Issues with auditd kernel panic and nfs mounts

Peter Moody pmoody at google.com
Fri Jul 13 17:46:54 UTC 2012


On Fri, Jul 13, 2012 at 10:35 AM, Vaughn, Chad M <chad.m.vaughn at lmco.com> wrote:
> Has anybody had any issues with auditd causing a panic upon restart or
> shutdown?  We are using Redhat 5.4 with base auditd. We have diskless
> clients, thus the /etc and /var are being served from an NFS server. The
> following rules cause the system to panic when we try to /etc/init.d/auditd
> restart or just shut the system down.   We have hundreds of other Redhat
> clients with local disks and have not had any problems with these rules
> until we tried diskless and NFS.
>
> We can comment out the rules listed below and then no problem, but we want
> to watch /etc and /var. I assume it’s something to do with NFS but can’t
> track it down.  Any ideas? Thanks.
>

There was an issue with watch rules. Eric had a patch back in April
that I thought was supposed to land upstream for 3.5 but I don't see
it on git.kernel.org.

I'm not sure if this would be affecting you since I think the -F dir=
are tree rules rather than watch rules. Do you have any actual watch
rules installed?

>
> Example of rules entries that are expected to be causing issues:
>
> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F
> auid!=4294967295 -F dir=/etc -k sro
>
> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F
> auid!=4294967295 -F dir=/var -k sro
>
> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F
> auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
>
> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F
> auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>
> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S
> removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295
> -F dir=/etc -k sro
>
> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S
> removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295
> -F dir=/var -k sro
>
> --
>
> Regards,
>
> Chad Vaughn
>
> chad.m.vaughn at lmco.com



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
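Peter's question ("do you have any actual watch rules installed?") comes down to telling `-w` watch rules apart from `-a ... -F dir=` tree rules in a ruleset. The following is an added example, not code from either poster or from the audit project: a small Python classifier over auditctl-style rule lines. The sample rules are constructed from two of the rules quoted above plus one `-w` rule and one plain syscall rule; the option-parsing assumes every `-x` option takes exactly one argument.

```python
import shlex
from dataclasses import dataclass

@dataclass
class AuditRule:
    kind: str    # "watch" (-w), "tree" (-F dir=), "path" (-F path=), "syscall", or "other"
    target: str  # watched file or directory, "" for rules that name none
    key: str     # -k value, "" when absent
    raw: str

def classify_rule(line: str) -> AuditRule:
    """Classify one auditctl-style rule line by how it selects files."""
    toks = shlex.split(line)
    kind, target, key = "other", "", ""
    if toks and toks[0] == "-w":                       # classic inode watch rule
        kind = "watch"
        target = toks[1] if len(toks) > 1 else ""
    elif toks and toks[0] in ("-a", "-A"):             # syscall filter rule
        kind = "syscall"
    i = 0
    while i + 1 < len(toks):                           # walk "-opt arg" pairs
        opt, arg = toks[i], toks[i + 1]
        if opt == "-k":
            key = arg
        elif opt == "-F" and arg.startswith("dir="):   # recursive directory tree rule
            kind, target = "tree", arg[len("dir="):]
        elif opt == "-F" and arg.startswith("path="):  # single path selected via -F
            kind, target = "path", arg[len("path="):]
        i += 2 if opt.startswith("-") else 1           # assumption: one arg per option
    return AuditRule(kind, target, key, line)

def summarize(rules_text: str):
    """Return (rules, counts-by-kind) for an audit.rules file or an `auditctl -l` dump."""
    rules = [classify_rule(l) for l in rules_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    counts = {}
    for r in rules:
        counts[r.kind] = counts.get(r.kind, 0) + 1
    return rules, counts

# Constructed sample: two tree rules from the thread, one watch rule, one plain syscall rule.
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
-w /etc/shadow -p wa -k shadow
-a always,exit -F arch=b32 -S execve -k exec
"""

if __name__ == "__main__":
    rules, counts = summarize(SAMPLE_RULES)
    for r in rules:
        print(f"{r.kind:8} {r.target:12} key={r.key}")
    print(counts)  # {'tree': 2, 'watch': 1, 'syscall': 1}
```

Feed it the output of `auditctl -l` on the diskless client to see whether any "watch" entries are present alongside the "tree" entries the quoted rules produce.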