Hi,
There has been one issue I am facing with auditing on RHEL 7.1. It is the same one as
described here -
https://www.redhat.com/archives/linux-audit/2015-January/msg00045.html
https://bugzilla.redhat.com/show_bug.cgi?id=1155208
Can you please comment on this whether it has been fixed or not?
Thanks
-----Original Message-----
From: Richard Guy Briggs [mailto:rgb@redhat.com]
Sent: Wednesday, February 24, 2016 7:59 PM
To: Sarthak Jain <Sarthak.Jain(a)microfocus.com>
Subject: Re: Regarding Auditing on RHEL7.1
On 16/02/24, Sarthak Jain wrote:
> Thank you Richard for replying and giving the proper contact. But you
> know in meanwhile, I came across this known bug -
> https://www.redhat.com/archives/linux-audit/2015-January/msg00045.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1155208
> Can you tell me whether it is under progress or it has been fixed?
You are welcome to ask on the list and Cc: me if you want my attention.
Please keep this public unless you have a service contract.
Thanks
-----Original Message-----
From: Richard Guy Briggs [mailto:rgb@redhat.com]
Sent: Wednesday, February 24, 2016 1:13 PM
To: Sarthak Jain <Sarthak.Jain(a)microfocus.com>
Subject: Re: Regarding Auditing on RHEL7.1
On 16/02/24, Sarthak Jain wrote:
> Hi Richard,
Hi Sarthak,
> I am Sarthak Jain working in MicroFocus. I want your small help to
> clarify one of my doubt regarding the kernel auditing on RHEL 7.1. I
> hope you are the right person to contact. It will just 2 min (max
> :P) to go through the problem.
For general audit-related questions, please use the linux-audit(a)redhat.com mailing list.
For RHEL support questions, please contact your Red Hat service contract manager.
> Assumption: Ideally, if we change a configuration file (for ex- /etc/hosts), we
> should be getting audit events for it.
>
> Scenario: By default, the permissions for '/etc/hosts' are (rw-r-r--). If we
> modify this file, then audit events are coming as attached in file - 'file1.txt'.
>
> Problem: Let's say we change the permissions of '/etc/hosts' to
> (rw-rw-rw); then the audit system is not recording the "CONFIG_CHANGE" event at all.
> I have attached the file - 'file2.txt' for your reference. Can you please clarify
> this? Is it a kernel level bug?
>
> I would be greatly thankful to you if you could please comment on this.
>
> Thanks.
>
>
> ----
> time->Wed Feb 24 00:44:20 2016
> type=CONFIG_CHANGE msg=audit(1456296260.392:3012733752): auid=0 ses=612921 op="updated rules" path="/etc/hosts" key=(null) list=4 res=1
> ----
> time->Wed Feb 24 00:44:20 2016
> type=PATH msg=audit(1456296260.392:3012733753): item=3 name="/etc/hosts~" inode=133015 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=CREATE
> type=PATH msg=audit(1456296260.392:3012733753): item=2 name="/etc/hosts" inode=133015 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=DELETE
> type=PATH msg=audit(1456296260.392:3012733753): item=1 name="/etc/" inode=130309 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
> type=PATH msg=audit(1456296260.392:3012733753): item=0 name="/etc/" inode=130309 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
> type=CWD msg=audit(1456296260.392:3012733753): cwd="/root"
> type=SYSCALL msg=audit(1456296260.392:3012733753): arch=c000003e syscall=82 success=yes exit=0 a0=1d5c730 a1=1d82ab0 a2=fffffffffffffea0 a3=7fffcc152380 items=4 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> ----
> time->Wed Feb 24 00:44:20 2016
> type=CONFIG_CHANGE msg=audit(1456296260.393:3012733754): auid=0 ses=612921 op="updated rules" path="/etc/hosts" key=(null) list=4 res=1
> ----
> time->Wed Feb 24 00:44:20 2016
> type=PATH msg=audit(1456296260.393:3012733755): item=1 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:net_conf_t:s0 objtype=CREATE
> type=PATH msg=audit(1456296260.393:3012733755): item=0 name="/etc/" inode=130309 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
> type=CWD msg=audit(1456296260.393:3012733755): cwd="/root"
> type=SYSCALL msg=audit(1456296260.393:3012733755): arch=c000003e syscall=2 success=yes exit=3 a0=1d5c730 a1=241 a2=1c0 a3=0 items=2 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> ----
> time->Wed Feb 24 00:44:20 2016
> type=PATH msg=audit(1456296260.413:3012733759): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(1456296260.413:3012733759): cwd="/root"
> type=SYSCALL msg=audit(1456296260.413:3012733759): arch=c000003e syscall=188 success=yes exit=0 a0=1d5c730 a1=7fc4923b877e a2=1d81fd0 a3=20 items=1 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> ----
> time->Wed Feb 24 00:44:20 2016
> type=PATH msg=audit(1456296260.413:3012733761): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(1456296260.413:3012733761): cwd="/root"
> type=SYSCALL msg=audit(1456296260.413:3012733761): arch=c000003e syscall=90 success=yes exit=0 a0=1d5c730 a1=81c0 a2=0 a3=20 items=1 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> ----
> time->Wed Feb 24 00:44:20 2016
> type=PATH msg=audit(1456296260.414:3012733762): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(1456296260.414:3012733762): cwd="/root"
> type=SYSCALL msg=audit(1456296260.414:3012733762): arch=c000003e syscall=188 success=yes exit=0 a0=1d5c730 a1=7fc491f71ddf a2=1d81c30 a3=1c items=1 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> ----
> time->Wed Feb 24 00:45:55 2016
> type=PATH msg=audit(1456296355.292:3012759691): item=0 name="/etc/hosts~" inode=133015 dev=fd:01 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(1456296355.292:3012759691): cwd="/root"
> type=SYSCALL msg=audit(1456296355.292:3012759691): arch=c000003e syscall=132 success=yes exit=0 a0=2245a70 a1=7fffdf2b4390 a2=2000 a3=7fffdf2b4050 items=1 ppid=7009 pid=7704 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="9980284E037547A8A9364B62ACB360C6"
> ----
> time->Wed Feb 24 00:45:55 2016
> type=PATH msg=audit(1456296355.303:3012759696): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(1456296355.303:3012759696): cwd="/root"
> type=SYSCALL msg=audit(1456296355.303:3012759696): arch=c000003e syscall=90 success=yes exit=0 a0=221f730 a1=81b6 a2=0 a3=7fffdf2b4050 items=1 ppid=7009 pid=7704 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
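As an added example (not code from this thread or from Red Hat), a small Python checker that groups ausearch-style records like the ones quoted above by audit serial and, for a watched path, reports which syscall events on it carry key=(null) and where the watch key instead shows up on an inode that path used to have. The sample records are condensed from the logs quoted above; the watched path argument and the verdict strings are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the ausearch output quoted in the thread:
# vi renames /etc/hosts to /etc/hosts~ and recreates it; a later chmod on the
# new inode carries key=(null) while the old inode still carries the key.
SAMPLE = """\
type=CONFIG_CHANGE msg=audit(1456296260.392:3012733752): auid=0 op="updated rules" path="/etc/hosts" key=(null) list=4 res=1
type=PATH msg=audit(1456296260.392:3012733753): item=3 name="/etc/hosts~" inode=133015 mode=0100700 objtype=CREATE
type=PATH msg=audit(1456296260.392:3012733753): item=2 name="/etc/hosts" inode=133015 mode=0100700 objtype=DELETE
type=SYSCALL msg=audit(1456296260.392:3012733753): arch=c000003e syscall=82 success=yes comm="vi" key=(null)
type=PATH msg=audit(1456296260.393:3012733755): item=1 name="/etc/hosts" inode=133022 mode=0100700 objtype=CREATE
type=SYSCALL msg=audit(1456296260.393:3012733755): arch=c000003e syscall=2 success=yes comm="vi" key=(null)
type=PATH msg=audit(1456296355.292:3012759691): item=0 name="/etc/hosts~" inode=133015 mode=0100666 objtype=NORMAL
type=SYSCALL msg=audit(1456296355.292:3012759691): arch=c000003e syscall=132 success=yes comm="vi" key="9980284E037547A8A9364B62ACB360C6"
type=PATH msg=audit(1456296355.303:3012759696): item=0 name="/etc/hosts" inode=133022 mode=0100666 objtype=NORMAL
type=SYSCALL msg=audit(1456296355.303:3012759696): arch=c000003e syscall=90 success=yes comm="vi" key=(null)
"""

RECORD = re.compile(r'type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(text):
    """Group records by audit serial: {serial: {"PATH": [...], "SYSCALL": [...], ...}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        events[int(serial)][rtype].append(fields)
    return events

def watch_key_findings(text, watched):
    """Walk events in serial order; return (serial, verdict, inode) for a syscall that
    touched `watched` with key=(null), or a keyed syscall on an inode `watched` once had."""
    findings, former_inodes = [], set()
    for serial, ev in sorted(parse(text).items()):
        if not ev["SYSCALL"]:
            continue  # CONFIG_CHANGE and other non-syscall events carry no PATH items
        key = ev["SYSCALL"][0].get("key", "(null)")
        for p in ev["PATH"]:
            if p.get("name") == watched:
                former_inodes.add(p.get("inode"))
                if key == "(null)":
                    findings.append((serial, "watched path, no key", p.get("inode")))
            elif p.get("inode") in former_inodes and key != "(null)":
                findings.append((serial, "key on former inode via " + p["name"], p["inode"]))
    return findings
```

Run against a full `ausearch -i`-free (raw) dump, the output shows at which serial the key stopped following the watched path after an editor replaced the file.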