Bug 784351 - IMA audit events don't show success correctly
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.2
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
Assignee: Eric Paris
QA Contact: John Brier
Reported: 2012-01-24 16:36 UTC by Steve Grubb
Modified: 2013-08-14 23:09 UTC (History)

Fixed In Version: kernel-2.6.32-244.el6
Doc Type: Bug Fix
Last Closed: 2012-06-20 08:19:50 UTC
Links
System ID: Red Hat Product Errata RHSA-2012:0862
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Red Hat Enterprise Linux 6 kernel security, bug fix and enhancement update
Last Updated: 2012-06-20 12:55:00 UTC

Description Steve Grubb 2012-01-24 16:36:18 UTC
Description of problem:
The IMA audit events record success or fail backwards. Success should be res=1, and failure is res=0. The effect of this being backwards is that ausearch cannot properly locate events when success or fail is given for search criteria.

Steps to Reproduce:
1. ausearch -m INTEGRITY_PCR --success no
2. If a record is found, it should have some error in it.

Actual results:
type=INTEGRITY_PCR msg=audit(1327409021.813:21): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op="add_template_measure" cause="hash_added" comm="init" name="01parse-kernel.sh" dev=rootfs ino=5413 res=0

Comment 2 RHEL Program Management 2012-02-14 22:29:41 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.

Comment 7 Aristeu Rozanski 2012-02-29 20:24:17 UTC
Patch(es) available on kernel-2.6.32-244.el6

Comment 11 John Brier 2012-03-15 21:07:27 UTC
VERIFIED

= reproduced =
[root@amd-annapurna-01 ~]# uname -r 
2.6.32-220.el6.x86_64
[root@amd-annapurna-01 ~]# ausearch --start recent -m INTEGRITY_PCR --success yes | grep --color res=0 | head -n 1
type=INTEGRITY_PCR msg=audit(1331841221.643:1593): pid=1974 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 op="add_template_measure" cause="hash_added" comm="sshd" name="protocols" dev=dm-0 ino=2883623 res=0


= verified =
[root@amd-annapurna-01 ~]# uname -r
2.6.32-252.el6.x86_64
[root@amd-annapurna-01 ~]# ausearch --start recent -m INTEGRITY_PCR --success yes | grep res=0
[root@amd-annapurna-01 ~]#
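
Added example, not part of the bug report or of the shipped fix: the check from Comment 11 written as a filter that lists every INTEGRITY_PCR record whose cause and res fields disagree. It assumes cause="hash_added" denotes a successful measurement (so a fixed kernel logs it with res=1); the function names and the third sample record are constructed here.

```shell
#!/bin/sh
# Added example: flag IMA audit records written with the inverted res value.
# Assumption: cause="hash_added" means the measurement succeeded, so a
# correct kernel pairs it with res=1 (success) and never with res=0.

# Sample input. Records 1 and 2 are the ones quoted in this report;
# record 3 is constructed to show what a fixed kernel would log.
sample_records() {
cat <<'EOF'
type=INTEGRITY_PCR msg=audit(1327409021.813:21): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op="add_template_measure" cause="hash_added" comm="init" name="01parse-kernel.sh" dev=rootfs ino=5413 res=0
----
type=INTEGRITY_PCR msg=audit(1331841221.643:1593): pid=1974 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 op="add_template_measure" cause="hash_added" comm="sshd" name="protocols" dev=dm-0 ino=2883623 res=0
type=INTEGRITY_PCR msg=audit(1331900000.000:100): pid=1974 uid=0 auid=4294967295 ses=4294967295 subj=kernel op="add_template_measure" cause="hash_added" comm="sshd" name="protocols" dev=dm-0 ino=2883623 res=1
EOF
}

# Read audit records on stdin and print "<event id> <comm> res=<n>" for each
# INTEGRITY_PCR record that reports a successful cause together with res=0.
# Separator lines and other record types are ignored.
find_inverted() {
    awk '
    $1 == "type=INTEGRITY_PCR" {
        id = cause = comm = res = ""
        for (i = 2; i <= NF; i++) {
            key = $i; sub(/=.*/, "", key)        # text before the first "="
            val = substr($i, length(key) + 2)    # text after it
            gsub(/"/, "", val)                   # drop the quoting
            if (key == "msg") {                  # audit(<time>:<serial>):
                id = val
                sub(/^audit\(/, "", id); sub(/\):$/, "", id)
            }
            else if (key == "cause") cause = val
            else if (key == "comm")  comm = val
            else if (key == "res")   res = val
        }
        if (cause == "hash_added" && res == "0")
            print id, comm, "res=" res
    }'
}

# Stand-alone run over the sample; on a live host the input would instead be
#   ausearch -m INTEGRITY_PCR --raw | find_inverted
sample_records | find_inverted
```

Any output means the records were written by a kernel that still logs the inverted value, so `--success yes` and `--success no` searches over that log return the opposite set of events.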

Comment 13 errata-xmlrpc 2012-06-20 08:19:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0862.html

