Bug 695605 - audisp-remote calls bind() incorrectly
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: audit
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Steve Grubb
QA Contact: BaseOS QE Security Team
Depends On: 695419
Blocks: 682670 RHEL62CCC 846801 846802
Reported: 2011-04-12 03:18 EDT by Eduard Benes
Modified: 2012-08-08 14:29 EDT
Fixed In Version: audit-2.1-3.el6
Doc Type: Bug Fix
Doc Text:
Previously if an audispd plugin was restarted, the plugin was not marked as active. Consequently, the remote logging plugin (audisp-remote) was unable to bind to a privileged port on reconnect because all privileges had been dropped. In this updated package, audispd plugins are marked as active after being restarted, and the audisp-remote plugin functions as expected.
Clone Of: 695419
Last Closed: 2011-05-19 09:55:40 EDT
Description Eduard Benes 2011-04-12 03:18:34 EDT
+++ This bug was initially created as a clone of Bug #695419 +++

Description of problem:

audisp-remote does
>		memset (&address, 0, sizeof(address));
>		address.sin_family = htons(AF_INET);
>		address.sin_port = htons(config.local_port);
>		address.sin_addr.s_addr = htonl(INADDR_ANY);
which shows in strace as

> bind(3, {sa_family=0x200 /* AF_??? */, sa_data="\0<\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) = 0

For some reason the call still succeeds, but a correct invocation would not call htons on AF_INET.

--- Additional comment from sgrubb@redhat.com on 2011-04-11 13:26:40 EDT ---

It works because the audit daemon also has a matching mistake. Fixed in revision 505.

--- Additional comment from tmraz@redhat.com on 2011-04-12 02:33:47 EDT ---

And is the daemon really listening on IPv4 port in this case or not?
Comment 2 Steve Grubb 2011-04-13 09:31:18 EDT
Two other issues that need to be addressed at the same time:

1) capabilities are completely dropped. Any reconnect due to the server going down will fail if local_port is < 1024.

2) When audispd restarts a plugin, it does not mark the plugin as active. This means that even though it's running, events will not be forwarded to the plugin.
Comment 4 Steve Grubb 2011-04-13 10:07:45 EDT
audit-2.1-3.el6 was built to resolve this problem.
Comment 11 errata-xmlrpc 2011-05-19 09:55:40 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0653.html