[Kernel-packages] [Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
This bug was fixed in the package linux - 3.16.0-36.48

---
linux (3.16.0-36.48) utopic; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug - LP: #1443946
  * Merged back Ubuntu-3.16.0-34.47 security release

linux (3.16.0-35.46) utopic; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug - LP: #1442324

  [ Andy Whitcroft ]

  * [Config] CONFIG_DEFAULT_MMAP_MIN_ADDR needs to match on armhf and arm64 - LP: #1418140

  [ Chris J Arges ]

  * [Config] CONFIG_PCIEASPM_DEBUG=y - LP: #1398544

  [ dann frazier ]

  * [Config] CONFIG_RTC_DRV_EFI=y on arm64 - LP: #1441291

  [ Upstream Kernel Changes ]

  * Revert "USB: serial: make bulk_out_size a lower limit" - LP: #1441317
  * Revert "i2c: core: Dispose OF IRQ mapping at client removal time" - LP: #1441317
  * Revert "net: cx82310_eth: use common match macro" - LP: #1441317
  * KEYS: request_key() should reget expired keys rather than give EKEYEXPIRED - LP: #1124250
  * drm/i915/bdw: 3D_CHICKEN3 has write mask bits - LP: #1374389
  * drm/i915: call lpt_init_clock_gating on BDW too - LP: #1374389
  * drm/i915/bdw: Apply workarounds in render ring init function - LP: #1374389
  * drm/i915/bdw: Cleanup pre prod workarounds - LP: #1374389
  * drm/i915: Refactor Broadwell PIPE_CONTROL emission into a helper. - LP: #1374389
  * drm/i915: Add the WaCsStallBeforeStateCacheInvalidate:bdw workaround. - LP: #1374389
  * drm/i915/bdw: Remove BDW preproduction W/As until C stepping. - LP: #1374389
  * drm/i915: Rework GPU reset sequence to match driver load & thaw - LP: #1384469
  * drm/ast: switch to using CACHED by default for sysram - LP: #1420627
  * drm/ast: Add missing entry to dclk_table[] - LP: #1420627
  * drm/ast: Add reduced blanking modes for wide screen mode - LP: #1420627
  * drm/ast: Try to use MMIO registers when PIO isn't supported - LP: #1420627
  * drm/ast: POST chip at probe time if VGA not enabled - LP: #1420627
  * drm/ast: Properly initialize P2A base before using it in ast_init_3rdtx() - LP: #1420627
  * drm/ast: Don't assume DVO enabled means SIL164 on uninitialized chips - LP: #1420627
  * drm/ast: Cleanup analog init code path - LP: #1420627
  * audit: correctly record file names with different path name types - LP: #1439441
  * of: Create of_console_check() for selecting a console specified in /chosen - LP: #1438585
  * of: Enable console on serial ports specified by /chosen/stdout-path - LP: #1438585
  * of: correct of_console_check()'s return value - LP: #1438585
  * of: Add bindings for chosen node, stdout-path - LP: #1438585
  * of: add optional options parameter to of_find_node_by_path() - LP: #1438585
  * of: support passing console options with stdout-path - LP: #1438585
  * netfilter: nf_tables: disable preemption when restoring chain counters - LP: #1441317
  * netfilter: nf_tables: fix leaks in error path of nf_tables_newchain() - LP: #1441317
  * ipvs: rerouting to local clients is not needed anymore - LP: #1441317
  * netfilter: nft_compat: fix module refcount underflow - LP: #1441317
  * netfilter: xt_socket: fix a stack corruption bug - LP: #1441317
  * ipvs: add missing ip_vs_pe_put in sync code - LP: #1441317
  * flowcache: Fix kernel panic in flow_cache_flush_task - LP: #1441317
  * pktgen: fix UDP checksum computation - LP: #1441317
  * rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY - LP: #1441317
  * tcp: make sure skb is not shared before using skb_get() - LP: #1441317
  * ipv6: fix ipv6_cow_metrics for non DST_HOST case - LP: #1441317
  * rtnetlink: call ->dellink on failure when ->newlink exists - LP: #1441317
  * gen_stats.c: Duplicate xstats buffer for later use - LP: #1441317
  * ipv4: ip_check_defrag should correctly check return value of skb_copy_bits - LP: #1441317
  * ipv4: ip_check_defrag should not assume that skb_network_offset is zero - LP: #1441317
  * net: phy: Fix verification of EEE support in phy_init_eee - LP: #1441317
  * ematch: Fix auto-loading of ematch modules. - LP: #1441317
  * openvswitch: Fix net exit. - LP: #1441317
  * net: reject creation of netdev names with colons - LP: #1441317
  * team: fix possible null pointer dereference in team_handle_frame - LP: #1441317
  * net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg - LP: #1441317
  * macvtap: make sure neighbour code can push ethernet header - LP: #1441317
  * usb: plusb: Add support for National Instruments host-to-host cable - LP: #1441317
  * udp: only allow UFO for packets from SOCK_DGRAM sockets - LP: #1441317
  * net: ping: Return EAFNOSUPPORT when appropriate. - LP: #1441317
  * team: don't traverse port list using rcu in team_set_mac_address - LP: #1441317
  * ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec - LP: #1441317
[Kernel-packages] [Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
This bug was fixed in the package linux - 3.13.0-51.84

---
linux (3.13.0-51.84) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug - LP: #1444141
  * Merged back Ubuntu-3.13.0-49.83 security release

linux (3.13.0-50.82) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug - LP: #1442285

  [ Andy Whitcroft ]

  * [Config] CONFIG_DEFAULT_MMAP_MIN_ADDR needs to match on armhf and arm64 - LP: #1418140

  [ Chris J Arges ]

  * [Config] CONFIG_PCIEASPM_DEBUG=y - LP: #1398544

  [ Upstream Kernel Changes ]

  * KEYS: request_key() should reget expired keys rather than give EKEYEXPIRED - LP: #1124250
  * audit: correctly record file names with different path name types - LP: #1439441
  * KVM: x86: Check for nested events if there is an injectable interrupt - LP: #1413540
  * be2iscsi: fix memory leak in error path - LP: #1440156
  * block: remove old blk_iopoll_enabled variable - LP: #1440156
  * be2iscsi: Fix handling timed out MBX completion from FW - LP: #1440156
  * be2iscsi: Fix doorbell format for EQ/CQ/RQ s per SLI spec. - LP: #1440156
  * be2iscsi: Fix the session cleanup when reboot/shutdown happens - LP: #1440156
  * be2iscsi: Fix scsi_cmnd leakage in driver. - LP: #1440156
  * be2iscsi : Fix DMA Out of SW-IOMMU space error - LP: #1440156
  * be2iscsi: Fix retrieving MCCQ_WRB in non-embedded Mbox path - LP: #1440156
  * be2iscsi: Fix exposing Host in sysfs after adapter initialization is complete - LP: #1440156
  * be2iscsi: Fix interrupt Coalescing mechanism. - LP: #1440156
  * be2iscsi: Fix TCP parameters while connection offloading. - LP: #1440156
  * be2iscsi: Fix memory corruption in MBX path - LP: #1440156
  * be2iscsi: Fix destroy MCC-CQ before MCC-EQ is destroyed - LP: #1440156
  * be2iscsi: add an missing goto in error path - LP: #1440156
  * be2iscsi: remove potential junk pointer free - LP: #1440156
  * be2iscsi: Fix memory leak in mgmt_set_ip() - LP: #1440156
  * be2iscsi: Fix the sparse warning introduced in previous submission - LP: #1440156
  * be2iscsi: Fix updating the boot enteries in sysfs - LP: #1440156
  * be2iscsi: Fix processing CQE before connection resources are freed - LP: #1440156
  * be2iscsi : Fix kernel panic during reboot/shutdown - LP: #1440156
  * fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit. - LP: #1440156
  * quota: Store maximum space limit in bytes - LP: #1441284
  * ip: zero sockaddr returned on error queue - LP: #1441284
  * net: rps: fix cpu unplug - LP: #1441284
  * ipv6: stop sending PTB packets for MTU < 1280 - LP: #1441284
  * netxen: fix netxen_nic_poll() logic - LP: #1441284
  * udp_diag: Fix socket skipping within chain - LP: #1441284
  * ping: Fix race in free in receive path - LP: #1441284
  * bnx2x: fix napi poll return value for repoll - LP: #1441284
  * net: don't OOPS on socket aio - LP: #1441284
  * bridge: dont send notification when skb->len == 0 in rtnl_bridge_notify - LP: #1441284
  * ipv4: tcp: get rid of ugly unicast_sock - LP: #1441284
  * ppp: deflate: never return len larger than output buffer - LP: #1441284
  * net: sctp: fix passing wrong parameter header to param_type2af in sctp_process_param - LP: #1441284
  * ARM: pxa: add regulator_has_full_constraints to corgi board file - LP: #1441284
  * ARM: pxa: add regulator_has_full_constraints to poodle board file - LP: #1441284
  * ARM: pxa: add regulator_has_full_constraints to spitz board file - LP: #1441284
  * hx4700: regulator: declare full constraints - LP: #1441284
  * HID: input: fix confusion on conflicting mappings - LP: #1441284
  * HID: fixup the conflicting keyboard mappings quirk - LP: #1441284
  * megaraid_sas: disable interrupt_mask before enabling hardware interrupts - LP: #1441284
  * PCI: Generate uppercase hex for modalias var in uevent - LP: #1441284
  * usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN - LP: #1441284
  * tty/serial: at91: enable peripheral clock before accessing I/O registers - LP: #1441284
  * tty/serial: at91: fix error handling in atmel_serial_probe() - LP: #1441284
  * axonram: Fix bug in direct_access - LP: #1441284
  * ksoftirqd: Enable IRQs and call cond_resched() before poking RCU - LP: #1441284
  * TPM: Add new TPMs to the tail of the list to prevent inadvertent change of dev - LP: #1441284
  * char: tpm: Add missing error check for devm_kzalloc - LP: #1441284
  * tpm_tis: verify interrupt during init - LP: #1441284
  * tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma - LP: #1441284
  * tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send - LP: #1441284
  * tpm/tpm_i2c_stm_st33: Add status check when reading data on the FIFO - LP: #1441284
  * mmc: sdhci-pxa
[Kernel-packages] [Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
** Tags removed: verification-needed-utopic
** Tags added: verification-done-utopic

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1439441

Title:
  Kernel provides incomplete audit information when an existing monitored file is modified

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux source package in Vivid:
  Fix Released

Bug description:
  [Impact]
  The audit system cannot identify the correct path of the monitored file. The trusty kernel and utopic kernel both suffer the bug.

  root@node-7:~# echo "lalala" >> /etc/testfile

  "sudo tail -f /var/log/audit/audit.log" results in the following auditd entry:

  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL msg=audit(1421321904.615:60229): arch=c03e syscall=2 success=yes exit=3 a0=1dcbd88 a1=441 a2=1b6 a3=73cc0458 items=3 ppid=49217 pid=49233 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=271 tty=pts13 comm="bash" exe="/bin/bash" key="system_configuration_change"
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD msg=audit(1421321904.615:60229): cwd="/root"
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=0 name="/etc/" inode=1572865 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=1 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=2 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=EOE msg=audit(1421321904.615:60229):

  The file modified is referenced only by inode: 1582123.

  With a non-buggy kernel (e.g. 3.2.0-72-generic) the output is:

  root@atlas:/tmp# echo "lalal" >> /etc/testfile

  "sudo tail -f /var/log/audit/audit.log" produces the following output:

  Jan 15 11:40:36 localhost audispd: node=atlas type=SYSCALL msg=audit(1421322036.194:6825): arch=c03e syscall=2 success=yes exit=3 a0=24ac028 a1=441 a2=1b6 a3=7fff7ddaefe8 items=1 ppid=18562 pid=18570 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=410 comm="bash" exe="/bin/bash" key="system_configuration_change"
  Jan 15 11:40:36 localhost audispd: node=atlas type=CWD msg=audit(1421322036.194:6825): cwd="/tmp"
  Jan 15 11:40:36 localhost audispd: node=atlas type=PATH msg=audit(1421322036.194:6825): item=0 name="/etc/testfile" inode=159619 dev=fd:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
  Jan 15 11:40:36 localhost audispd: node=atlas type=EOE msg=audit(1421322036.194:6825):

  [Fix]
  commit 4a92843601ad0f5067f441d2f0dca55bbe18c076
  Author: Paul Moore
  Date:   Mon Dec 22 12:27:39 2014 -0500

      audit: correctly record file names with different path name types

      There is a problem with the audit system when multiple audit records are created for the same path, each with a different path name type. The root cause of the problem is in __audit_inode() when an exact match (both the path name and path name type) is not found for a path name record; the existing code creates a new path name record, but it never sets the path name in this record, leaving it NULL. This patch corrects this problem by assigning the path name to these newly created records.

      There are many ways to reproduce this problem, but one of the easiest is the following (assuming auditd is running):

        # mkdir /root/tmp/test
        # touch /root/tmp/test/567
        # auditctl -a always,exit -F dir=/root/tmp/test
        # touch /root/tmp/test/567

      Afterwards, or while the commands above are running, check the audit log and pay special attention to the PATH records. A faulty kernel will display something like the following for the file creation:

        type=SYSCALL msg=audit(1416957442.025:93): arch=c03e syscall=2 success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
        type=CWD msg=audit(1416957442.025:93): cwd="/root/tmp"
        type=PATH msg=audit(1416957442.025:93): item=0 name="test/" inode=401409 ... nametype=PARENT
        type=PATH msg=audit(1416957442.025:93): item=1 name=(null) inode=393804 ... nametype=NORMAL
        type=PATH msg=audit(1416957442.025:93): item=2 name=(null) inode=393804 ... nametype=NORMAL

      While a patched kernel will show the following:

        type=SYSCALL msg=audit(1416955786.566:89): arch=c03e syscall=2 success=yes exit=3 ... comm="touch" exe="/usr/bin/
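The practical consequence for anyone reviewing logs from an affected kernel is that a write to a watched file shows up as a PATH record with name=(null), and only the (dev, inode) pair survives. The following checker is an added example for this bug report; it is not code from the report, from auditd, or from the kernel patch. It parses raw audit records in the layout quoted above (with or without the syslog/audispd prefix, which is an assumption about the input), groups them by event serial, and flags every event in which a PATH record carries name=(null), collecting the inode references a reviewer would still have to resolve by hand. The embedded sample log is constructed from the two events quoted in the bug description.

```python
"""Spot audit events whose PATH records lost their file name (name=(null)).

Added example for Launchpad bug 1439441; not part of the bug report, auditd,
or the kernel patch. It parses raw audit records, groups them by event serial
and reports events where a PATH record has name=(null) even though the
SYSCALL record reports success. On an affected kernel such an event names the
written file only by (dev, inode), so the finding collects those pairs for
out-of-band resolution.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
# Syslog/audispd prefix as seen in the report ('<14>Jan 15 ... audispd: ').
# Assumption: every prefixed line routes through audispd.
PREFIX_RE = re.compile(r'^.*?audispd:\s*')

# Constructed sample: the faulty-kernel event (serial 60229) and the healthy
# 3.2-kernel event (serial 6825), copied from the bug description.
SAMPLE_LOG = """\
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL msg=audit(1421321904.615:60229): arch=c03e syscall=2 success=yes exit=3 a0=1dcbd88 a1=441 a2=1b6 a3=73cc0458 items=3 ppid=49217 pid=49233 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=271 tty=pts13 comm="bash" exe="/bin/bash" key="system_configuration_change"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD msg=audit(1421321904.615:60229): cwd="/root"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=0 name="/etc/" inode=1572865 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=1 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=2 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=EOE msg=audit(1421321904.615:60229):
Jan 15 11:40:36 localhost audispd: node=atlas type=SYSCALL msg=audit(1421322036.194:6825): arch=c03e syscall=2 success=yes exit=3 a0=24ac028 a1=441 a2=1b6 a3=7fff7ddaefe8 items=1 ppid=18562 pid=18570 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=410 comm="bash" exe="/bin/bash" key="system_configuration_change"
Jan 15 11:40:36 localhost audispd: node=atlas type=CWD msg=audit(1421322036.194:6825): cwd="/tmp"
Jan 15 11:40:36 localhost audispd: node=atlas type=PATH msg=audit(1421322036.194:6825): item=0 name="/etc/testfile" inode=159619 dev=fd:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
Jan 15 11:40:36 localhost audispd: node=atlas type=EOE msg=audit(1421322036.194:6825):
"""


def parse_record(line):
    """Parse one audit record into {'type', 'time', 'serial', 'fields'}.

    Quoted values lose their quotes; unquoted values such as (null) or 08:03
    are kept verbatim. Returns None for lines that are not audit records.
    """
    line = PREFIX_RE.sub('', line.strip())
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if key == 'msg':  # the audit(ts:serial) token, already handled above
            continue
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return {'type': fields.pop('type', '?'), 'time': float(m.group(1)),
            'serial': int(m.group(2)), 'fields': fields}


def group_events(log_text):
    """Group records by event serial number, in order of first appearance."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec['serial']].append(rec)
    return events


def find_nameless_paths(log_text):
    """Return one finding per event that has a PATH record with name=(null).

    A finding keeps what the SYSCALL record still tells us (syscall number,
    exe, rule key, success), how many of the 'items=N' PATH records carried
    a name, and the distinct (dev, inode) pairs that did not.
    """
    findings = []
    for serial, recs in group_events(log_text).items():
        syscall = next((r['fields'] for r in recs if r['type'] == 'SYSCALL'), {})
        paths = [r['fields'] for r in recs if r['type'] == 'PATH']
        nameless = [p for p in paths if p.get('name') == '(null)']
        if not nameless:
            continue
        findings.append({
            'serial': serial,
            'syscall': syscall.get('syscall'),
            'exe': syscall.get('exe'),
            'key': syscall.get('key'),
            'success': syscall.get('success') == 'yes',
            'items_expected': int(syscall.get('items', 0)),
            'items_named': sum(1 for p in paths
                               if p.get('name') not in (None, '(null)')),
            'nameless_items': sorted({(p.get('dev'), p.get('inode'))
                                      for p in nameless}),
        })
    return findings


if __name__ == '__main__':
    for f in find_nameless_paths(SAMPLE_LOG):
        print('event %d: %s syscall=%s key=%s named %d/%d PATH items; '
              'unnamed (dev, inode): %s' % (
                  f['serial'], f['exe'], f['syscall'], f['key'],
                  f['items_named'], f['items_expected'], f['nameless_items']))
```

Run against the sample, only event 60229 is reported: one of its three PATH items is named (the /etc/ parent) and the other two both point at inode 1582123 on dev 08:03, which is exactly the "referenced only by inode" situation the report describes. The healthy 3.2 event passes because its single PATH item carries the full path. The same function can be pointed at a real /var/log/audit/audit.log to measure how many events on a given host were affected before the fixed kernel was deployed.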
[Kernel-packages] [Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty
[Kernel-packages] [Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-utopic' to 'verification-done-utopic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!
[Kernel-packages] [Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: verification-needed-trusty
** Tags added: verification-needed-utopic
[Kernel-packages] [Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
** Changed in: linux (Ubuntu Trusty)
       Status: New => Fix Committed

** Changed in: linux (Ubuntu Utopic)
       Status: New => Fix Committed

** Also affects: linux (Ubuntu Vivid)
   Importance: Undecided
     Assignee: Gavin Guo (mimi0213kimo)
       Status: Incomplete

** Changed in: linux (Ubuntu Vivid)
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1439441

Title:
  Kernel provides incomplete audit information when an existing
  monitored file is modified

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux source package in Vivid:
  Fix Released

Bug description:
  [Impact]
  The audit system cannot identify the correct path of the monitored file.
  The trusty kernel and utopic kernel both suffer the bug.

  root@node-7:~# echo "lalala" >> /etc/testfile

  "sudo tail -f /var/log/audit/audit.log" results in the following auditd entry:

  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL msg=audit(1421321904.615:60229): arch=c03e syscall=2 success=yes exit=3 a0=1dcbd88 a1=441 a2=1b6 a3=73cc0458 items=3 ppid=49217 pid=49233 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=271 tty=pts13 comm="bash" exe="/bin/bash" key="system_configuration_change"
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD msg=audit(1421321904.615:60229): cwd="/root"
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=0 name="/etc/" inode=1572865 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=1 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=2 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=EOE msg=audit(1421321904.615:60229):

  The file modified is referenced only by inode: 1582123

  With a non-buggy kernel (e.g. 3.2.0-72-generic) the output is:

  root@atlas:/tmp# echo "lalal" >> /etc/testfile

  "sudo tail -f /var/log/audit/audit.log" produces the following output:

  Jan 15 11:40:36 localhost audispd: node=atlas type=SYSCALL msg=audit(1421322036.194:6825): arch=c03e syscall=2 success=yes exit=3 a0=24ac028 a1=441 a2=1b6 a3=7fff7ddaefe8 items=1 ppid=18562 pid=18570 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=410 comm="bash" exe="/bin/bash" key="system_configuration_change"
  Jan 15 11:40:36 localhost audispd: node=atlas type=CWD msg=audit(1421322036.194:6825): cwd="/tmp"
  Jan 15 11:40:36 localhost audispd: node=atlas type=PATH msg=audit(1421322036.194:6825): item=0 name="/etc/testfile" inode=159619 dev=fd:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
  Jan 15 11:40:36 localhost audispd: node=atlas type=EOE msg=audit(1421322036.194:6825):

  [Fix]
  commit 4a92843601ad0f5067f441d2f0dca55bbe18c076
  Author: Paul Moore
  Date:   Mon Dec 22 12:27:39 2014 -0500

      audit: correctly record file names with different path name types

      There is a problem with the audit system when multiple audit records
      are created for the same path, each with a different path name type.
      The root cause of the problem is in __audit_inode() when an exact
      match (both the path name and path name type) is not found for a path
      name record; the existing code creates a new path name record, but it
      never sets the path name in this record, leaving it NULL. This patch
      corrects this problem by assigning the path name to these newly
      created records.

      There are many ways to reproduce this problem, but one of the easiest
      is the following (assuming auditd is running):

        # mkdir /root/tmp/test
        # touch /root/tmp/test/567
        # auditctl -a always,exit -F dir=/root/tmp/test
        # touch /root/tmp/test/567

      Afterwards, or while the commands above are running, check the audit
      log and pay special attention to the PATH records. A faulty kernel
      will display something like the following for the file creation:

        type=SYSCALL msg=audit(1416957442.025:93): arch=c03e syscall=2 success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
        type=CWD msg=audit(1416957442.025:93): cwd="/root/tmp"
        type=PATH msg=audit(1416957442.025:93): item=0 name="test/" inode=401409 ... nametype=PARENT
        type=PATH msg=audit(1416957442.025:93): item=1 name=(null) inode=393804 ... nametype=NORMAL
        type=PATH msg=audit(1416957442.02
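The commit message above describes the mechanism in __audit_inode(): a path name record is looked up by name and by record type, and when no record matches both, a fresh record is allocated without a name. The following is a simplified Python model of that bookkeeping, written for this page; it is not kernel code (the real logic is __audit_inode() in kernel/auditsc.c and covers many more cases). The names AuditName, audit_getname, audit_inode, parent_len, render and append_to_existing_file are this example's own, chosen after the kernel functions they stand in for, and the inode numbers are the ones quoted in the report's sample output. The model is reduced to two __audit_inode() calls, one for the parent directory and one for the file, which is enough to produce the name=(null) record; the report's third, duplicate record is not reproduced.

```python
"""Model of the audit path-name record lookup that commit 4a92843601ad fixes.
Illustration code for this page, not kernel code."""
from dataclasses import dataclass
from typing import List, Optional

PARENT, NORMAL, UNKNOWN = "PARENT", "NORMAL", "UNKNOWN"
NAME_FULL = -1  # stands in for AUDIT_NAME_FULL: the whole string is reported


@dataclass
class AuditName:
    name: Optional[str]          # None is what the PATH record prints as name=(null)
    ino: int = 0                 # 0: inode not resolved yet
    dev: str = ""
    type: str = UNKNOWN
    name_len: int = NAME_FULL    # PARENT records report only the directory prefix


def parent_len(path: str) -> int:
    """Length of the directory prefix, slash included ("/etc/" for "/etc/testfile")."""
    return path.rfind("/") + 1


def audit_getname(names: List[AuditName], path: str) -> AuditName:
    """Model of audit_getname(): the syscall's path string is recorded before any inode is known."""
    n = AuditName(name=path)
    names.append(n)
    return n


def audit_inode(names: List[AuditName], name: Optional[str], ino: int, dev: str,
                parent: bool, fixed: bool) -> AuditName:
    """Model of __audit_inode(): find the record matching both name and type, else allocate one.
    fixed=True selects the behaviour after the commit; fixed=False reproduces the bug."""
    for n in reversed(names):
        if n.ino:                                   # inode already known: compare inodes
            if n.ino != ino or n.dev != dev:
                continue
        elif n.name is not None:                    # inode unknown: compare the string
            if n.name != name:
                continue
        else:
            continue
        if parent and n.type in (PARENT, UNKNOWN):  # the record type must match as well
            break
        if not parent and n.type != PARENT:
            break
    else:
        # No record with both a matching name and a matching type: allocate a new one.
        n = AuditName(name=None)
        if fixed and name is not None:
            n.name = name        # the fix: reuse the name string instead of leaving it NULL
        names.append(n)
    n.ino, n.dev = ino, dev
    if parent:
        n.type = PARENT
        n.name_len = parent_len(n.name) if n.name is not None else NAME_FULL
    else:
        n.type = NORMAL
        n.name_len = NAME_FULL
    return n


def render(names: List[AuditName]) -> List[str]:
    """Render the records the way the PATH lines in the bug report show them."""
    out = []
    for item, n in enumerate(names):
        if n.name is None:
            shown = "(null)"
        elif n.name_len == NAME_FULL:
            shown = '"%s"' % n.name
        else:
            shown = '"%s"' % n.name[:n.name_len]
        out.append("item=%d name=%s inode=%d nametype=%s" % (item, shown, n.ino, n.type))
    return out


def append_to_existing_file(fixed: bool) -> List[str]:
    """Sequence modelled on `echo lalala >> /etc/testfile`: the path walk records the
    parent directory first, then the file.  Inode numbers are the ones quoted in the report."""
    names: List[AuditName] = []
    audit_getname(names, "/etc/testfile")
    # The only record matches by string and is still UNKNOWN, so it becomes the PARENT
    # record for /etc and from now on carries /etc's inode.
    audit_inode(names, "/etc/testfile", ino=1572865, dev="08:03", parent=True, fixed=fixed)
    # The file's inode matches nothing, so a new record is allocated; without the fix its
    # name stays NULL and the file is identified only by (dev, inode).
    audit_inode(names, "/etc/testfile", ino=1582123, dev="08:03", parent=False, fixed=fixed)
    return render(names)


if __name__ == "__main__":
    for label, fixed in (("faulty kernel", False), ("patched kernel", True)):
        print(label)
        for line in append_to_existing_file(fixed):
            print("  " + line)
```

Running it prints the PARENT record as name="/etc/" in both cases (the getname string cut at parent_len, which is also why the report's item=0 reads "/etc/" rather than "/etc/testfile"), and the file record as name=(null) for the faulty kernel and name="/etc/testfile" for the patched one.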
[Kernel-packages] [Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified

Tests of the following kernels fail:
linux-image-3.13.0-031300-generic_3.13.0-031300.201401192235_amd64.deb
linux-image-3.13.0-24-generic
linux-image-3.13.0-46-generic
linux-image-3.15.0-031500-generic_3.15.0-031500.201406131105_amd64.deb
linux-image-3.17.0-031700-generic_3.17.0-031700.201410060605_amd64.deb
linux-image-3.18.0-031800-generic_3.18.0-031800.201412071935_amd64.deb
linux-image-3.18.9-031809-generic_3.18.9-031809.201503080036_amd64.deb

Success:
linux-image-3.2.0-23-generic
linux-image-3.2.0-79-virtual
linux-image-3.19.0-031900rc2-generic_3.19.0-031900rc2.201412290135_amd64.deb
linux-image-3.19.0-031900rc4-generic_3.19.0-031900rc4.201501112135_amd64.deb
linux-image-3.19.0-031900-generic_3.19.0-031900.201502091451_amd64.deb
linux-image-4.0.0-04rc6-generic_4.0.0-04rc6.201503291935_amd64.deb

Bisect process:
linux-image-3.13.0-031300-generic_3.13.0-031300.201401192235_amd64.deb - fail
linux-image-3.13.0-24-generic - fail
linux-image-3.13.0-46-generic - fail
linux-image-3.15.0-031500-generic_3.15.0-031500.201406131105_amd64.deb - fail
linux-image-3.17.0-031700-generic_3.17.0-031700.201410060605_amd64.deb - fail
linux-image-3.18.0-031800-generic_3.18.0-031800.201412071935_amd64.deb - fail
linux-image-3.18.9-031809-generic_3.18.9-031809.201503080036_amd64.deb - fail
linux-image-3.19.0-031900rc1-generic_3.19.0-031900rc1.201412210135_amd64.deb - fail
linux-image-3.19.0-031900rc2-generic_3.19.0-031900rc2.201412290135_amd64.deb - success
linux-image-3.19.0-031900rc4-generic_3.19.0-031900rc4.201501112135_amd64.deb - success
linux-image-3.19.0-031900-generic_3.19.0-031900.201502091451_amd64.deb - success
linux-image-4.0.0-04rc6-generic_4.0.0-04rc6.201503291935_amd64.deb - success

Tue Mar 31 17:58:38 gavin@gavin-w530:~/os/work_kernel$ git log --pretty=oneline v3.19-rc1..v3.19-rc2 kernel/audit*
66b3f4f0a0fcc197a1e432c3d2134f5c6a5275b9 Merge branch 'upstream' of git://git.infradead.org/users/pcm
041d7b98ffe59c59fdd639931dea7d74f9aa9a59 audit: restore AUDIT_LOGINUID unset ABI
4a92843601ad0f5067f441d2f0dca55bbe18c076 audit: correctly record file names with different path name
54dc77d974a50147d6639dac6f59cb2c29207161 audit: use supplied gfp_mask from audit_buffer in kauditd_se
3640dcfa4fd00cd91d88bb86250bdb496f7070c0 audit: don't attempt to lookup PIDs when changing PID filter

Solution:
commit 4a92843601ad0f5067f441d2f0dca55bbe18c076
Author: Paul Moore
Date:   Mon Dec 22 12:27:39 2014 -0500

    audit: correctly record file names with different path name types

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1439441

Title:
  Kernel provides incomplete audit information when an existing
  monitored file is modified

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Trusty:
  New
Status in linux source package in Utopic:
  New
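The pass/fail criterion used in the bisect above is whether the PATH records for a monitored path-taking syscall still carry a name, or only an inode. The following checker, added for this page and not part of the bug report or of any kernel tooling, applies that criterion to audit.log lines: it parses PATH records regardless of the audispd/syslog prefix, groups them by event serial, and reports records whose name is (null). The function names (parse_path_records, unnamed_path_records, looks_affected) are this example's own; the two sample logs are constructed by trimming the lines quoted in the bug report.

```python
"""Check audit.log PATH records for the name=(null) symptom described in this bug.
Added for this page; not part of the bug report or the kernel."""
import re
import sys
from collections import defaultdict

# Matches a PATH record wherever it sits in the line (audispd/syslog prefixes are ignored).
PATH_RE = re.compile(
    r'type=PATH msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'item=(?P<item>\d+) name=(?P<name>"[^"]*"|\(null\)|\S+) inode=(?P<inode>\d+)'
)
NAMETYPE_RE = re.compile(r'nametype=(?P<nametype>\w+)')


def parse_path_records(lines):
    """Yield (serial, item, name, inode, nametype) per PATH record.  name is None for (null);
    nametype is None on kernels that predate the field (the 3.2 output in the report has none)."""
    for line in lines:
        m = PATH_RE.search(line)
        if not m:
            continue
        raw = m.group("name")
        name = None if raw == "(null)" else raw.strip('"')
        t = NAMETYPE_RE.search(line, m.end())
        yield (int(m.group("serial")), int(m.group("item")), name,
               int(m.group("inode")), t.group("nametype") if t else None)


def unnamed_path_records(lines):
    """Map event serial -> [(item, inode, nametype)] for PATH records with name=(null)."""
    found = defaultdict(list)
    for serial, item, name, inode, nametype in parse_path_records(lines):
        if name is None:
            found[serial].append((item, inode, nametype))
    return dict(found)


def looks_affected(lines):
    """True when a non-PARENT PATH record lost its name: the file is then identified only
    by (dev, inode), which is the symptom the bug report describes."""
    return any(nametype != "PARENT"
               for records in unnamed_path_records(lines).values()
               for _, _, nametype in records)


# Constructed samples, trimmed from the lines quoted in the bug report.
FAULTY_SAMPLE = """\
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL msg=audit(1421321904.615:60229): arch=c03e syscall=2 success=yes exit=3 items=3 comm="bash" exe="/bin/bash" key="system_configuration_change"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD msg=audit(1421321904.615:60229): cwd="/root"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=0 name="/etc/" inode=1572865 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=1 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=2 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
""".splitlines()

GOOD_SAMPLE = """\
Jan 15 11:40:36 localhost audispd: node=atlas type=SYSCALL msg=audit(1421322036.194:6825): arch=c03e syscall=2 success=yes exit=3 items=1 comm="bash" exe="/bin/bash" key="system_configuration_change"
Jan 15 11:40:36 localhost audispd: node=atlas type=CWD msg=audit(1421322036.194:6825): cwd="/tmp"
Jan 15 11:40:36 localhost audispd: node=atlas type=PATH msg=audit(1421322036.194:6825): item=0 name="/etc/testfile" inode=159619 dev=fd:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
""".splitlines()


def main(argv):
    """Usage: python check_audit_names.py [/var/log/audit/audit.log]; without an argument the
    constructed faulty sample is analysed."""
    if len(argv) > 1:
        with open(argv[1], errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = FAULTY_SAMPLE
    for serial, records in sorted(unnamed_path_records(lines).items()):
        for item, inode, nametype in records:
            print("event %d: item=%d has name=(null), file known only as inode %d (%s)"
                  % (serial, item, inode, nametype))
    print("kernel looks affected" if looks_affected(lines) else "no name-less PATH records")


if __name__ == "__main__":
    main(sys.argv)
```

A hit only tells you which inode was touched; to turn that back into a path while triaging on an affected host, the reported inode can be looked up on the matching device with `find <mountpoint> -xdev -inum <inode>`, as long as the file still exists. A name=(null) on a PARENT record can have other causes, so the check deliberately keys on NORMAL (or untyped) records, and a positive result is best confirmed with the reproduction recipe from the commit message.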
[Kernel-packages] [Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Utopic)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1439441

Title:
  Kernel provides incomplete audit information when an existing
  monitored file is modified

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Trusty:
  New
Status in linux source package in Utopic:
  New