Ubuntu
linux package

Kernel provides incomplete audit information when an existing monitored file is modified

Bug #1439441 reported by Gavin Guo on 2015-04-01
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Gavin Guo
Trusty
Fix Released
Undecided
Unassigned
Utopic
Fix Released
Undecided
Unassigned
Vivid
Fix Released
Undecided
Gavin Guo
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

[Impact]
The audit system cannot identify the correct path of the monitored file.

The trusty kernel and utopic kernel both suffer the bug.

root@node-7:~# echo "lalala" >> /etc/testfile
"sudo tail -f /var/log/audit/audit.log" results in the following auditd entry:
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL msg=audit(1421321904.615:60229): arch=c000003e syscall=2 success=yes exit=3 a0=1dcbd88 a1=441 a2=1b6 a3=7ffff3cc0458 items=3 ppid=49217 pid=49233 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=271 tty=pts13 comm="bash" exe="/bin/bash" key="system_configuration_change"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD msg=audit(1421321904.615:60229): cwd="/root"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=0 name="/etc/" inode=1572865 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=1 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=2 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=EOE msg=audit(1421321904.615:60229):
the file modified is referenced only by inode : 1582123

With non-buggy kernel (e.g. 3.2.0-72-generic) the output is:
root@atlas:/tmp# echo "lalal" >> /etc/testfile
"sudo tail -f /var/log/audit/audit.log" produces the following output:
Jan 15 11:40:36 localhost audispd: node=atlas type=SYSCALL msg=audit(1421322036.194:6825): arch=c000003e syscall=2 success=yes exit=3 a0=24ac028 a1=441 a2=1b6 a3=7fff7ddaefe8 items=1 ppid=18562 pid=18570 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=410 comm="bash" exe="/bin/bash" key="system_configuration_change"
Jan 15 11:40:36 localhost audispd: node=atlas type=CWD msg=audit(1421322036.194:6825): cwd="/tmp"
Jan 15 11:40:36 localhost audispd: node=atlas type=PATH msg=audit(1421322036.194:6825): item=0 name="/etc/testfile" inode=159619 dev=fd:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
Jan 15 11:40:36 localhost audispd: node=atlas type=EOE msg=audit(1421322036.194:6825):

[Fix]
commit 4a92843601ad0f5067f441d2f0dca55bbe18c076
Author: Paul Moore <email address hidden>
Date: Mon Dec 22 12:27:39 2014 -0500

    audit: correctly record file names with different path name types

    There is a problem with the audit system when multiple audit records
    are created for the same path, each with a different path name type.
    The root cause of the problem is in __audit_inode() when an exact
    match (both the path name and path name type) is not found for a
    path name record; the existing code creates a new path name record,
    but it never sets the path name in this record, leaving it NULL.
    This patch corrects this problem by assigning the path name to these
    newly created records.

    There are many ways to reproduce this problem, but one of the
    easiest is the following (assuming auditd is running):

      # mkdir /root/tmp/test
      # touch /root/tmp/test/567
      # auditctl -a always,exit -F dir=/root/tmp/test
      # touch /root/tmp/test/567

    Afterwards, or while the commands above are running, check the audit
    log and pay special attention to the PATH records. A faulty kernel
    will display something like the following for the file creation:

      type=SYSCALL msg=audit(1416957442.025:93): arch=c000003e syscall=2
        success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
      type=CWD msg=audit(1416957442.025:93): cwd="/root/tmp"
      type=PATH msg=audit(1416957442.025:93): item=0 name="test/"
        inode=401409 ... nametype=PARENT
      type=PATH msg=audit(1416957442.025:93): item=1 name=(null)
        inode=393804 ... nametype=NORMAL
      type=PATH msg=audit(1416957442.025:93): item=2 name=(null)
        inode=393804 ... nametype=NORMAL

    While a patched kernel will show the following:

      type=SYSCALL msg=audit(1416955786.566:89): arch=c000003e syscall=2
        success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
      type=CWD msg=audit(1416955786.566:89): cwd="/root/tmp"
      type=PATH msg=audit(1416955786.566:89): item=0 name="test/"
        inode=401409 ... nametype=PARENT
      type=PATH msg=audit(1416955786.566:89): item=1 name="test/567"
        inode=393804 ... nametype=NORMAL

    This issue was brought up by a number of people, but special credit
    should go to <email address hidden> for reporting the problem along
    with an explanation of the problem and a patch. While the original
    patch did have some problems (see the archive link below), it did
    demonstrate the problem and helped kickstart the fix presented here.

      * https://lkml.org/lkml/2014/9/5/66

    Reported-by: hujianyang <email address hidden>
    Signed-off-by: Paul Moore <email address hidden>
    Acked-by: Richard Guy Briggs <email address hidden>

$ git describe --contains 4a92843601ad0f5067f441d2f0dca55bbe18c076
v3.19-rc2~7^2~1

[Test case]
- Install any one of the kernel from 3.13 ~ 3.19rc2
- sudo apt-get install -y auditd
- sudo vim /etc/audit/audit.rules
-D
-b 1024
-w /etc/ -p wa -k system_configuration_change
-w /usr/bin -p wa -k system_binary_change
-w /usr/sbin -p wa -k system_binary_change
-w /bin/ -p wa -k system_binary_change
-w /usr/bin/sudo -F auid!=nova -F uid!=nova -F auid!=neutron -F uid!=neutron -F auid!=cinder -F uid!=cinder -F auid!=zabbix -F uid!=zabbix -p x -k privilege_escalation
-w /bin/su -p x -k privilege_escalation
-w /bin/mount -p x -k filesystem_modification
-w /bin/umount -p x -k filesystem_modification
-w /bin/chown -p x -k filesystem_modification
-w /bin/chgrp -p x -k filesystem_modification
-w /bin/chmod -p x -k filesystem_modification
-w /var/log -p wra -F auid>10000 -F auid!=4294967295 -k system_logs_access
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S clock_settime -k time-change_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S clock_settime -k time-change_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S chroot -S mount -S umount2 -k filesystem_modification_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S chroot -S mount -S umount2 -k filesystem_modification_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S kill -S tkill -S tgkill -k process_termination_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S kill -S tkill -S tgkill -k process_termination_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b64 -S execve -k audit_trail
-a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b32 -S execve -k audit_trail

- sudo vim /etc/audit/auditd.conf
log_format = RAW
priority_boost = 3
disp_qos = lossless
dispatcher = /sbin/audispd
name_format = hostname
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SYSLOG
disk_full_action = SYSLOG
disk_error_action = SYSLOG

- sudo su
- # echo "lalala" >> /etc/testfile
- Open another console: $ sudo tail -f /var/log/audit/audit.log

CVE References

Gavin Guo (mimi0213kimo) on 2015-04-01
Changed in linux (Ubuntu):
assignee: nobody → Gavin Guo (mimi0213kimo)
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1439441

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: precise
Gavin Guo (mimi0213kimo) wrote :

Test of the following kernel fail:
linux-image-3.13.0-031300-generic_3.13.0-031300.201401192235_amd64.deb
linux-image-3.13.0-24-generic
linux-image-3.13.0-46-generic
linux-image-3.15.0-031500-generic_3.15.0-031500.201406131105_amd64.deb
linux-image-3.17.0-031700-generic_3.17.0-031700.201410060605_amd64.deb
linux-image-3.18.0-031800-generic_3.18.0-031800.201412071935_amd64.deb
linux-image-3.18.9-031809-generic_3.18.9-031809.201503080036_amd64.deb

Success:
linux-image-3.2.0-23-generic
linux-image-3.2.0-79-virtual
linux-image-3.19.0-031900rc2-generic_3.19.0-031900rc2.201412290135_amd64.deb
linux-image-3.19.0-031900rc4-generic_3.19.0-031900rc4.201501112135_amd64.deb
linux-image-3.19.0-031900-generic_3.19.0-031900.201502091451_amd64.deb
linux-image-4.0.0-040000rc6-generic_4.0.0-040000rc6.201503291935_amd64.deb

Bisect process:
linux-image-3.13.0-031300-generic_3.13.0-031300.201401192235_amd64.deb - fail
linux-image-3.13.0-24-generic - fail
linux-image-3.13.0-46-generic - fail
linux-image-3.15.0-031500-generic_3.15.0-031500.201406131105_amd64.deb - fail
linux-image-3.17.0-031700-generic_3.17.0-031700.201410060605_amd64.deb - fail
linux-image-3.18.0-031800-generic_3.18.0-031800.201412071935_amd64.deb - fail
linux-image-3.18.9-031809-generic_3.18.9-031809.201503080036_amd64.deb - fail
linux-image-3.19.0-031900rc1-generic_3.19.0-031900rc1.201412210135_amd64.deb - fail
linux-image-3.19.0-031900rc2-generic_3.19.0-031900rc2.201412290135_amd64.deb - success
linux-image-3.19.0-031900rc4-generic_3.19.0-031900rc4.201501112135_amd64.deb - success
linux-image-3.19.0-031900-generic_3.19.0-031900.201502091451_amd64.deb - success
linux-image-4.0.0-040000rc6-generic_4.0.0-040000rc6.201503291935_amd64.deb - success

Tue Mar 31 17:58:38 gavin@gavin-w530:~/os/work_kernel$ git log --pretty=oneline v3.19-rc1..v3.19-rc2 kernel/audit*
66b3f4f0a0fcc197a1e432c3d2134f5c6a5275b9 Merge branch 'upstream' of git://git.infradead.org/users/pcm
041d7b98ffe59c59fdd639931dea7d74f9aa9a59 audit: restore AUDIT_LOGINUID unset ABI
4a92843601ad0f5067f441d2f0dca55bbe18c076 audit: correctly record file names with different path name
54dc77d974a50147d6639dac6f59cb2c29207161 audit: use supplied gfp_mask from audit_buffer in kauditd_se
3640dcfa4fd00cd91d88bb86250bdb496f7070c0 audit: don't attempt to lookup PIDs when changing PID filter

solution:
commit 4a92843601ad0f5067f441d2f0dca55bbe18c076
Author: Paul Moore <email address hidden>
Date: Mon Dec 22 12:27:39 2014 -0500

    audit: correctly record file names with different path name types

Tim Gardner (timg-tpi) on 2015-04-03
Changed in linux (Ubuntu Trusty):
status: New → Fix Committed
Changed in linux (Ubuntu Utopic):
status: New → Fix Committed
Changed in linux (Ubuntu Vivid):
status: Incomplete → Fix Released
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
tags: added: verification-needed-utopic
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-utopic' to 'verification-done-utopic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Gavin Guo (mimi0213kimo) on 2015-04-21
tags: added: verification-done-trusty
removed: verification-needed-trusty
Gavin Guo (mimi0213kimo) on 2015-04-21
tags: added: verification-done-utopic
removed: verification-needed-utopic
Launchpad Janitor (janitor) wrote :
Download full text (15.5 KiB)

This bug was fixed in the package linux - 3.16.0-36.48

---------------
linux (3.16.0-36.48) utopic; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1443946
  * Merged back Ubuntu-3.16.0-34.47 security release

linux (3.16.0-35.46) utopic; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1442324

  [ Andy Whitcroft ]

  * [Config] CONFIG_DEFAULT_MMAP_MIN_ADDR needs to match on armhf and arm64
    - LP: #1418140

  [ Chris J Arges ]

  * [Config] CONFIG_PCIEASPM_DEBUG=y
    - LP: #1398544

  [ dann frazier ]

  * [Config] CONFIG_RTC_DRV_EFI=y on arm64
    - LP: #1441291

  [ Upstream Kernel Changes ]

  * Revert "USB: serial: make bulk_out_size a lower limit"
    - LP: #1441317
  * Revert "i2c: core: Dispose OF IRQ mapping at client removal time"
    - LP: #1441317
  * Revert "net: cx82310_eth: use common match macro"
    - LP: #1441317
  * KEYS: request_key() should reget expired keys rather than give
    EKEYEXPIRED
    - LP: #1124250
  * drm/i915/bdw: 3D_CHICKEN3 has write mask bits
    - LP: #1374389
  * drm/i915: call lpt_init_clock_gating on BDW too
    - LP: #1374389
  * drm/i915/bdw: Apply workarounds in render ring init function
    - LP: #1374389
  * drm/i915/bdw: Cleanup pre prod workarounds
    - LP: #1374389
  * drm/i915: Refactor Broadwell PIPE_CONTROL emission into a helper.
    - LP: #1374389
  * drm/i915: Add the WaCsStallBeforeStateCacheInvalidate:bdw workaround.
    - LP: #1374389
  * drm/i915/bdw: Remove BDW preproduction W/As until C stepping.
    - LP: #1374389
  * drm/i915: Rework GPU reset sequence to match driver load & thaw
    - LP: #1384469
  * drm/ast: switch to using CACHED by default for sysram
    - LP: #1420627
  * drm/ast: Add missing entry to dclk_table[]
    - LP: #1420627
  * drm/ast: Add reduced blanking modes for wide screen mode
    - LP: #1420627
  * drm/ast: Try to use MMIO registers when PIO isn't supported
    - LP: #1420627
  * drm/ast: POST chip at probe time if VGA not enabled
    - LP: #1420627
  * drm/ast: Properly initialize P2A base before using it in
    ast_init_3rdtx()
    - LP: #1420627
  * drm/ast: Don't assume DVO enabled means SIL164 on uninitialized chips
    - LP: #1420627
  * drm/ast: Cleanup analog init code path
    - LP: #1420627
  * audit: correctly record file names with different path name types
    - LP: #1439441
  * of: Create of_console_check() for selecting a console specified in
    /chosen
    - LP: #1438585
  * of: Enable console on serial ports specified by /chosen/stdout-path
    - LP: #1438585
  * of: correct of_console_check()'s return value
    - LP: #1438585
  * of: Add bindings for chosen node, stdout-path
    - LP: #1438585
  * of: add optional options parameter to of_find_node_by_path()
    - LP: #1438585
  * of: support passing console options with stdout-path
    - LP: #1438585
  * netfilter: nf_tables: disable preemption when restoring chain counters
    - LP: #1441317
  * netfilter: nf_tables: fix leaks in error path of nf_tables_newchain()
    - LP: #1441317
  * ipvs: rerouting to local clients is not needed anymore
    - LP: #1441317
  * netfilter: nft_compat: fix module refcount underflow
    - LP: #1441317
  * netf...

Changed in linux (Ubuntu Utopic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (13.4 KiB)

This bug was fixed in the package linux - 3.13.0-51.84

---------------
linux (3.13.0-51.84) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1444141
  * Merged back Ubuntu-3.13.0-49.83 security release

linux (3.13.0-50.82) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1442285

  [ Andy Whitcroft ]

  * [Config] CONFIG_DEFAULT_MMAP_MIN_ADDR needs to match on armhf and arm64
    - LP: #1418140

  [ Chris J Arges ]

  * [Config] CONFIG_PCIEASPM_DEBUG=y
    - LP: #1398544

  [ Upstream Kernel Changes ]

  * KEYS: request_key() should reget expired keys rather than give
    EKEYEXPIRED
    - LP: #1124250
  * audit: correctly record file names with different path name types
    - LP: #1439441
  * KVM: x86: Check for nested events if there is an injectable interrupt
    - LP: #1413540
  * be2iscsi: fix memory leak in error path
    - LP: #1440156
  * block: remove old blk_iopoll_enabled variable
    - LP: #1440156
  * be2iscsi: Fix handling timed out MBX completion from FW
    - LP: #1440156
  * be2iscsi: Fix doorbell format for EQ/CQ/RQ s per SLI spec.
    - LP: #1440156
  * be2iscsi: Fix the session cleanup when reboot/shutdown happens
    - LP: #1440156
  * be2iscsi: Fix scsi_cmnd leakage in driver.
    - LP: #1440156
  * be2iscsi : Fix DMA Out of SW-IOMMU space error
    - LP: #1440156
  * be2iscsi: Fix retrieving MCCQ_WRB in non-embedded Mbox path
    - LP: #1440156
  * be2iscsi: Fix exposing Host in sysfs after adapter initialization is
    complete
    - LP: #1440156
  * be2iscsi: Fix interrupt Coalescing mechanism.
    - LP: #1440156
  * be2iscsi: Fix TCP parameters while connection offloading.
    - LP: #1440156
  * be2iscsi: Fix memory corruption in MBX path
    - LP: #1440156
  * be2iscsi: Fix destroy MCC-CQ before MCC-EQ is destroyed
    - LP: #1440156
  * be2iscsi: add an missing goto in error path
    - LP: #1440156
  * be2iscsi: remove potential junk pointer free
    - LP: #1440156
  * be2iscsi: Fix memory leak in mgmt_set_ip()
    - LP: #1440156
  * be2iscsi: Fix the sparse warning introduced in previous submission
    - LP: #1440156
  * be2iscsi: Fix updating the boot enteries in sysfs
    - LP: #1440156
  * be2iscsi: Fix processing CQE before connection resources are freed
    - LP: #1440156
  * be2iscsi : Fix kernel panic during reboot/shutdown
    - LP: #1440156
  * fixed invalid assignment of 64bit mask to host dma_boundary for scatter
    gather segment boundary limit.
    - LP: #1440156
  * quota: Store maximum space limit in bytes
    - LP: #1441284
  * ip: zero sockaddr returned on error queue
    - LP: #1441284
  * net: rps: fix cpu unplug
    - LP: #1441284
  * ipv6: stop sending PTB packets for MTU < 1280
    - LP: #1441284
  * netxen: fix netxen_nic_poll() logic
    - LP: #1441284
  * udp_diag: Fix socket skipping within chain
    - LP: #1441284
  * ping: Fix race in free in receive path
    - LP: #1441284
  * bnx2x: fix napi poll return value for repoll
    - LP: #1441284
  * net: don't OOPS on socket aio
    - LP: #1441284
  * bridge: dont send notification when skb->len == 0 in rtnl_bridge_notify
    - LP: #1441284
  * ipv4: tcp: get rid of ugly unicast_sock
...

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers