Bug 695605 - audisp-remote calls bind() incorrectly
Summary: audisp-remote calls bind() incorrectly
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: audit
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Steve Grubb
QA Contact: BaseOS QE Security Team
Depends On: 695419
Blocks: 682670 RHEL62CCC 846801 846802
TreeView+ depends on / blocked
Reported: 2011-04-12 07:18 UTC by Eduard Benes
Modified: 2012-08-08 18:29 UTC (History)
4 users (show)

Previously if an audispd plugin was restarted, the plugin was not marked as active. Consequently, the remote logging plugin (audisp-remote) was unable to bind to a privileged port on reconnect because all privileges had been dropped. In this updated package, audispd plugins are marked as active after being restarted, and the audisp-remote plugin functions as expected.
Clone Of: 695419
Last Closed: 2011-05-19 13:55:40 UTC

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0653 normal SHIPPED_LIVE audit bug fix and enhancement update 2011-05-18 17:55:30 UTC

Description Eduard Benes 2011-04-12 07:18:34 UTC
+++ This bug was initially created as a clone of Bug #695419 +++

Description of problem:

audisp-remote does
>		memset (&address, 0, sizeof(address));
>		address.sin_family = htons(AF_INET);
>		address.sin_port = htons(config.local_port);
>		address.sin_addr.s_addr = htonl(INADDR_ANY);
which shows in strace as

> bind(3, {sa_family=0x200 /* AF_??? */, sa_data="\0<\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) = 0

For some reason the call still succeeds, but a correct invocation would not call htons on AF_INET.

--- Additional comment from sgrubb@redhat.com on 2011-04-11 13:26:40 EDT ---

It works because the audit daemon also has a matching mistake. Fixed in revision 505.

--- Additional comment from tmraz@redhat.com on 2011-04-12 02:33:47 EDT ---

And is the daemon really listening on IPv4 port in this case or not?

Comment 2 Steve Grubb 2011-04-13 13:31:18 UTC
Two other issues that needs to be addressed at the same time: 

1) capabilities are completely dropped. Any reconnect due to the server going down will fail if local_port is < 1024.

2) When audispd restarts a plugin, it does not mark the plugin as active. This means that even though its running, events will not be forwarded to the plugin.

Comment 4 Steve Grubb 2011-04-13 14:07:45 UTC
audit-2.1-3.el6 was built to resolve this problem.

Comment 11 errata-xmlrpc 2011-05-19 13:55:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.