EXTERNAL: Re: Issues with auditd kernel panic and nfs mounts

Vaughn, Chad M chad.m.vaughn at lmco.com
Fri Jul 13 17:52:16 UTC 2012


Yes, I also have watch rules for files in /etc and those do not seem to be a problem.

Such as:

-w /etc/sudoers -p rwxa -k sro

-----Original Message-----
From: Peter Moody [mailto:pmoody at google.com] 
Sent: Friday, July 13, 2012 12:47 PM
To: Vaughn, Chad M
Cc: linux-audit at redhat.com
Subject: EXTERNAL: Re: Issues with auditd kernel panic and nfs mounts

On Fri, Jul 13, 2012 at 10:35 AM, Vaughn, Chad M <chad.m.vaughn at lmco.com> wrote:
> Has anybody had any issues with auditd causing a panic upon restart or
> shutdown?  We are using Redhat 5.4 with base auditd. We have diskless
> clients, thus the /etc and /var are being served from an NFS server.
> The following rules cause the system to panic when we try to /etc/init.d/auditd
> restart or just shut the system down.   We have hundreds of other Redhat
> clients with local disks and have not had any problems with these
> rules until we tried diskless and NFS.
>
> We can comment out the rules listed below and then no problem, but we
> want to watch /etc and /var. I assume it's something to do with NFS
> but can't track it down.  Any ideas? Thanks.
>

There was an issue with watch rules. Eric had a patch back in April that I thought was supposed to land upstream for 3.5 but I don't see it on git.kernel.org.

I'm not sure if this would be affecting you since I think the -F dir= are tree rules rather than watch rules. Do you have any actual watch rules installed?

>
> Example of rules entries that are expected to be causing issues:
>
> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>
> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>
> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>
> --
> Regards,
> Chad Vaughn
> chad.m.vaughn at lmco.com
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
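The thread turns on a distinction that is easy to miss when reading a large audit.rules file: `-w path` (and the equivalent `-a ... -F path=`) installs a watch on a single path, while `-a ... -F dir=` installs a tree rule covering a whole directory recursively, and the kernel handles the two differently. The following Python is an added example, not code from the linux-audit list or the audit project. It parses auditctl-style rule lines, classifies each as a watch, tree, plain syscall or control rule, and flags the ones whose paths sit under a given list of mount points, so an administrator of a diskless client can see at a glance which rules reference NFS-served filesystems. The rule set and the mount list (`/etc` and `/var`, as in the original report) are constructed for the example; the tree rules are the ones quoted above, the watch on `/etc/sudoers` is the one from the reply.

```python
"""Classify audit rules as watch (-w / -F path=) or tree (-F dir=) rules.

Added example for the linux-audit thread; not code from the list or the
audit project.  Everything below the imports is constructed for the example.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AuditRule:
    raw: str
    kind: str                      # "watch", "tree", "syscall" or "control"
    paths: List[str] = field(default_factory=list)
    syscalls: List[str] = field(default_factory=list)
    filters: List[str] = field(default_factory=list)
    key: Optional[str] = None
    perms: Optional[str] = None


def parse_rule(line: str) -> AuditRule:
    """Parse one auditctl rule line into an AuditRule.

    -w PATH          -> watch rule on PATH
    -F path=PATH     -> watch rule on PATH (long form of -w)
    -F dir=PATH      -> tree rule covering PATH recursively
    -a ... with no path filter -> plain syscall rule
    anything else (-D, -b, -e, ...) -> control rule
    """
    toks = shlex.split(line)
    rule = AuditRule(raw=line.strip(), kind="control")
    i = 0
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "-w":
            rule.kind = "watch"
            rule.paths.append(arg)
            i += 2
        elif opt == "-p":
            rule.perms = arg
            i += 2
        elif opt == "-k":
            rule.key = arg
            i += 2
        elif opt == "-S":
            rule.syscalls.append(arg)
            i += 2
        elif opt == "-F":
            rule.filters.append(arg)
            if arg.startswith("dir="):
                rule.kind = "tree"
                rule.paths.append(arg[len("dir="):])
            elif arg.startswith("path="):
                rule.kind = "watch"
                rule.paths.append(arg[len("path="):])
            i += 2
        elif opt == "-a":
            if rule.kind == "control":
                rule.kind = "syscall"
            i += 2
        else:
            i += 1                 # control options (-D, -b N, -e N, ...)
    return rule


def load_rules(text: str) -> List[AuditRule]:
    """Parse an audit.rules file body, skipping comments and blank lines."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def on_mount(path: str, mounts: List[str]) -> Optional[str]:
    """Return the mount point that contains path (longest match), or None."""
    best = None
    for m in mounts:
        if path == m or path.startswith(m.rstrip("/") + "/"):
            if best is None or len(m) > len(best):
                best = m
    return best


def summarize(rules_text: str, nfs_mounts: List[str]) -> Dict[str, int]:
    """Count rules per kind, plus how many reference an NFS-backed path."""
    counts = {"watch": 0, "tree": 0, "syscall": 0, "control": 0, "nfs_backed": 0}
    for r in load_rules(rules_text):
        counts[r.kind] += 1
        if any(on_mount(p, nfs_mounts) for p in r.paths):
            counts["nfs_backed"] += 1
    return counts


# Constructed rule set modelled on the thread (not a real host's audit.rules).
SAMPLE_RULES = """
-D
-b 8192
-w /etc/sudoers -p rwxa -k sro
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b64 -S execve -F auid>=100 -k exec
-w /usr/local/bin -p x -k localbin
"""
# Constructed mount list for a diskless client whose /etc and /var are on NFS.
SAMPLE_NFS_MOUNTS = ["/etc", "/var"]

if __name__ == "__main__":
    for r in load_rules(SAMPLE_RULES):
        nfs = any(on_mount(p, SAMPLE_NFS_MOUNTS) for p in r.paths)
        print(f"{r.kind:8} nfs={str(nfs):5} key={r.key} paths={r.paths}")
    print(summarize(SAMPLE_RULES, SAMPLE_NFS_MOUNTS))
```

Run it against a copy of a real audit.rules and the output of `mount` to answer the question Peter asks in the thread (are there actual watch rules installed, and which rules reference the NFS-served paths) before rather than after the next restart.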
