Kernel provides incomplete audit information when an existing monitored file is modified
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Undecided | Gavin Guo | |
| Trusty | Fix Released | Undecided | Unassigned | |
| Utopic | Fix Released | Undecided | Unassigned | |
| Vivid | Fix Released | Undecided | Gavin Guo | |
Bug Description
[Impact]
The audit system cannot identify the correct path of the monitored file.
Both the trusty and utopic kernels are affected.
root@node-7:~# echo "lalala" >> /etc/testfile
"sudo tail -f /var/log/
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL msg=audit(
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD msg=audit(
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=EOE msg=audit(
The modified file is referenced only by its inode (1582123); no path name is recorded for it.
With a non-buggy kernel (e.g. 3.2.0-72-generic) the output is:
root@atlas:/tmp# echo "lalal" >> /etc/testfile
"sudo tail -f /var/log/
Jan 15 11:40:36 localhost audispd: node=atlas type=SYSCALL msg=audit(
Jan 15 11:40:36 localhost audispd: node=atlas type=CWD msg=audit(
Jan 15 11:40:36 localhost audispd: node=atlas type=PATH msg=audit(
Jan 15 11:40:36 localhost audispd: node=atlas type=EOE msg=audit(
[Fix]
commit 4a92843601ad0f5
Author: Paul Moore <email address hidden>
Date: Mon Dec 22 12:27:39 2014 -0500
audit: correctly record file names with different path name types
There is a problem with the audit system when multiple audit records
are created for the same path, each with a different path name type.
The root cause of the problem is in __audit_inode() when an exact
match (both the path name and path name type) is not found for a
path name record; the existing code creates a new path name record,
but it never sets the path name in this record, leaving it NULL.
This patch corrects this problem by assigning the path name to these
newly created records.
There are many ways to reproduce this problem, but one of the
easiest is the following (assuming auditd is running):
# mkdir /root/tmp/test
# touch /root/tmp/test/567
# auditctl -a always,exit -F dir=/root/tmp/test
# touch /root/tmp/test/567
Afterwards, or while the commands above are running, check the audit
log and pay special attention to the PATH records. A faulty kernel
will display something like the following for the file creation:
type=SYSCALL msg=audit(
success=yes exit=3 ... comm="touch" exe="/usr/
type=CWD msg=audit(
type=PATH msg=audit(
type=PATH msg=audit(
type=PATH msg=audit(
While a patched kernel will show the following:
type=SYSCALL msg=audit(
success=yes exit=3 ... comm="touch" exe="/usr/
type=CWD msg=audit(
type=PATH msg=audit(
type=PATH msg=audit(
This issue was brought up by a number of people, but special credit
should go to <email address hidden> for reporting the problem along
with an explanation of the problem and a patch. While the original
patch did have some problems (see the archive link below), it did
demonstrate the problem and helped kickstart the fix presented here.
* https:/
Reported-by: hujianyang <email address hidden>
Signed-off-by: Paul Moore <email address hidden>
Acked-by: Richard Guy Briggs <email address hidden>
$ git describe --contains 4a92843601ad0f5
v3.19-rc2~7^2~1
[Test case]
- Install any kernel from 3.13 through 3.19-rc2
- sudo apt-get install -y auditd
- sudo vim /etc/audit/
-D
-b 1024
-w /etc/ -p wa -k system_
-w /usr/bin -p wa -k system_
-w /usr/sbin -p wa -k system_
-w /bin/ -p wa -k system_
-w /usr/bin/sudo -F auid!=nova -F uid!=nova -F auid!=neutron -F uid!=neutron -F auid!=cinder -F uid!=cinder -F auid!=zabbix -F uid!=zabbix -p x -k privilege_
-w /bin/su -p x -k privilege_
-w /bin/mount -p x -k filesystem_
-w /bin/umount -p x -k filesystem_
-w /bin/chown -p x -k filesystem_
-w /bin/chgrp -p x -k filesystem_
-w /bin/chmod -p x -k filesystem_
-w /var/log -p wra -F auid>10000 -F auid!=4294967295 -k system_logs_access
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S clock_settime -k time-change_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S clock_settime -k time-change_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S chroot -S mount -S umount2 -k filesystem_
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S chroot -S mount -S umount2 -k filesystem_
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S kill -S tkill -S tgkill -k process_
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S kill -S tkill -S tgkill -k process_
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b64 -S execve -k audit_trail
-a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b32 -S execve -k audit_trail
- sudo vim /etc/audit/
log_format = RAW
priority_boost = 3
disp_qos = lossless
dispatcher = /sbin/audispd
name_format = hostname
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_
disk_full_action = SYSLOG
disk_error_action = SYSLOG
- sudo su
- # echo "lalala" >> /etc/testfile
- Open another console: $ sudo tail -f /var/log/
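A small checker for the symptom above, added here as an example and not part of the original report or the kernel fix: it groups auditd/audispd lines by event id and flags PATH records that carry an inode but no usable name (a faulty kernel leaves the name unset, so the log shows no name field or name=(null); both forms are treated as unnamed). The log lines are constructed to mirror the truncated ones in the report, so the event ids, inodes and field values are sample data.

```python
import re
from collections import defaultdict

# Constructed sample audispd lines (not from the original report), in the same
# shape as the truncated ones above: one event from a buggy kernel, whose PATH
# record for the modified file has an inode but no usable name, and one from a
# fixed kernel, where the same file is recorded as /etc/testfile.
SAMPLE_LOG = """\
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL msg=audit(1421293104.101:2001): arch=c000003e syscall=2 success=yes exit=3 comm="bash" exe="/bin/bash"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD msg=audit(1421293104.101:2001): cwd="/root"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421293104.101:2001): item=0 name="/etc/" inode=1048577 dev=08:01 mode=040755 nametype=PARENT
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421293104.101:2001): item=1 name=(null) inode=1582123 dev=08:01 mode=0100644 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=EOE msg=audit(1421293104.101:2001):
<14>Jan 15 11:40:36 node-7 audispd: node=node-7 type=SYSCALL msg=audit(1421293236.555:2002): arch=c000003e syscall=2 success=yes exit=3 comm="bash" exe="/bin/bash"
<14>Jan 15 11:40:36 node-7 audispd: node=node-7 type=CWD msg=audit(1421293236.555:2002): cwd="/root"
<14>Jan 15 11:40:36 node-7 audispd: node=node-7 type=PATH msg=audit(1421293236.555:2002): item=0 name="/etc/testfile" inode=1582123 dev=08:01 mode=0100644 nametype=NORMAL
<14>Jan 15 11:40:36 node-7 audispd: node=node-7 type=EOE msg=audit(1421293236.555:2002):
"""

RECORD_RE = re.compile(r'type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\):(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_records(text):
    """Group audit lines by event id (timestamp:serial) into lists of (type, fields)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
        events[m.group('event')].append((m.group('type'), fields))
    return events

def unnamed_path_records(text):
    """Return {event_id: [inode, ...]} for PATH records with an inode but no usable name.

    A buggy kernel either omits name= or prints name=(null); either way the record
    cannot be tied back to a watched path without a separate inode lookup.
    """
    findings = {}
    for event, records in parse_records(text).items():
        inodes = [f.get('inode') for t, f in records
                  if t == 'PATH' and f.get('name') in (None, '(null)')]
        if inodes:
            findings[event] = inodes
    return findings

if __name__ == '__main__':
    for event, inodes in unnamed_path_records(SAMPLE_LOG).items():
        print(event, 'PATH records without a name, inodes:', inodes)
```

Run against a real /var/log/audit/audit.log after the test case above, a non-empty result means the kernel still writes the incomplete records; a fixed kernel returns an empty dict.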
Changed in linux (Ubuntu): assignee: nobody → Gavin Guo (mimi0213kimo)
Changed in linux (Ubuntu Trusty): status: New → Fix Committed
Changed in linux (Ubuntu Utopic): status: New → Fix Committed
Changed in linux (Ubuntu Vivid): status: Incomplete → Fix Released
tags: added: verification-done-trusty removed: verification-needed-trusty
tags: added: verification-done-utopic removed: verification-needed-utopic
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1439441
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.