Bug 695605 - audisp-remote calls bind() incorrectly
Summary: audisp-remote calls bind() incorrectly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: audit
Version: 6.1
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
: ---
Assignee: Steve Grubb
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 695419
Blocks: RHEL62CCC 682670 846801 846802
TreeView+ depends on / blocked
 
Reported: 2011-04-12 07:18 UTC by Eduard Benes
Modified: 2012-08-08 18:29 UTC (History)
4 users (show)

Fixed In Version: audit-2.1-3.el6
Doc Type: Bug Fix
Doc Text:
Previously if an audispd plugin was restarted, the plugin was not marked as active. Consequently, the remote logging plugin (audisp-remote) was unable to bind to a privileged port on reconnect because all privileges had been dropped. In this updated package, audispd plugins are marked as active after being restarted, and the audisp-remote plugin functions as expected.
Clone Of: 695419
Environment:
Last Closed: 2011-05-19 13:55:40 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0653 0 normal SHIPPED_LIVE audit bug fix and enhancement update 2011-05-18 17:55:30 UTC

Description Eduard Benes 2011-04-12 07:18:34 UTC 
+++ This bug was initially created as a clone of Bug #695419 +++

Description of problem:

audisp-remote does
>		memset (&address, 0, sizeof(address));
>		address.sin_family = htons(AF_INET);
>		address.sin_port = htons(config.local_port);
>		address.sin_addr.s_addr = htonl(INADDR_ANY);
which shows in strace as

> bind(3, {sa_family=0x200 /* AF_??? */, sa_data="\0<\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) = 0

For some reason the call still succeeds, but a correct invocation would not call htons on AF_INET.

--- Additional comment from sgrubb on 2011-04-11 13:26:40 EDT ---

It works because the audit daemon also has a matching mistake. Fixed in revision 505.

--- Additional comment from tmraz on 2011-04-12 02:33:47 EDT ---

And is the daemon really listening on IPv4 port in this case or not?
Comment 2 Steve Grubb 2011-04-13 13:31:18 UTC 
Two other issues that needs to be addressed at the same time: 

1) capabilities are completely dropped. Any reconnect due to the server going down will fail if local_port is < 1024.

2) When audispd restarts a plugin, it does not mark the plugin as active. This means that even though its running, events will not be forwarded to the plugin.
Comment 4 Steve Grubb 2011-04-13 14:07:45 UTC 
audit-2.1-3.el6 was built to resolve this problem.
Comment 11 errata-xmlrpc 2011-05-19 13:55:40 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0653.html
Note You need to log in before you can comment on or make changes to this bug.