Bug from audit.81 -> audit.82 & higher

Michael C Thompson mcthomps at us.ibm.com
Tue Aug 2 21:03:17 UTC 2005





           Summary: Break in audit filtering on s390x (between audit.81 and
                    audit.82)
            Vendor: Red Hat Linux
           Version: RHEL4_U1
          Platform: zSeries
      Architecture: S390-64
Submitting Project: Bluefortress
       Owning Team: LTC
     Required Date: 0000-00-00 00:00:00
            Status: OPEN
          Severity: high
          Priority: P2
         Component: Kernel
             Owner: bugrobot at linux.ibm.com
       SubmittedBy: mcthomps at us.ibm.com
         QAContact: rosalesa at us.ibm.com


Problem description:
Somewhere in the changes from the audit.81 kernel to the audit.82 kernel
(and up to audit.84), there is a break in filtering rules on the s390x
platform.


Current patches:
audit.81 kernel & higher (varies for testing purposes)

uname -a
Linux lnxltc08 2.6.9-11.EL.audit.82 #1 SMP Fri Jul 29 10:53:17 EDT 2005 s390x s390x s390x GNU/Linux


Hardware Environment
Machine type: s390x, z/VM 5
Cpu type: IBM/S390


The bug is reproducible; the outcome is consistent for all kernels: on
the 81 kernel the record is generated, under the 82+ kernel it is not.

The following audit ruleset will cause no problems under the audit.81 kernel:
auditctl -a entry,always -S open -F a2=448 -F exit!=0 -F auid=500 -F euid=0

However, when this same ruleset is used under the audit.82 kernel (till
audit.84 - highest at the time of writing), the record is not generated.

In order to cause a record to be generated, we create a file as root, and
then attempt to open that file as root. With the ruleset as exit,always,
this will work under all kernels. When the rule is entry,always and we
drop the filter on a2 (-F a2=448), then the rule will pass and the record
is generated under all kernels.

In summary: when the kernel is > audit.82, -a entry,always, and -F a2=448
is included, then the record is not generated. However, changing 1 of
these 3 will result in the record's generation.