RHEL-62333

ausearch checkpoint code incorrectly records an inode value as a 32 bit quantity

    • Bug
    • Resolution: Unresolved
    • rhel-10.0
    • rhel-8.1.0
    • audit
    • rhel-sst-security-special-projects
    • ssg_security
    • 26
    • 1
    • False
    • No
    • Red Hat Enterprise Linux
    • SECENGSP Cycle 14
    • Unspecified Release Note Type - Unknown
    • All
    • None

      What were you trying to do that didn't work?

      Running ausearch with the checkpoint option where the inodes for files in /var/log/auditd are greater than an unsigned 32 bit value.

      What is the impact of this issue to you?

      Checkpointing of audit fails and impacts my ability to send auditd events to a central SIEM.

      Please provide the package NVR for which the bug is seen:

      How reproducible is this bug?:

      Always, once the inodes for files in /var/log/audit exceed unsigned 32 bit values.

      Steps to reproduce

      1. Ensure file system holding /var/log/audit creates inodes with values > 2^32
      2. Run ausearch with checkpoint option and look at the inode value stored in the checkpoint file versus the actual inode value of the last file used in /var/log/audit

      Expected results

      The correct inode is stored in the checkpoint file

      Actual results

      An incorrect inode is stored in the checkpoint file.
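
The truncation described in this report, shown as an added C example that is not the audit project's code: the `inode=0x...` record format and all function names are assumptions made for illustration, and `uint64_t` stands in for `ino_t`. It writes an inode through a 32-bit and a 64-bit path and reads each record back, so the stored value can be compared with the on-disk one.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record format "inode=0x<hex>"; an assumption, not the real file layout.
 * uint64_t stands in for ino_t, which is 64 bits wide on 64-bit Linux. */

/* Narrow writer: the cast to 32 bits silently drops the upper half of the inode. */
static void save_inode_32(char *buf, size_t len, uint64_t ino)
{
    snprintf(buf, len, "inode=0x%" PRIX32 "\n", (uint32_t)ino);
}

/* Wide writer: formats the full 64-bit value. */
static void save_inode_64(char *buf, size_t len, uint64_t ino)
{
    snprintf(buf, len, "inode=0x%" PRIX64 "\n", ino);
}

/* Reader: parses the record into a 64-bit value; returns 0 on success, -1 otherwise. */
static int load_inode(const char *buf, uint64_t *ino)
{
    return sscanf(buf, "inode=0x%" SCNx64, ino) == 1 ? 0 : -1;
}

/* Writes a record for `ino`, reads it back, and returns the value a later run would see. */
uint64_t roundtrip(uint64_t ino, int wide)
{
    char rec[64];
    uint64_t stored = 0;

    if (wide)
        save_inode_64(rec, sizeof rec, ino);
    else
        save_inode_32(rec, sizeof rec, ino);
    return load_inode(rec, &stored) == 0 ? stored : 0;
}

int main(void)
{
    /* Constructed sample inodes: one below and one above the 32-bit limit. */
    const uint64_t samples[] = { 0x1234, 0x100000002ULL };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("disk=0x%" PRIX64 " narrow=0x%" PRIX64 " wide=0x%" PRIX64 "\n",
               samples[i], roundtrip(samples[i], 0), roundtrip(samples[i], 1));
    return 0;
}
```

The narrow path round-trips correctly for small inodes, which is why the defect stays hidden until the file system hands out inode numbers above the 32-bit range.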

              rh-ee-alakatos Attila Lakatos
              burn.alting1@defence.gov.au Burn Alting (Inactive)
              Sergio Correia
              SSG Security QE