Bug 231914

Summary: Laus doesn't audit detach event
Product: Red Hat Enterprise Linux 3
Reporter: Matthew Booth <mbooth>
Component: laus
Assignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 3.8
CC: jfautley, sgrubb
Hardware: All
OS: Linux
Fixed In Version: RHBA-2007-0459
Doc Type: Bug Fix
Last Closed: 2007-06-11 18:40:01 UTC
Bug Depends On: 231912

Attachments:
Patch against laus-0.1-70RHEL3 to add audit control events
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options)
Utility to detach a program from laus
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options and old kernel fix)

Description Matthew Booth 2007-03-12 23:05:11 UTC
Description of problem:
An appropriately privileged user (CAP_SYS_ADMIN) can perform various control
actions on the audit system with an ioctl() on /dev/audit. One of these is the
ability to detach a process from the audit system. These control events are not
themselves audited. For the most part it is possible to work round this by
auditing ioctl calls on /dev/audit. However, for detach specifically and also
resume this does not work. This opens a severe hole in the ability of the audit
system to audit operations on itself.

Steps to Reproduce:
1. Create a program which detaches itself from laus by calling laus_detach().
2. Invoke the program.
Actual results:
There is no audit configuration which will audit this.

Expected results:
Should probably be audited by default.

Comment 1 Matthew Booth 2007-03-12 23:14:51 UTC
Created attachment 149880 [details]
Patch against laus-0.1-70RHEL3 to add audit control events

This patch adds the userspace handling for control events generated by the
associated patch in BZ 231912. It also updates the appropriate man pages.

The kernel patch adds a new event type for control events (ioctl()s on
/dev/audit). The event consists of:

* ioctl request number
* ioctl return code

It adds display code to pretty print the event in aucat and augrep. It also
allows filtering on the event. To enable these events, the following line must
be added to filter.conf:

event audit-control = always;

As this behaviour is expected and should be the norm, the patch adds this to
default configuration file. Note that existing configurations which do not
contain the above line will not see these events.
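
The note above about existing configurations is the kind of gap a configuration review should catch. As an added example (not part of this bug report or of the laus project), the following Python check inspects a filter.conf for the `event audit-control = always;` directive and reports when control events would go unlogged. It assumes that `#` starts a comment running to end of line and that a later directive overrides an earlier one; both are assumptions, and the sample filter.conf fragments are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample filter.conf fragments (not taken from a real system).
# The "event audit-control = always;" line is the one the patch adds to the
# default configuration; the syscall rule mirrors the one quoted in this bug.
CONF_WITH_CONTROL = """\
# '#' to end-of-line comment syntax is assumed here
tag "FOO"
syscall ioctl = (is-auditdevice(arg0));

event audit-control = always;
"""

CONF_WITHOUT_CONTROL = """\
tag "FOO"
syscall ioctl = (is-auditdevice(arg0));
"""

CONF_COMMENTED_OUT = """\
# event audit-control = always;
syscall ioctl = (is-auditdevice(arg0));
"""

# Matches "event audit-control = <value>;" and captures <value>.
_EVENT_RE = re.compile(r"^\s*event\s+audit-control\s*=\s*([^;\s]+)\s*;", re.IGNORECASE)


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment (assumed syntax) from one line."""
    return line.split("#", 1)[0]


def audit_control_setting(conf_text: str) -> Optional[str]:
    """Return the value given to 'event audit-control' in a filter.conf,
    or None if the directive is absent or appears only inside a comment."""
    setting = None
    for raw in conf_text.splitlines():
        m = _EVENT_RE.match(_strip_comment(raw))
        if m:
            # Assumption: a later directive overrides an earlier one.
            setting = m.group(1).lower()
    return setting


def control_events_enabled(conf_text: str) -> bool:
    """True only when the directive is present and set to 'always'."""
    return audit_control_setting(conf_text) == "always"


def report(conf_text: str) -> str:
    """One-line finding suitable for a configuration review."""
    setting = audit_control_setting(conf_text)
    if setting is None:
        return "audit-control not configured: detach/resume control events will not be logged"
    if setting != "always":
        return f"audit-control set to '{setting}': expected 'always'"
    return "audit-control = always: control events (including detach/resume) are audited"


if __name__ == "__main__":
    for name, conf in (("with", CONF_WITH_CONTROL),
                       ("without", CONF_WITHOUT_CONTROL),
                       ("commented", CONF_COMMENTED_OUT)):
        print(f"{name:>9}: {report(conf)}")
```

Run against the real file with `report(open("/etc/audit/filter.conf").read())` (path assumed); the commented-out case is included because a directive that is present but disabled looks correct on a casual grep.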

Comment 2 Matthew Booth 2007-03-12 23:39:35 UTC
Created attachment 149884 [details]
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options)

This patch obsoletes the previous patch. It adds the -e CONTROL option to
augrep to allow filtering on control events. It also updates the augrep man

Comment 3 Matthew Booth 2007-03-12 23:46:28 UTC
Created attachment 149886 [details]
Utility to detach a program from laus

This utility can be used to execute a program after detaching from laus. It is
also a useful test for this bug. Execute the following on a RHEL 3 U8 system:

laus_detach /bin/ls

Check the audit logs. Note that there is nothing there. You can even try
auditing all ioctls on /dev/audit by adding the following to filter.conf:

tag "FOO"
syscall ioctl = (is-auditdevice(arg0));

Note that this will audit most events, but not detach or resume.

Apply the patch in this bug to laus, and the associated kernel patch. Add the
following line to filter.conf:

event audit-control = always;

Rerun the test. Note that all control events are now audited.

Comment 8 Matthew Booth 2007-03-13 16:55:16 UTC
Created attachment 149949 [details]
Patch against laus-0.1-70RHEL3 to add audit control events (with augrep options and old kernel fix)

Laus will exit immediately if you try to configure an event which isn't
recognised by the running kernel. This means that if a user updated to the new
laus without a kernel update, or they just didn't reboot, laus would fail to

This is an updated patch which causes startup not to fail if the audit-control
event cannot be configured. All other events will continue to cause a failure.

Comment 11 Steve Grubb 2007-03-19 18:38:24 UTC
Built laus-0.1-75RHEL3 for testing purposes.

Comment 15 Red Hat Bugzilla 2007-06-11 18:40:13 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 16 Issue Tracker 2007-06-12 08:59:46 UTC
Resolved. Closing ticket and informing customer.

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 3.9'

This event sent from IssueTracker by jfautley, issue 116050