Red Hat Bugzilla – Bug 905179
audit rules with -F "auid!=4294967295" return EINVAL
Last modified: 2013-09-27 08:42:49 EDT
Description of problem:
The stig.rules file has a line like this:
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
When it's run, it returns EINVAL:
# auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F "auid>=500" -F "auid!=4294967295" -k access
Error sending add rule data request (Invalid argument)
Version-Release number of selected component (if applicable):
I bumped into the same problem on F17 with kernel-3.7.3-101.fc17.x86_64. Rules fail to load and then auditd stops.
Ping? Any movement on this? This is still broken on the 3.8.1 kernel even though we talked about fixing this on 3.7.6. Any ETA? Thanks.
If you look in kernel/audit_filter.c::audit_rule_to_entry() you will see he added:
f->uid = make_kuid(current_user_ns(), f->val);
however UID_INVALID is actually perfectly valid... We shouldn't do the check at all and should just leave f->uid == UID_INVALID.
The rest of the filter code should then be tested to make sure it can still match properly....
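Added example, not code from this bug or from the kernel: a small C model of how the audit filter's auid field is parsed at rule-load time and later compared against a record's auid. The names kuid_t, INVALID_UID, uid_eq/uid_lt/uid_gt and audit_uid_comparator mirror the kernel's but are local reimplementations; the parser, audit_eval and the rule strings are constructed from the rules quoted in this bug. It shows why the uid-validity check at rule load rejects "auid!=4294967295" with -EINVAL, and why that exclusion is needed at all: auid is unsigned, so "auid>=500" on its own also matches the unset value 4294967295 that daemons such as cupsd carry.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local models of the kernel types used by the audit filter (assumption: same
 * semantics as kernel/auditfilter.c, but this is not kernel code). */
typedef struct { uint32_t val; } kuid_t;
#define KUIDT_INIT(v) ((kuid_t){ (uint32_t)(v) })
#define INVALID_UID   KUIDT_INIT(-1)      /* what make_kuid() returns for -1 */
#define AUDIT_UNSET   ((uint32_t)-1)      /* auid=4294967295: no login uid set */

enum audit_op { AUDIT_EQUAL, AUDIT_NOT_EQUAL, AUDIT_LESS_THAN, AUDIT_GREATER_THAN,
                AUDIT_LESS_THAN_OR_EQUAL, AUDIT_GREATER_THAN_OR_EQUAL };

struct audit_field { enum audit_op op; kuid_t uid; };
struct audit_rule  { struct audit_field f[4]; int nfields; };

static bool uid_eq(kuid_t a, kuid_t b) { return a.val == b.val; }
static bool uid_lt(kuid_t a, kuid_t b) { return a.val <  b.val; }
static bool uid_gt(kuid_t a, kuid_t b) { return a.val >  b.val; }
static bool uid_valid(kuid_t u)        { return u.val != (uint32_t)-1; }

/* Same shape as the kernel's audit_uid_comparator(): 1 on match, 0 otherwise.
 * INVALID_UID is just another value here, so auid=-1 and auid!=-1 both work. */
int audit_uid_comparator(kuid_t left, enum audit_op op, kuid_t right)
{
    switch (op) {
    case AUDIT_EQUAL:                 return uid_eq(left, right);
    case AUDIT_NOT_EQUAL:             return !uid_eq(left, right);
    case AUDIT_LESS_THAN:             return uid_lt(left, right);
    case AUDIT_LESS_THAN_OR_EQUAL:    return uid_lt(left, right) || uid_eq(left, right);
    case AUDIT_GREATER_THAN:          return uid_gt(left, right);
    case AUDIT_GREATER_THAN_OR_EQUAL: return uid_gt(left, right) || uid_eq(left, right);
    }
    return 0;
}

/* Parse one "auid<op><value>" field as auditctl passes it.  With reject_invalid
 * set this reproduces the 3.7/3.8 behaviour reported above: a value of
 * 4294967295 fails with -EINVAL at rule-load time.  Cleared, it mirrors the
 * proposed fix: the field keeps uid == INVALID_UID and the comparator decides. */
int audit_parse_auid_field(const char *spec, bool reject_invalid, struct audit_field *f)
{
    static const struct { const char *tok; enum audit_op op; } ops[] = {
        { ">=", AUDIT_GREATER_THAN_OR_EQUAL }, { "<=", AUDIT_LESS_THAN_OR_EQUAL },
        { "!=", AUDIT_NOT_EQUAL }, { ">", AUDIT_GREATER_THAN },
        { "<", AUDIT_LESS_THAN },  { "=", AUDIT_EQUAL },
    };
    if (strncmp(spec, "auid", 4) != 0)
        return -EINVAL;
    spec += 4;
    for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++) {
        size_t n = strlen(ops[i].tok);
        if (strncmp(spec, ops[i].tok, n) != 0)
            continue;
        char *end;
        unsigned long v = strtoul(spec + n, &end, 10);
        if (*end != '\0' || v > 0xffffffffUL)
            return -EINVAL;
        f->op  = ops[i].op;
        f->uid = KUIDT_INIT(v);                 /* make_kuid(&init_user_ns, v) */
        if (reject_invalid && !uid_valid(f->uid))
            return -EINVAL;                     /* the check the patch removes */
        return 0;
    }
    return -EINVAL;
}

/* Load all fields, then require every field to match, as audit_filter_rules()
 * does.  Returns a negative errno if the rule does not load, else 0 or 1. */
int audit_eval(const char *const *specs, int n, bool reject_invalid, uint32_t record_auid)
{
    struct audit_rule r = { .nfields = 0 };
    for (int i = 0; i < n && i < 4; i++) {
        int err = audit_parse_auid_field(specs[i], reject_invalid, &r.f[r.nfields]);
        if (err)
            return err;
        r.nfields++;
    }
    for (int i = 0; i < r.nfields; i++)
        if (!audit_uid_comparator(KUIDT_INIT(record_auid), r.f[i].op, r.f[i].uid))
            return 0;
    return 1;
}

/* Constructed from the rules quoted in this bug. */
const char *const stig_access_auid_fields[] = { "auid>=500", "auid!=4294967295" };
const char *const stig_no_exclusion_fields[] = { "auid>=500" };
const char *const cupsd_conf_auid_fields[]   = { "auid=4294967295" };

int main(void)
{
    printf("STIG rule with old check, auid=1000 : %d (-EINVAL=%d)\n",
           audit_eval(stig_access_auid_fields, 2, true, 1000), -EINVAL);
    printf("STIG rule without check, auid=1000  : %d\n", audit_eval(stig_access_auid_fields, 2, false, 1000));
    printf("STIG rule without check, auid unset : %d\n", audit_eval(stig_access_auid_fields, 2, false, AUDIT_UNSET));
    printf("auid>=500 alone, auid unset         : %d\n", audit_eval(stig_no_exclusion_fields, 1, false, AUDIT_UNSET));
    printf("auid=4294967295 rule, cupsd (unset) : %d\n", audit_eval(cupsd_conf_auid_fields, 1, false, AUDIT_UNSET));
    return 0;
}
```

The last two lines of output are the practical point: without the "auid!=4294967295" exclusion, every unset-auid daemon hits the STIG rule, and the cupsd rule from the test later in this bug matches only because the comparator is allowed to see the -1 value at all.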
Created attachment 705758
audit: omit check for uid and gid validity in audit rules and data
Remove the check for invalid uid and gid when parsing rules and data for logging.
Revert part of ca57ec0f00c3f139c41bf6b0a5b9bcc95bbb2ad7 (2012-09-11) to fix this.
Tested on f18 kernel 3.9-rc1 6dbe51c251a327e012439c4772097a13df43c5b8 with:
auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F "auid>=500" -F "auid!=4294967295" -k access
So you proved that rule loads.
Did it work?
Does an auid==-1 work?
Yes. I added a rule:
auditctl -a exit,always -F path=/etc/cups/cupsd.conf -F "auid=4294967295" -k etc-cups-cupsd.conf
systemctl start cups.service
which produced the expected:
type=SYSCALL msg=audit(1362767586.796:671): arch=c000003e syscall=4 success=yes exit=0 a0=7fff7f8b5300 a1=7f2cfd213050 a2=7f2cfd213050 a3=a items=1 ppid=1 pid=6820 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key="etc-cups-cupsd.conf"
while a simple
doesn't trigger that filter.
Has this been posted to stable? Reminder... anyone trying to use the audit system cannot. Let's try to get this in 3.8.4 if we can. Thanks.
As far as I know, Richard or Eric haven't posted this upstream anywhere. It isn't going to make 3.8.4 because patches for stable kernels need to be in Linus' tree first.
I had posted a patch attachment here, hoping to get a quick ack from those Cc-ed to this bz and then forgot about it.
I've just posted it (yesterday's post didn't go through):
I'll post to stable when I get a nod.
April 9th, Eric Biederman posted a counter-patch:
April 16th I tested it works as expected.
Eric's patch went into 3.10, so this has been fixed for quite some time.