EXTERNAL: Re: Issues with auditd kernel panic and nfs mounts

Peter Moody pmoody at google.com
Fri Jul 13 17:58:52 UTC 2012


On Fri, Jul 13, 2012 at 10:52 AM, Vaughn, Chad M <chad.m.vaughn at lmco.com> wrote:
> Yes, I also have watch rules for files in /etc and those do not seem to be a problem.

How are you verifying that they're not a problem? Does repeatedly
loading and unloading audit rules trigger it?

e.g.,
while [ 1 -eq 1 ] ; do /etc/init.d/auditd start && sleep 5 && /etc/init.d/auditd stop ; done
usually triggered it within a few minutes


> Such as:
>
> -w /etc/sudoers -p rwxa -k sro
>
> -----Original Message-----
> From: Peter Moody [mailto:pmoody at google.com]
> Sent: Friday, July 13, 2012 12:47 PM
> To: Vaughn, Chad M
> Cc: linux-audit at redhat.com
> Subject: EXTERNAL: Re: Issues with auditd kernel panic and nfs mounts
>
> On Fri, Jul 13, 2012 at 10:35 AM, Vaughn, Chad M <chad.m.vaughn at lmco.com> wrote:
>> Has anybody had any issues with auditd causing a panic upon restart or
>> shutdown?  We are using Redhat 5.4 with base auditd. We have diskless
>> clients, thus the /etc and /var are being served from an NFS server.
>> The following rules cause the system to panic when we try to /etc/init.d/auditd
>> restart or just shut the system down.   We have hundreds of other Redhat
>> clients with local disks and have not had any problems with these
>> rules until we tried diskless and NFS.
>>
>> We can comment out the rules listed below and then no problem, but we
>> want to watch /etc and /var. I assume it's something to do with NFS
>> but can't track it down.  Any ideas? Thanks.
>>
>
> There was an issue with watch rules. Eric had a patch back in April that I thought was supposed to land upstream for 3.5 but I don't see it on git.kernel.org.
>
> I'm not sure if this would be affecting you since I think the -F dir= are tree rules rather than watch rules. Do you have any actual watch rules installed?
>
>>
>> Example of rules entries that are expected to be causing issues:
>>
>> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
>>
>> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>>
>> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
>>
>> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>>
>> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
>>
>> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>>
>> --
>>
>> Regards,
>>
>> Chad Vaughn
>>
>> chad.m.vaughn at lmco.com
>>
>> --
>> Linux-audit mailing list
>> Linux-audit at redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
> --
> Peter Moody      Google    1.650.253.7306
> Security Engineer  pgp:0xC3410038



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
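The thread turns on whether the loaded ruleset contains real watch rules (-w PATH) or only directory tree rules (-F dir=PATH). The script below is an added example, not code from either poster: it splits an audit.rules file into those two groups (plus everything else) so each group can be loaded separately while reproducing the restart problem. It assumes one rule per line in the syntax quoted above; the sample ruleset and file names are constructed.

```shell
# Usage: split_audit_rules SRC WATCH_OUT TREE_OUT OTHER_OUT
# Writes the three rule sets and prints "watch=N tree=N other=N".
split_audit_rules() {
    src=$1; w=$2; t=$3; o=$4
    : > "$w"; : > "$t"; : > "$o"
    watch=0; tree=0; other=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*)      continue ;;                                   # blank line or comment
            -w\ *)       printf '%s\n' "$line" >> "$w"; watch=$((watch+1)) ;;   # watch rule
            *-F\ dir=*)  printf '%s\n' "$line" >> "$t"; tree=$((tree+1)) ;;     # directory tree rule
            *)           printf '%s\n' "$line" >> "$o"; other=$((other+1)) ;;   # any other -a rule
        esac
    done < "$src"
    printf 'watch=%d tree=%d other=%d\n' "$watch" "$tree" "$other"
}

# Constructed sample modelled on the rules quoted in the thread
# (not a real system's ruleset).
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample audit.rules
-w /etc/sudoers -p rwxa -k sro
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
-a always,exit -F arch=b64 -S execve -k exec
EOF
}

# Demonstration: split the sample into per-group files. Each group could then
# be loaded on its own (auditctl -R FILE) before running the start/stop loop
# from the message above to see which group is involved.
work=$(mktemp -d)
write_sample_rules "$work/audit.rules"
split_audit_rules "$work/audit.rules" "$work/watch.rules" "$work/tree.rules" "$work/other.rules"
# prints: watch=1 tree=2 other=1
rm -rf "$work"
```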



