Bug 786534 - Add vm-pid to VIRT_CONTROL audit events
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Veillard
QA Contact: Virtualization Bugs
Reported: 2012-02-01 12:37 EST by Steve Grubb
Modified: 2012-06-20 02:47 EDT
Fixed In Version: libvirt-0.9.10-1.el6
Doc Type: Bug Fix
Last Closed: 2012-06-20 02:47:42 EDT
External Trackers:
  Tracker: Red Hat Product Errata
  ID: RHSA-2012:0748
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: Low: libvirt security, bug fix, and enhancement update
  Last Updated: 2012-06-19 15:31:38 EDT

Description Steve Grubb 2012-02-01 12:37:01 EST
Description of problem:
In order to positively correlate all audit events to a qemu instance, we need to record the vm-pid on startup/shutdown. There is a patch upstream that does this:
http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=98b01e8f2bf3dd3c8a8881f2a94af3f9d1a95620

Testing should be easy. Start up a VM, run ausearch -m VIRT_CONTROL, then run ps -ef and see if the vm-pid field is a qemu process. (Or something like that.)

Additional info:
This is needed for the auvirt program in the 6.3 audit package.
Comment 2 dyuan 2012-02-15 01:56:45 EST
Verified PASS with libvirt-0.9.10-1.el6.

The vm-pid is the same as the corresponding qemu process ID.

# virsh list --all
 Id    Name                           State
----------------------------------------------------
 6     rhel6                          running

#ausearch -m VIRT_CONTROL
...snip...
time->Wed Feb 15 14:36:26 2012
type=VIRT_CONTROL msg=audit(1329287786.381:110288): user pid=2557 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=start reason=restored vm="rhel6" uuid=4f2e1779-7040-702c-efd0-380e87f73a5d vm-pid=29067: exe=2F7573722F7362696E2F6C69627669727464202864656C6574656429 hostname=? addr=? terminal=? res=success'

#ps aux|grep rhel6
qemu     29067  0.4  4.3 1323320 323504 ?      Sl   14:36   0:04 /usr/libexec/qemu-kvm -S -M rhel6.2.0 -enable-kvm -m 1024 -smp 1,sockets=1,cores=1,threads=1 -name rhel6 -uuid 4f2e1779-7040-702c-efd0-380e87f73a5d -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/rhel6.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/rhel62.img,if=none,id=drive-virtio-disk0,format=raw,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=23 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:32:3e:2f,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -vnc 127.0.0.1:1 -vga cirrus -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -incoming fd:19 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6
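
The check described in the report and carried out in comment 2, written as a script. This is an added example, not part of the bug report and not code from libvirt or auvirt. It parses a VIRT_CONTROL record, including the trailing colon on vm-pid and the hex-encoded exe field, and matches vm-pid against `ps aux` output. The function names are hypothetical, and comparing `-uuid` as a guard against PID reuse is an assumption added for the example.

```python
import re

# AUDIT is the record from comment 2. In PS the qemu line is shortened from
# comment 2 and the libvirtd line is constructed for contrast.
AUDIT = ("type=VIRT_CONTROL msg=audit(1329287786.381:110288): user pid=2557 uid=0 "
         "auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 "
         "msg='virt=kvm op=start reason=restored vm=\"rhel6\" "
         "uuid=4f2e1779-7040-702c-efd0-380e87f73a5d vm-pid=29067: "
         "exe=2F7573722F7362696E2F6C69627669727464202864656C6574656429 "
         "hostname=? addr=? terminal=? res=success'")
PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2557  0.1  0.2 901234  15000 ?        Sl   09:00   0:10 libvirtd --daemon
qemu     29067  0.4  4.3 1323320 323504 ?      Sl   14:36   0:04 /usr/libexec/qemu-kvm -S -M rhel6.2.0 -name rhel6 -uuid 4f2e1779-7040-702c-efd0-380e87f73a5d
"""

def parse_virt_control(line):
    """Return the fields of one VIRT_CONTROL record, or None for other types."""
    head = re.match(r"type=VIRT_CONTROL msg=audit\((\d+\.\d+):(\d+)\):", line)
    inner = re.search(r"msg='(.*)'", line)
    if not head or not inner:
        return None
    rec = {"time": float(head.group(1)), "serial": int(head.group(2))}
    for key, quoted, bare in re.findall(r'([\w-]+)=(?:"([^"]*)"|(\S+))', inner.group(1)):
        rec[key] = quoted or bare.rstrip(":")   # vm-pid is logged as "29067:"
    # auditd writes untrusted strings either quoted or hex-encoded; decode the latter
    if re.fullmatch(r"(?:[0-9A-F]{2})+", rec.get("exe", "")):
        rec["exe"] = bytes.fromhex(rec["exe"]).decode("utf-8", "replace")
    rec["vm-pid"] = int(rec["vm-pid"]) if rec.get("vm-pid", "").isdigit() else None
    return rec

def correlate(rec, ps_text):
    """Check that vm-pid names a live qemu process started for the same VM uuid."""
    for row in ps_text.splitlines():
        cols = row.split(None, 10)              # 11 columns in `ps aux` output
        if len(cols) == 11 and cols[1].isdigit() and int(cols[1]) == rec["vm-pid"]:
            argv = cols[10].split()
            is_qemu = "qemu" in argv[0].rsplit("/", 1)[-1]
            # Comparing -uuid as well guards against the PID having been reused
            same_vm = "-uuid" in argv[:-1] and argv[argv.index("-uuid") + 1] == rec.get("uuid")
            return {"pid": rec["vm-pid"], "user": cols[0], "is_qemu": is_qemu, "same_vm": same_vm}
    return None   # no such PID: the VM has stopped or the record is stale

if __name__ == "__main__":
    record = parse_virt_control(AUDIT)
    print(record["op"], record["vm"], record["exe"], correlate(record, PS))
```
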
Comment 4 errata-xmlrpc 2012-06-20 02:47:42 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0748.html
