Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 161322 - auditctl watch function does not work
Summary: auditctl watch function does not work
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 4
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Dave Jones
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2005-06-22 13:16 UTC by Anthony Curtas
Modified: 2015-01-04 22:20 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-05-05 01:14:34 UTC

Attachments (Terms of Use)

Description Anthony Curtas 2005-06-22 13:16:38 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
The audit module "watch" functionality does not appear to be working and gives error messages when attempting to enable it. 

This is a default FC4 installation on an x86_64 system.  No updates as of yet, although at the time of this sumittal, no updates were available for either the kernel or audit packages.

here is a list of the commands with screen io:

[root@fc4-test audit]# service auditd start
Starting auditd:                                           [  OK  ]
[root@fc4-test audit]# auditctl -D
No rules
[root@fc4-test audit]# auditctl -l
No rules
Error sending netlink packet (Invalid argument)

Error sending list request (Invalid argument)
[root@fc4-test audit]# auditctl -w /etc/shadow
Error sending netlink packet (Invalid argument)

Error sending watch insert request (Invalid argument)
Error sending watch to kernel


Here is the audit.log file (which was cleared before the above commands):

type=DAEMON_START msg=audit(1119444982.764:768) auditd start, ver=0.8.2, format=raw, uid=4294967295, auditd pid=4843
type=CONFIG_CHANGE msg=audit(1119444982.967:13083554): audit_enabled=1 old=1 by auid=4294967295
type=CONFIG_CHANGE msg=audit(1119444983.174:13083610): audit_backlog_limit=256 old=256 by auid=4294967295
type=SELINUX_ERR msg=audit(1119445018.854:13089384): SELinux:  unrecognized netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1119445018.854:13089384): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fffff9861f0 a2=10 a3=0 items=0 pid=4852 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1119445018.854:13089384): saddr=100000000000000000000000
type=SOCKADDR msg=audit(1119445034.692:13092295): saddr=100000000000000000000000
type=SYSCALL msg=audit(1119445034.692:13092295): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fffffdc58b0 a2=34 a3=0 items=0 pid=4856 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
type=SELINUX_ERR msg=audit(1119445034.692:13092295): SELinux:  unrecognized netlink message type=1007 for sclass=49

Not shown is the attempt to access the /etc/shadow file from a normal system user.  The changeover to that user is logged into audit.log, but no mention of the /etc/shadow access attempt (and failure) is logged.

SELinux is currently enabled with a targeted policy.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. service auditd start (if stopped)
2. auditctl -D
3. auditctl -w /etc/shadow
4. change to local system user and attempt to open /etc/shadow
5. view log file

Actual Results:  See Description for details.

Expected Results:  Some indication that the watch was set and that an attempt to open the /etc/shadow file was logged in /var/log/audit/audit.log

Additional info:

I'm submitting this bug as a Security issue, since it directly relates to intrusion detection.  However, to my knowledge it does not open up any specific vulnerability.

Comment 1 Steve Grubb 2005-06-22 13:22:55 UTC
This is expected/known. The kernel currently distributed does not support this
functionality. It is currently under development and review. It is likely to be
a few weeks before it is in a FC4 kernel. auditctl has the future functionality
so that one day it all magically works.

Comment 2 Steve Grubb 2005-07-15 17:07:49 UTC
I'm changing the status from security to normal as it is functionality that is
waiting for the kernel to catch up. New audit 0.9.19 packages were put into FC4
testing and rawhide which gives better error messages regarding file system
watches. Please give it a try. File system watch code has been presented on
lkml, so we are slightly closer to putting that capability into fedora kernels,
but its not there yet.

Comment 3 Steve Grubb 2005-08-17 12:19:15 UTC
We are still waiting for the kernel to catch up with user space.

Comment 4 Dave Jones 2005-09-30 06:04:32 UTC
Mass update to all FC4 bugs:

An update has been released (2.6.13-1.1526_FC4) which rebases to a new upstream
kernel ( As there were ~3500 changes upstream between this and the
previous kernel, it's possible your bug has been fixed already.

Please retest with this update, and update this bug if necessary.


Comment 5 Dave Jones 2005-11-10 19:00:38 UTC
2.6.14-1.1637_FC4 has been released as an update for FC4.
Please retest with this update, as a large amount of code has been changed in
this release, which may have fixed your problem.

Thank you.

Comment 6 Dave Jones 2006-02-03 05:08:21 UTC
This is a mass-update to all currently open kernel bugs.

A new kernel update has been released (Version: 2.6.15-1.1830_FC4)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

Thank you.

Comment 7 John Thacker 2006-05-05 01:14:34 UTC
Closing per previous comment.

Note You need to log in before you can comment on or make changes to this bug.