Bug 670938 - searching on auid = -1 results in all events
Summary: searching on auid = -1 results in all events
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: audit
Version: 6.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
Assignee: Steve Grubb
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 706156
Reported: 2011-01-19 17:31 UTC by Steve Grubb
Modified: 2018-12-07 13:55 UTC (History)

Fixed In Version: audit-2.0.6-1.el6
Doc Type: Bug Fix
Doc Text:
System processes, that is, processes with an audit id (auid) of -1, are logged by the audit subsystem. However, if the ausearch utility was used to locate events where the auid was -1, it would display all events. In this update, ausearch only returns events with an auid of -1.
Clone Of:
: 706156 (view as bug list)
Environment:
Last Closed: 2011-05-19 13:55:37 UTC
Target Upstream Version:




Links
System: Red Hat Product Errata
ID: RHBA-2011:0653
Priority: normal
Status: SHIPPED_LIVE
Summary: audit bug fix and enhancement update
Last Updated: 2011-05-18 17:55:30 UTC

Description Steve Grubb 2011-01-19 17:31:40 UTC
Description of problem:
When an audit rule such as this is loaded on a 32 bit system:

-a exit,always -S creat -S open -S openat -S truncate -S ftruncate -F success=0 -F auid!=-1

System processes (ones with auid == -1) still get logged. This is because the auid is converted using a signed conversion and then compared in the kernel unsigned. Since 2147483647 does not equal 4294967295, the rule never triggers. Listing the rule back out with "auditctl -l" shows that auid=2147483647 (0x7fffffff) is loaded rather than 4294967295.

Comment 3 Steve Grubb 2011-02-02 13:32:09 UTC
In researching this problem, I found that it was already fixed by https://fedorahosted.org/audit/changeset/268

However during troubleshooting, I needed to get records for auid 4294967295 with ausearch. This resulted in all records rather than the one I wanted. My query was something like this:

ausearch -ul 4294967295 -if ./audit.log

Where audit.log had the following event

type=USER_AUTH msg=audit(1258740386.638:288): user pid=28360 uid=500 auid=500 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=failed'
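The two defects in this report, the signed 32-bit conversion of the auid in the rule (Description) and ausearch matching every record when asked for auid 4294967295 (Comment 3), both come down to how the "unset" auid is represented. The following C program is an added illustration, not code from the audit project or the upstream changesets linked here. It assumes a model of the bug in which a 32-bit strtol() saturates at LONG_MAX when handed 4294967295 (emulated with strtoll() plus a clamp so it behaves the same on 64-bit hosts), compares auids unsigned the way the kernel does, and filters constructed sample records (not real log data) by their auid= field the way a correct ausearch -ul lookup should:

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUID_UNSET 0xffffffffu   /* kernel representation of "no login uid" */

/* Assumed model of the broken path: on a 32-bit system long is 32 bits, so
   strtol("4294967295") overflows and returns LONG_MAX = 2147483647
   (0x7fffffff). strtoll() plus a clamp reproduces that on any host. */
static uint32_t auid_parse_signed32(const char *s)
{
    long long v = strtoll(s, NULL, 10);
    if (v > INT32_MAX) v = INT32_MAX;
    if (v < INT32_MIN) v = INT32_MIN;
    return (uint32_t)(int32_t)v;
}

/* Correct path: "-1" is the conventional spelling of the unset auid and maps
   to 0xffffffff; anything else is parsed as an unsigned 32-bit value. */
static uint32_t auid_parse_unsigned32(const char *s)
{
    if (strcmp(s, "-1") == 0)
        return AUID_UNSET;
    unsigned long long v = strtoull(s, NULL, 10);
    return v > UINT32_MAX ? AUID_UNSET : (uint32_t)v;
}

/* The kernel compares auids as unsigned integers: "auid!=X" fires when the
   event's auid differs from X. With the signed conversion X is 0x7fffffff,
   so a system process (auid 0xffffffff) always differs and gets logged. */
static int rule_auid_ne_fires(uint32_t event_auid, uint32_t rule_auid)
{
    return event_auid != rule_auid;
}

/* Pull the auid= field out of one audit record; returns 0 if absent.
   strtoull() inside the parser stops at the first non-digit. */
static int record_auid(const char *rec, uint32_t *out)
{
    const char *p = strstr(rec, " auid=");
    if (!p)
        return 0;
    *out = auid_parse_unsigned32(p + 6);
    return 1;
}

/* Count records whose auid equals the searched value, i.e. what a correct
   "ausearch -ul <auid>" should report. "-1" and "4294967295" are the same. */
static int count_auid_matches(const char *const *recs, int n, const char *wanted)
{
    uint32_t want = auid_parse_unsigned32(wanted);
    int hits = 0;
    for (int i = 0; i < n; i++) {
        uint32_t a;
        if (record_auid(recs[i], &a) && a == want)
            hits++;
    }
    return hits;
}

/* Constructed sample records for the demo (not real log data). */
static const char *const SAMPLE[] = {
    "type=USER_AUTH msg=audit(1258740386.638:288): user pid=28360 uid=500 auid=500 ses=3 msg='op=PAM:authentication acct=\"root\" res=failed'",
    "type=SYSCALL msg=audit(1258740400.000:289): arch=40000003 syscall=5 success=no exit=-13 pid=1234 uid=0 auid=4294967295 ses=4294967295 comm=\"crond\"",
    "type=SYSCALL msg=audit(1258740401.000:290): arch=40000003 syscall=5 success=no exit=-13 pid=1235 uid=500 auid=500 ses=3 comm=\"bash\"",
};
#define NSAMPLE ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

int main(void)
{
    uint32_t broken = auid_parse_signed32("4294967295");
    uint32_t fixed  = auid_parse_unsigned32("-1");

    printf("signed 32-bit conversion of 4294967295: 0x%08x\n", broken);
    printf("unsigned conversion of -1:              0x%08x\n", fixed);
    printf("auid!=-1 fires for a system process? signed=%d unsigned=%d\n",
           rule_auid_ne_fires(AUID_UNSET, broken),
           rule_auid_ne_fires(AUID_UNSET, fixed));
    printf("records with auid 4294967295: %d of %d\n",
           count_auid_matches(SAMPLE, NSAMPLE, "4294967295"), NSAMPLE);
    return 0;
}
```

The first two lines of output show the 0x7fffffff versus 0xffffffff mismatch described in the report; the rule check then shows why "-F auid!=-1" kept logging system processes under the signed conversion, and the record count shows the expected result of a search for the unset auid: only the one system-process record, not every record in the file.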

Comment 4 Steve Grubb 2011-02-02 13:33:49 UTC
Fixed by upstream commit:
https://fedorahosted.org/audit/changeset/439

Comment 5 Steve Grubb 2011-02-04 18:55:11 UTC
audit-2.0.6-1.el6 was built to fix this problem.

Comment 11 errata-xmlrpc 2011-05-19 13:55:37 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0653.html

