RHEL-7 and implementing audit rules

warron.french warron.french at gmail.com
Tue Aug 23 17:32:48 UTC 2016


Hi, I am back again.

I have some experience and a great deal more comfort with the Linux Audit
configurations nowadays.  I learned an awful lot by working with CentOS-6;
however, this question is focused purely on RHEL-7.

In RHEL-6, audit rules were added directly to /etc/audit/audit.rules, but
it seems that it is a requirement in RHEL-7 to be placed directly in a file
(any file?) within /etc/audit/rules.d/.

I discovered this by doing some man-page reading of the audit.rules file
after my RHEL-6-variant understanding was turned on its ear.  So, I created
an /etc/audit/rules.d/audit.rules and added my rules in there.

I ensured that I set "-e 1" because the value wasn't already set.  I added
a watch rule (-w) and at first it didn't take effect; so then I realized, "this
is RHEL-7, I have to use systemctl to restart services."

That also didn't work.  I tested with auditctl -l and looked for my new
rules (only 2 of them); so a reboot was committed for something else by a
coworker, and then the auditctl -l command actually did display updated
rules.  This is very confusing, but I thought nothing more about it,
figuring it is a flaw somewhere.

Anyway, today I added an action rule (-a/Syscall Rule) and it too has not
taken effect; not after a service auditd restart, not after a systemctl
restart auditd.service, just nothing.  I also recently read in a community
post, today, that systemctl doesn't handle the restart of auditd very well
(the comment came from you Mr. Grubb).

I cannot reboot the server yet, and quite frankly I don't want to be forced
to reboot the server every time I add a rule - it's a lab, not production.

Can someone please tell me what I am doing so wrong, with respect to
handling audit configurations on a RHEL-7 system, and tell me how to work
the processes correctly?

Thanks,


--------------------------
Warron French
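The RHEL-7 workflow the post is asking about, as an added example that is not part of the original message: fragments under /etc/audit/rules.d/*.rules are merged by augenrules into /etc/audit/audit.rules and loaded into the kernel with auditctl, so no reboot is needed unless the rules were locked with -e 2. The fragment file name, the two sample rules and the temp-dir demo are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Shows how rules.d fragments are
# merged and loaded on RHEL-7, and why "enabled 2" forces a reboot.
set -eu

# Write a constructed rules.d fragment into directory $1 (assumed name).
write_fragment() {
  cat > "$1/10-lab.rules" <<'EOF'
-D
# watch rule: writes and attribute changes to /etc/passwd
-w /etc/passwd -p wa -k passwd_changes
# syscall rule: failed file opens by real (non-system) users
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access_denied
-e 1
EOF
}

# Merge $1/*.rules in the order augenrules uses: comments and blank lines
# dropped, -D first, -b/-f next, the rules themselves, and -e last.
merge_rules_d() {
  cat "$1"/*.rules | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' > "$1/.all"
  { grep '^-D' "$1/.all" || true
    grep '^-[bf]' "$1/.all" || true
    grep -v '^-[Dbfe]' "$1/.all" || true
    grep '^-e' "$1/.all" || true; }
  rm -f "$1/.all"
}

# Read the "enabled" flag from `auditctl -s` output on stdin:
# 0 = auditing off, 1 = on, 2 = locked (rule changes refused until reboot).
enabled_state() {
  awk '$1=="enabled"{print $2; exit}'
}

# Load a merged rules file into the running kernel (needs root); this is
# what `augenrules --load` does after merging, and what a restart may not.
load_rules() {
  if [ "$(auditctl -s | enabled_state)" = "2" ]; then
    echo "audit rules are locked (-e 2); changes need a reboot" >&2
    return 1
  fi
  auditctl -R "$1" && auditctl -l
}

# Stand-alone demo of the merge step in a temp dir; no root required.
demo() {
  d=$(mktemp -d); write_fragment "$d"; merge_rules_d "$d"; rm -rf "$d"
}
```

Run `demo` to see the merged rule set; on a real host, `augenrules --load` performs the merge and load in one step, and `auditctl -l` confirms what the kernel currently holds.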