...
Description of problem:
It looks like auparse interpret.c code was changed to check the length of local socket paths and produce messaging regarding the socket length being too short starting in audit-3.0.7-2.el8.2. There are some 3rd party security applications that add audit rules that capture a lot of normal system events that have an empty local socket address. Particularly these rules added by mdatp in Azure environments:

-a exit,always -F arch=b64 -F success=1 -S 43 -S 82 -S 84 -S 87 -S 263 -S 264 -S 288 -S 316 -k mdatp

This audit rule produces a number of audits like these in relation to dbus. I also see some related to sssd on my test system and the customer's system. Running ausearch with -i provides the additional messaging in the saddr field:

type=PROCTITLE msg=audit(07/21/2023 14:40:23.332:15299) : proctitle=/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
type=SOCKADDR msg=audit(07/21/2023 14:40:23.332:15299) : saddr= { saddr_fam=local sockaddr len too short }
type=SYSCALL msg=audit(07/21/2023 14:40:23.332:15299) : arch=x86_64 syscall=accept4 success=yes exit=6 a0=0x3 a1=0x7ffe18862640 a2=0x7ffe1886263c a3=0x80000 items=0 ppid=1 pid=877 auid=unset uid=dbus gid=dbus euid=dbus suid=dbus fsuid=dbus egid=dbus sgid=dbus fsgid=dbus tty=(none) ses=unset comm=dbus-daemon exe=/usr/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=mdatp

They appear to be normal. And as I understand it, the vendor audit rule should probably be excluding the unset auid from these audit rules the mdatp service adds. In any case, with the updated auparse interpret logic, when running the aureport command, it results in output like this when these audit rules are configured:

aureport

Summary Report
======================
sun_path len too short
sun_path len too short
<snip>

There can be quite a few of them, a couple hundred on the customer's system in a particular audit log rotation. It can clutter up the aureport output. Is this something that we might want to add functionality for so that aureport can count up the instances of when this appears and then display it with the rest of the audit report data, just like:

Number of short sockaddrs: X

Or do we even want to see this information from aureport at all?

Version-Release number of selected component (if applicable):
audit-3.0.7-2.el8.2+

How reproducible:
Always.

Steps to Reproduce:
1. Configure this mdatp rule: -a exit,always -F arch=b64 -F success=1 -S 43 -S 82 -S 84 -S 87 -S 263 -S 264 -S 288 -S 316 -k mdatp
2. Reload the audit rules.
3. Let the system run idle for a bit with at least sssd running. Reboots generate the dbus audits.
4. Run the aureport command.

Actual results:
Lots of sun_path len too short messages at the top of the output.

Expected results:
Those occurrences counted up and tallied like the rest of the aureport data, or just ignored if we shouldn't really be concerned with these.

Additional info:
SFDC: 03553995
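A tally of the kind proposed above ("Number of short sockaddrs: X"), written here as an added illustration and not code from the audit project: it groups ausearch -i records by event id, flags events whose SOCKADDR record carries the "len too short" marker, and breaks them down by comm, syscall and auid so the reviewer can see which processes and login sessions produce them. The sample input is constructed from the dbus event quoted in the report plus a made-up sssd event and a made-up event with a real socket path.

```python
import re
from collections import Counter

# Constructed sample of `ausearch -i` output: the dbus event from the report,
# an invented sssd event with the same marker, and an invented connect() event
# whose SOCKADDR record has a full sun_path (it must NOT be counted).
SAMPLE = """\
type=PROCTITLE msg=audit(07/21/2023 14:40:23.332:15299) : proctitle=/usr/bin/dbus-daemon --system
type=SOCKADDR msg=audit(07/21/2023 14:40:23.332:15299) : saddr= { saddr_fam=local sockaddr len too short }
type=SYSCALL msg=audit(07/21/2023 14:40:23.332:15299) : arch=x86_64 syscall=accept4 success=yes exit=6 pid=877 auid=unset uid=dbus comm=dbus-daemon exe=/usr/bin/dbus-daemon key=mdatp
type=SOCKADDR msg=audit(07/21/2023 14:40:25.100:15303) : saddr= { saddr_fam=local sockaddr len too short }
type=SYSCALL msg=audit(07/21/2023 14:40:25.100:15303) : arch=x86_64 syscall=accept4 success=yes exit=5 pid=901 auid=unset uid=root comm=sssd_nss exe=/usr/libexec/sssd/sssd_nss key=mdatp
type=SOCKADDR msg=audit(07/21/2023 14:40:26.000:15310) : saddr={ saddr_fam=local path=/run/dbus/system_bus_socket }
type=SYSCALL msg=audit(07/21/2023 14:40:26.000:15310) : arch=x86_64 syscall=connect success=yes exit=0 pid=1200 auid=1000 uid=alice comm=dbus-send exe=/usr/bin/dbus-send key=mdatp
"""

# One interpreted record per line: type, the audit(...) event id, and the body.
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<id>[^)]+)\) : (?P<body>.*)$")
# Both spellings seen in the report: the saddr field text and the aureport line.
SHORT_RE = re.compile(r"(sockaddr|sun_path) len too short")
FIELD_RE = re.compile(r"(\w+)=(\S+)")  # good enough for SYSCALL bodies

def tally_short_sockaddrs(text):
    """Return (total, Counter) where total is the number of audit events whose
    SOCKADDR record was flagged as too short and Counter is keyed by
    (comm, syscall, auid) taken from the same event's SYSCALL record."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip separators and anything not a record
        ev = events.setdefault(m["id"], {"short": False, "fields": {}})
        if m["type"] == "SOCKADDR" and SHORT_RE.search(m["body"]):
            ev["short"] = True
        elif m["type"] == "SYSCALL":
            ev["fields"].update(FIELD_RE.findall(m["body"]))
    by_comm = Counter()
    for ev in events.values():
        if ev["short"]:
            f = ev["fields"]
            by_comm[(f.get("comm", "?"), f.get("syscall", "?"), f.get("auid", "?"))] += 1
    return sum(by_comm.values()), by_comm

if __name__ == "__main__":
    total, by_comm = tally_short_sockaddrs(SAMPLE)
    print(f"Number of short sockaddrs: {total}")
    for (comm, syscall, auid), n in by_comm.most_common():
        print(f"  {n:>5}  comm={comm} syscall={syscall} auid={auid}")
```

Run against real output (ausearch -i -k mdatp | python3 tally.py with the sample replaced by sys.stdin.read()) the auid column shows directly whether the events come from unset-auid daemons, which is the exclusion the report suggests for the vendor rule.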
Done-Errata