Bug 695605 - audisp-remote calls bind() incorrectly
audisp-remote calls bind() incorrectly
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: audit (Show other bugs)
Unspecified Unspecified
high Severity medium
: rc
: ---
Assigned To: Steve Grubb
BaseOS QE Security Team
Depends On: 695419
Blocks: 682670 RHEL62CCC 846801 846802
  Show dependency treegraph
Reported: 2011-04-12 03:18 EDT by Eduard Benes
Modified: 2012-08-08 14:29 EDT (History)
4 users (show)

See Also:
Fixed In Version: audit-2.1-3.el6
Doc Type: Bug Fix
Doc Text:
Previously if an audispd plugin was restarted, the plugin was not marked as active. Consequently, the remote logging plugin (audisp-remote) was unable to bind to a privileged port on reconnect because all privileges had been dropped. In this updated package, audispd plugins are marked as active after being restarted, and the audisp-remote plugin functions as expected.
Story Points: ---
Clone Of: 695419
Last Closed: 2011-05-19 09:55:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Eduard Benes 2011-04-12 03:18:34 EDT
+++ This bug was initially created as a clone of Bug #695419 +++

Description of problem:

audisp-remote does
>		memset (&address, 0, sizeof(address));
>		address.sin_family = htons(AF_INET);
>		address.sin_port = htons(config.local_port);
>		address.sin_addr.s_addr = htonl(INADDR_ANY);
which shows in strace as

> bind(3, {sa_family=0x200 /* AF_??? */, sa_data="\0<\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) = 0

For some reason the call still succeeds, but a correct invocation would not call htons on AF_INET.

--- Additional comment from sgrubb@redhat.com on 2011-04-11 13:26:40 EDT ---

It works because the audit daemon also has a matching mistake. Fixed in revision 505.

--- Additional comment from tmraz@redhat.com on 2011-04-12 02:33:47 EDT ---

And is the daemon really listening on IPv4 port in this case or not?
Comment 2 Steve Grubb 2011-04-13 09:31:18 EDT
Two other issues that needs to be addressed at the same time: 

1) capabilities are completely dropped. Any reconnect due to the server going down will fail if local_port is < 1024.

2) When audispd restarts a plugin, it does not mark the plugin as active. This means that even though its running, events will not be forwarded to the plugin.
Comment 4 Steve Grubb 2011-04-13 10:07:45 EDT
audit-2.1-3.el6 was built to resolve this problem.
Comment 11 errata-xmlrpc 2011-05-19 09:55:40 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.