Bug 554555 - audit does not work for filtering a large inode number on i386
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: audit
Version: 4.8
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Steve Grubb
QA Contact: BaseOS QE Security Team
Depends On: 554553
Blocks: 557035
Reported: 2010-01-11 23:33 UTC by Bryan Mason
Modified: 2018-10-27 15:44 UTC (History)

Doc Type: Bug Fix
Clone Of: 554553
Last Closed: 2012-06-14 20:52:43 UTC



Description Bryan Mason 2010-01-11 23:33:05 UTC
+++ This bug was initially created as a clone of Bug #554553 +++

Description of problem:

  audit may not handle rules with large integers correctly.  For example,
  running
    
    auditctl -a exit,always -S all -F inode=<large_inode_number>

  has no effect on an i386 system.

Version-Release number of selected component (if applicable):

  audit-1.7.17-3.el5

How reproducible:

  100%

Steps to Reproduce:

  1. Make sure that the audit service (auditd) is started

  2. Run

        auditctl -a exit,always -S all \
            -F inode=`ls -i /proc/cpuinfo | cut -f 1 -d ' '`

     to add a rule with a large inode number.  (/proc/cpuinfo seems to
     usually have a large enough inode number) 

  3. Run "ls /proc/cpuinfo" to trigger the previously added rule.
  
Actual results:

  No messages are generated in /var/log/audit/audit.log

Expected results:

  Messages similar to the following should be added to
  /var/log/audit/audit.log:

  type=SYSCALL msg=audit(1263252195.265:336): arch=40000003
  syscall=195 success=yes exit=0 a0=bfdbdc99 a1=94dd11c a2=b79ff4
  a3=bfdbcfe0 items=1 ppid=1527 pid=829 auid=4372 uid=0 gid=0 euid=0
  suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ls"
  exe="/bin/ls" subj=user_u:system_r:unconfined_t:s0 key=(null)

  type=CWD msg=audit(1263252195.265:336):  cwd="/root"

  type=PATH msg=audit(1263252195.265:336): item=0 name="/proc/cpuinfo"
  inode=4026531851 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
  obj=system_u:object_r:proc_t:s0

  type=SYSCALL msg=audit(1263252195.265:337): arch=40000003
  syscall=196 success=yes exit=0 a0=bfdbdc99 a1=94dd11c a2=b79ff4 a3=0
  items=1 ppid=1527 pid=829 auid=4372 uid=0 gid=0 euid=0 suid=0
  fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ls" exe="/bin/ls"
  subj=user_u:system_r:unconfined_t:s0 key=(null)

  type=CWD msg=audit(1263252195.265:337):  cwd="/root"

  type=PATH msg=audit(1263252195.265:337): item=0 name="/proc/cpuinfo"
  inode=4026531851 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
  obj=system_u:object_r:proc_t:s0

Additional info:

  This issue can also be verified by running 

    auditctl -l

  after adding the rule in step two above.  The hexadecimal value of
  the inode in the rule will not match the value on the command line.

  For example:

    # ls -i /proc/cpuinfo
    4026531851 /proc/cpuinfo

    # auditctl -a exit,always -S all -F inode=4026531851
    # auditctl -l
    LIST_RULES: exit,always inode=2147483647 (0x7fffffff) syscall=all

    # dc
    16
    o
    4026531851
    p
    F000000B

  The inode value 0xf000000b does not match the value in the rule
  list.  On an x86_64 system the commands above result in:

    # ls -i /proc/cpuinfo
    4026532000 /proc/cpuinfo

    # auditctl -a exit,always -S all -F inode=4026532000
    # auditctl -l
    LIST_RULES: exit,always inode=-268435296 (0xf00000a0) syscall=all

    # dc
    16
    o
    4026532000
    p
    F00000A0

  So on an x86_64 system, the hex value of the inode matches the actual
  inode value.  The decimal value of the inode listed by the rule doesn't
  match, but that seems like another bug. :)

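An added illustration of the two outputs shown above; this is not code from the bug report or from the audit project. It assumes the i386 result (inode=2147483647) comes from a signed 32-bit conversion that saturates at 0x7fffffff, and the x86_64 result (inode=-268435296) from storing a 64-bit value in a 32-bit field, and shows a range-checked unsigned parse that avoids both:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Emulates a signed 32-bit strtol() as on i386: a value above LONG_MAX
 * saturates to 0x7fffffff, the value "auditctl -l" printed in the report.
 * Assumption: a signed 32-bit conversion is what produced the symptom;
 * the real auditctl parser is not reproduced here. */
static int32_t parse_inode_i386_style(const char *s)
{
    long long v = strtoll(s, NULL, 10);   /* strtoll is 64-bit on any host */
    if (v > INT32_MAX) return INT32_MAX;
    if (v < INT32_MIN) return INT32_MIN;
    return (int32_t)v;
}

/* Emulates x86_64: a 64-bit strtol() keeps the full value, but storing it
 * in a 32-bit rule field keeps only the low 32 bits (0xf00000a0), which a
 * signed decimal print then shows as -268435296. */
static int32_t parse_inode_x86_64_style(const char *s)
{
    long long v = strtoll(s, NULL, 10);
    return (int32_t)(uint32_t)v;          /* low 32 bits, reinterpreted */
}

/* Width-independent parsing of an inode field: unsigned conversion plus a
 * full syntax and range check. Returns the value (0..UINT32_MAX) or -1. */
static long long parse_inode_checked(const char *s)
{
    char *end;
    unsigned long long v;
    if (*s == '-' || *s == '+' || *s == '\0') return -1; /* strtoull accepts "-1" */
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT32_MAX) return -1;
    return (long long)v;
}

int main(void)
{
    const char *ino = "4026531851";       /* /proc/cpuinfo inode from the report */
    printf("i386-style  : %d (0x%08x)\n", parse_inode_i386_style(ino),
           (uint32_t)parse_inode_i386_style(ino));
    printf("x86_64-style: %d (0x%08x)\n", parse_inode_x86_64_style(ino),
           (uint32_t)parse_inode_x86_64_style(ino));
    printf("checked     : %lld\n", parse_inode_checked(ino));
    printf("checked 2^32: %lld (rejected)\n", parse_inode_checked("4294967296"));
    return 0;
}
```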
Comment 5 Steve Grubb 2010-01-19 18:30:31 UTC
audit-1.0.16-5 has been built to resolve this issue.
