none)

Description Bryan Mason 2010-01-11 23:28:11 UTC
Description of problem:

  audit may not handle rules with large integers correctly.  For example,
  running
    
    auditctl -a exit,always -S all -F inode=<large_inode_number>

  has no effect on an i386 system.

Version-Release number of selected component (if applicable):

  audit-1.7.17-3.el5

How reproducible:

  100%

Steps to Reproduce:

  1. Make sure that the audit service (auditd) is started

  2. Run

        auditctl -a exit,always -S all \
            -F inode=`ls -i /proc/cpuinfo | cut -f 1 -d ' '`

     to add a rule with a large inode number.  (/proc/cpuinfo seems to
     usually have a large enough inode number)

  3. Run "ls /proc/cpuinfo" to trigger the previously added rule.
  
Actual results:

  No messages are generated in /var/log/audit/audit.log

Expected results:

  Messages similar to the following should be added to
  /var/log/audit/audit.log:

  type=SYSCALL msg=audit(1263252195.265:336): arch=40000003
  syscall=195 success=yes exit=0 a0=bfdbdc99 a1=94dd11c a2=b79ff4
  a3=bfdbcfe0 items=1 ppid=1527 pid=829 auid=4372 uid=0 gid=0 euid=0
  suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ls"
  exe="/bin/ls" subj=user_u:system_r:unconfined_t:s0 key=(null)

  type=CWD msg=audit(1263252195.265:336):  cwd="/root"

  type=PATH msg=audit(1263252195.265:336): item=0 name="/proc/cpuinfo"
  inode=4026531851 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
  obj=system_u:object_r:proc_t:s0

  type=SYSCALL msg=audit(1263252195.265:337): arch=40000003
  syscall=196 success=yes exit=0 a0=bfdbdc99 a1=94dd11c a2=b79ff4 a3=0
  items=1 ppid=1527 pid=829 auid=4372 uid=0 gid=0 euid=0 suid=0
  fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ls" exe="/bin/ls"
  subj=user_u:system_r:unconfined_t:s0 key=(null)

  type=CWD msg=audit(1263252195.265:337):  cwd="/root"

  type=PATH msg=audit(1263252195.265:337): item=0 name="/proc/cpuinfo"
  inode=4026531851 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
  obj=system_u:object_r:proc_t:s0

Additional info:

  This issue can also be verified by running 

    auditctl -l

  after adding the rule in step two above.  The hexadecimal value of
  the inode in the rule will not match the value on the command line.

  For example:

    # ls -i /proc/cpuinfo
    4026531851 /proc/cpuinfo

    # auditctl -a exit,always -S all -F inode=4026531851
    # auditctl -l
    LIST_RULES: exit,always inode=2147483647 (0x7fffffff) syscall=all

    # dc
    16
    o
    4026531851
    p
    F000000B

  The inode value 0xf000000b does not match the value in the rule
  list.  On an x86_64 system the commands above result in:

    # ls -i /proc/cpuinfo
    4026532000 /proc/cpuinfo

    # auditctl -a exit,always -S all -F inode=4026532000
    # auditctl -l
    LIST_RULES: exit,always inode=-268435296 (0xf00000a0) syscall=all

    # dc
    16
    o
    4026532000
    p
    F00000A0

  So on an x86_64 system, the hex value of the inode matches the actual
  inode value.  The decimal value of the inode listed by the rule doesn't
  match, but that seems like another bug. :)
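The following C program is an added illustration of the conversion the report describes; it is not code from the bug report or from the audit package. It models the old parse on i386 (a 32-bit long, so strtol saturates at LONG_MAX and the rule stores 2147483647 = 0x7fffffff), the old parse on x86_64 (64-bit long parses fine, the store into a 32-bit field truncates, and a signed print shows -268435296), and an unsigned parse that keeps the full value. The function names are this example's own, and the 32-bit behaviour is emulated with strtoll plus a clamp because the host running it most likely has a 64-bit long.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Old path on i386 (32-bit long): strtol() cannot hold 4026531851, so it
 * saturates at LONG_MAX (0x7fffffff) and sets ERANGE.  Modelled with
 * strtoll() plus a 32-bit clamp, since this host likely has a 64-bit long. */
static uint32_t inode_old_i386(const char *s, int *err)
{
    errno = 0;
    long long v = strtoll(s, NULL, 10);
    int e = 0;
    if (errno == ERANGE || v > INT32_MAX) { e = ERANGE; v = INT32_MAX; }
    else if (v < INT32_MIN)              { e = ERANGE; v = INT32_MIN; }
    if (err) *err = e;
    return (uint32_t)(int32_t)v;
}

/* Old path on x86_64 (64-bit long): the parse succeeds; only the store into
 * the rule's 32-bit field truncates, so the bits are right (0xf00000a0) but
 * the field printed as a signed int reads -268435296, as in the report. */
static uint32_t inode_old_x86_64(const char *s)
{
    long long v = strtoll(s, NULL, 10);   /* stands in for a 64-bit long */
    return (uint32_t)v;                   /* truncation to the 32-bit field */
}

/* Fixed path: parse as unsigned so the whole 32-bit inode range fits. */
static uint32_t inode_fixed(const char *s, int *err)
{
    errno = 0;
    unsigned long long v = strtoull(s, NULL, 10);
    if (err) *err = (errno == ERANGE || v > UINT32_MAX) ? ERANGE : 0;
    return (uint32_t)v;
}

int main(void)
{
    const char *inodes[] = { "4026531851", "4026532000" }; /* from the report */
    for (size_t i = 0; i < 2; i++) {
        int e1, e3;
        uint32_t a = inode_old_i386(inodes[i], &e1), b = inode_old_x86_64(inodes[i]);
        uint32_t c = inode_fixed(inodes[i], &e3);
        printf("%s: i386 old=%" PRIu32 " (0x%08" PRIx32 ", ERANGE=%d) | x86_64 old=%" PRId32
               " (0x%08" PRIx32 ") | fixed=%" PRIu32 " (0x%08" PRIx32 ", err=%d)\n",
               inodes[i], a, a, e1 == ERANGE, (int32_t)b, b, c, c, e3);
    }
}
```

The ERANGE flag on the i386 path is the check the old code needed: a saturated value is never a usable inode, so the rule should have been rejected instead of silently installed with inode=2147483647.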

Comment 1 Bryan Mason 2010-01-11 23:29:39 UTC
Created attachment 383119 [details]
Proposed patch

Comment 2 Steve Grubb 2010-01-19 18:44:21 UTC
A similar patch was applied upstream.

Comment 4 Steve Grubb 2010-09-19 21:29:35 UTC
audit-1.7.18-1 was built to resolve this problem.

Comment 9 Eva Kopalova 2010-12-20 11:43:38 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
32-bit systems did not behave correctly when an audit rule with a large inode value was added, because of a signed number conversion. With this update, auditctl treats the inode value as an unsigned number.

Comment 11 errata-xmlrpc 2011-01-13 23:42:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0083.html