Bug 786534 - Add vm-pid to VIRT_CONTROL audit events
Summary: Add vm-pid to VIRT_CONTROL audit events
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.2
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Daniel Veillard
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-02-01 17:37 UTC by Steve Grubb
Modified: 2012-06-20 06:47 UTC (History)

Fixed In Version: libvirt-0.9.10-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 06:47:42 UTC
Target Upstream Version:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2012:0748 | 0 | normal | SHIPPED_LIVE | Low: libvirt security, bug fix, and enhancement update | 2012-06-19 19:31:38 UTC

Description Steve Grubb 2012-02-01 17:37:01 UTC
Description of problem:
In order to positively correlate all audit events to a qemu instance, we need to record the vm-pid on startup/shutdown. There is a patch upstream that does this:
http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=98b01e8f2bf3dd3c8a8881f2a94af3f9d1a95620

Testing should be easy. Start up a vm, run ausearch -m VIRT_CONTROL, then run ps -ef and see if the vm-pid field is a qemu process. (Or something like that.)

Additional info:
This is needed for the auvirt program in the 6.3 audit package.

Comment 2 dyuan 2012-02-15 06:56:45 UTC
Verified PASS with libvirt-0.9.10-1.el6.

The vm-pid is the same as the corresponding qemu process id.

# virsh list --all
 Id    Name                           State
----------------------------------------------------
 6     rhel6                          running

#ausearch -m VIRT_CONTROL
...snip...
time->Wed Feb 15 14:36:26 2012
type=VIRT_CONTROL msg=audit(1329287786.381:110288): user pid=2557 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=start reason=restored vm="rhel6" uuid=4f2e1779-7040-702c-efd0-380e87f73a5d vm-pid=29067: exe=2F7573722F7362696E2F6C69627669727464202864656C6574656429 hostname=? addr=? terminal=? res=success'

#ps aux|grep rhel6
qemu     29067  0.4  4.3 1323320 323504 ?      Sl   14:36   0:04 /usr/libexec/qemu-kvm -S -M rhel6.2.0 -enable-kvm -m 1024 -smp 1,sockets=1,cores=1,threads=1 -name rhel6 -uuid 4f2e1779-7040-702c-efd0-380e87f73a5d -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/rhel6.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/rhel62.img,if=none,id=drive-virtio-disk0,format=raw,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=23 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:32:3e:2f,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -vnc 127.0.0.1:1 -vga cirrus -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -incoming fd:19 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6
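
The check that Comment 2 performs by eye, written out as an added example (not part of the bug report and not libvirt or audit code): it parses one VIRT_CONTROL record, extracts vm-pid, and confirms that PID is a qemu process. It goes one step beyond the manual test by also comparing the record's uuid with the process's -uuid argument, since PIDs are reused; the sample record, ps rows and all function names are constructed for this example.

```python
import re

# Constructed sample in the shape of the ausearch/ps output in Comment 2: guest
# name, UUID and PIDs are made up; the exe value is the hex string from the page.
AUDIT = (
    "type=VIRT_CONTROL msg=audit(1329287786.381:110288): user pid=2557 uid=0 "
    "msg='virt=kvm op=start reason=booted vm=\"demo\" "
    "uuid=11111111-2222-3333-4444-555555555555 vm-pid=4242: "
    "exe=2F7573722F7362696E2F6C69627669727464202864656C6574656429 "
    "hostname=? addr=? terminal=? res=success'"
)
PS = (
    "qemu 4242 0.4 4.3 1323320 323504 ? Sl 14:36 0:04 /usr/libexec/qemu-kvm "
    "-name demo -uuid 11111111-2222-3333-4444-555555555555\n"
    "root 4300 0.0 0.1 103300 900 pts/0 S+ 14:40 0:00 grep demo\n"
)

def parse_virt_control(line):
    """Return the key=value fields of the inner msg='...' of one record."""
    inner = re.search(r"msg='(.*)'", line).group(1)
    raw = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', inner))
    rec = {k: v.strip('"') for k, v in raw.items()}
    # The record on the page has a ':' after the PID, so keep the digits only.
    rec["vm-pid"] = int(re.match(r"\d+", rec["vm-pid"]).group())
    # An unquoted, all-hex exe is an audit hex-encoded string; decode it.
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw.get("exe", "")):
        rec["exe"] = bytes.fromhex(raw["exe"]).decode("utf-8", "replace")
    return rec

def parse_ps(text):
    """Map PID -> command line from `ps aux` style rows."""
    rows = (r.split(None, 10) for r in text.splitlines())
    return {int(c[1]): c[10] for c in rows if len(c) == 11 and c[1].isdigit()}

def correlate(rec, procs):
    """Check that vm-pid names a live qemu process started for this guest."""
    argv = procs.get(rec["vm-pid"], "").split()
    if not argv:
        return "no such process"
    if "qemu" not in argv[0]:
        return "pid is not qemu"
    # PIDs are reused, so also compare the -uuid argument with the record.
    if ("-uuid", rec["uuid"]) in zip(argv, argv[1:]):
        return "match"
    return "uuid mismatch"

if __name__ == "__main__":
    rec = parse_virt_control(AUDIT)
    print(rec["vm"], rec["vm-pid"], rec["exe"], correlate(rec, parse_ps(PS)))
```

On a live host the two inputs would come from `ausearch -m VIRT_CONTROL` and `ps aux`, as in the comment above.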

Comment 4 errata-xmlrpc 2012-06-20 06:47:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0748.html

