[Kernel-packages] [Bug 1158500] Re: auditd fails to add rules when used in precise with -lts-quantal kernel

Tyler Hicks Thu, 06 Feb 2014 14:12:39 -0800

I built Saucy's audit package for Precise and ran it under the -lts-
saucy kernel. When running the auditctl command in the bug description,
it emitted the following warning:


  Warning - entry rules deprecated, changing to exit rule

Starting with kernel version 3.3, the audit kernel code refuses
entry,always rules. Starting with audit version 2.0, auditctl converts
entry,always rules to exit,always rules.

The fix seems to be to backport upstream audit commits 300, 301, and 307
to Precise's audit package to make auditctl convert entry,always rules
to exit,always.

** Changed in: audit (Ubuntu)
   Importance: Undecided => Medium

** Changed in: audit (Ubuntu)
       Status: Confirmed => Triaged

** Changed in: audit (Ubuntu)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1158500

Title:
  auditd fails to add rules when used in precise with -lts-quantal
  kernel

Status in “audit” package in Ubuntu:
  Triaged
Status in “linux” package in Ubuntu:
  Invalid

Bug description:
  auditctl fails to add rules when run with the -lts-quantal kernel

  Eample:
  # auditctl -l
  No rules
  # auditctl -a entry,always -F arch=b64 -S execve -k exec
  Error sending add rule data request (Invalid argument)
  #

  Looks like the syscall table needs updating, it works with the 3.2.0
  kernel.

  Tagging this as a security vulnerability because it fails fairly
  quietly and may lead to high security systems not having required
  auditing (like PCI compliant systems), I only noticed by looking in
  /var/log/boot.log.

  Description:  Ubuntu 12.04.2 LTS
  Release:      12.04

  ii  auditd                             1.7.18-1ubuntu1                    
User space tools for security auditing
  ii  linux-image-generic-lts-quantal    3.5.0.26.33                        
Generic Linux kernel image

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1158500/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1158500] Re: auditd fails to add rules when used in precise with -lts-quantal kernel

Reply via email to