Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: rhel-9.5
Affects Version/s: rhel-9.0.0
Component/s: audit
Labels:
- MigratedToJIRA
- Patch

Fixed in Build:
audit-3.1.5-1.el9
Regression:
None
Severity:
Important
Epic Link:
SECENGSP-5641
sprint_count:
2

Pool Team:

rhel-sst-security-special-projects
Sub-System Group:

ssg_security

Internal Target Milestone:
26
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
SECENGSP Cycle 6, SECENGSP Cycle 7

Acceptance Criteria:
- automated test will PASS
Preliminary Testing:
Pass
Testable Builds:
https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=4395374
Errata Link:
https://errata.engineering.redhat.com/advisory/137108
Test Coverage:
None

Release Note Type:
Bug Fix
Release Note Text:

Hide
.Audit rules for `/proc` are now correctly loaded during the boot

Before this update, the system failed to load Audit watch rules for the `/proc` directory during the boot phase. Consequently, the administrator had to load the rules manually later, and the rules were not applied during the boot. The bug has been fixed, and the system now loads the Audit rules related to `/proc` during the boot phase.

Show
.Audit rules for `/proc` are now correctly loaded during the boot Before this update, the system failed to load Audit watch rules for the `/proc` directory during the boot phase. Consequently, the administrator had to load the rules manually later, and the rules were not applied during the boot. The bug has been fixed, and the system now loads the Audit rules related to `/proc` during the boot phase.
Release Note Status:
Done

Experience:
Architecture:

x86_64
Bugzilla Bug:
RHBZ: 2140726

PX Impact Score:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description of problem:

Audit rules for "-F dir=/proc" fails to load on boot, the rules works if loaded manually later.
This behavior differs from RHEL 7 (the rules for /proc are loaded correctly on boot)

Version-Release number of selected component (if applicable):

audit-3.0.7-101.el9_0.2.x86_64

How reproducible:

Always

Steps to Reproduce:
1. # vi /etc/audit/rules.d/test.rules
-a never,exit -F arch=b32 -F dir=/proc -S fchmodat
2. # reboot
3. # auditctl -l

Actual results:

auditctl -l
No rules.

Expected results:

auditctl -l
-a never,exit -F arch=b32 -S fchmodat -F dir=/proc

Additional info:

The list of syscalls is actually quite extensive, the same behavior occurs with any syscall we tested, it does not occur if we use a different "-F dir=" value, this behavior is only present on /proc so far.
Another detail, if we run auditd with -f, we can see below log record on system boot's journal:

auditd[xxx]: type=CONFIG_CHANGE msg=audit(xxxxxxxxxx.xxx:xxx): op=remove_rule dir="/proc" key=(null) list=4 res=1

Juan Gamba
Principal Technical Support Engineer
Red Hat - Support Delivery

external trackers

Github linux-audit/audit-userspace/commit/2f631c32

Red Hat Customer Portal 03354606

Red Hat Issue Tracker RHELPLAN-138562

Red Hat Issue Tracker SECENGSP-4866

links to

RHBA-2024:137108 audit update

TCMS test case 617714

mentioned on

Merge request - Test coverage for RHEL-5197, RHEL-5186, RHEL-40110, RHEL-40243