Regarding Auditing on RHEL7.1

Sarthak Jain Sarthak.Jain at microfocus.com
Wed Feb 24 14:32:56 UTC 2016


Hi,

There has been one issue I am facing with auditing on RHEL 7.1. It is the same one as described here - 
https://www.redhat.com/archives/linux-audit/2015-January/msg00045.html

https://bugzilla.redhat.com/show_bug.cgi?id=1155208

Can you please comment on whether this has been fixed or not? 

Thanks
-----Original Message-----
From: Richard Guy Briggs [mailto:rgb at redhat.com] 
Sent: Wednesday, February 24, 2016 7:59 PM
To: Sarthak Jain <Sarthak.Jain at microfocus.com>
Subject: Re: Regarding Auditing on RHEL7.1

On 16/02/24, Sarthak Jain wrote:
> Thank you Richard for replying and giving the proper contact. But you 
> know in meanwhile, I came across this known bug -
> 
> https://www.redhat.com/archives/linux-audit/2015-January/msg00045.html
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1155208
> 
> Can you tell me whether it is in progress or it has been fixed? 

You are welcome to ask on the list and Cc: me if you want my attention.
Please keep this public unless you have a service contract.

> Thanks
> -----Original Message-----
> From: Richard Guy Briggs [mailto:rgb at redhat.com]
> Sent: Wednesday, February 24, 2016 1:13 PM
> To: Sarthak Jain <Sarthak.Jain at microfocus.com>
> Subject: Re: Regarding Auditing on RHEL7.1
> 
> On 16/02/24, Sarthak Jain wrote:
> > Hi Richard,
> 
> Hi Sarthak,
> 
> > I am Sarthak Jain working in MicroFocus. I want your small help to 
> > clarify one of my doubts regarding the kernel auditing on RHEL 7.1. I 
> > hope you are the right person to contact. It will take just 2 min (max 
> > :P) to go through the problem.
> 
> For general audit-related questions, please use the linux-audit at redhat.com mailing list.  For RHEL support questions, please contact your Red Hat service contract manager.
> 
> > Assumption: Ideally, if we change the configuration file (for ex- /etc/hosts), we should be getting audit events for it.
> > 
> > Scenario: By default, the permissions for '/etc/hosts' are (rw-r-r--). If we modify this file, then audit events are coming as attached in file - 'file1.txt'.
> > 
> > Problem: Let's say we change the permissions of '/etc/hosts' to (rw-rw-rw); then the audit system is not recording the "CONFIG_CHANGE" event at all. I have attached the file - 'file2.txt' for your reference. Can you please clarify this? Is it a kernel level bug?
> > 
> > I would be greatly thankful to you if you could please comment on this.
> > 
> > Thanks.
> > 
> > 
> 
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=CONFIG_CHANGE msg=audit(1456296260.392:3012733752): auid=0
> > ses=612921 op="updated rules" path="/etc/hosts" key=(null) list=4
> > res=1
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=PATH msg=audit(1456296260.392:3012733753): item=3 
> > name="/etc/hosts~" inode=133015 dev=fd:01 mode=0100700 ouid=0 ogid=0
> > rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=CREATE 
> > type=PATH msg=audit(1456296260.392:3012733753): item=2 name="/etc/hosts" inode=133015 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=DELETE
> > type=PATH msg=audit(1456296260.392:3012733753): item=1 name="/etc/" inode=130309 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
> > type=PATH msg=audit(1456296260.392:3012733753): item=0 name="/etc/" inode=130309 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
> > type=CWD msg=audit(1456296260.392:3012733753):  cwd="/root"
> > type=SYSCALL msg=audit(1456296260.392:3012733753): arch=c000003e
> > syscall=82 success=yes exit=0 a0=1d5c730 a1=1d82ab0
> > a2=fffffffffffffea0 a3=7fffcc152380 items=4 ppid=7009 pid=7575 
> > auid=0
> > uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
> > ses=612921 comm="vi" exe="/usr/bin/vi" 
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> > key=(null)
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=CONFIG_CHANGE msg=audit(1456296260.393:3012733754): auid=0
> > ses=612921 op="updated rules" path="/etc/hosts" key=(null) list=4
> > res=1
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=PATH msg=audit(1456296260.393:3012733755): item=1 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:net_conf_t:s0 objtype=CREATE
> > type=PATH msg=audit(1456296260.393:3012733755): item=0 name="/etc/" inode=130309 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
> > type=CWD msg=audit(1456296260.393:3012733755):  cwd="/root"
> > type=SYSCALL msg=audit(1456296260.393:3012733755): arch=c000003e
> > syscall=2 success=yes exit=3 a0=1d5c730 a1=241 a2=1c0 a3=0 items=2
> > ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" 
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> > key=(null)
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=PATH msg=audit(1456296260.413:3012733759): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:net_conf_t:s0 objtype=NORMAL
> > type=CWD msg=audit(1456296260.413:3012733759):  cwd="/root"
> > type=SYSCALL msg=audit(1456296260.413:3012733759): arch=c000003e
> > syscall=188 success=yes exit=0 a0=1d5c730 a1=7fc4923b877e a2=1d81fd0
> > a3=20 items=1 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0
> > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" 
> > exe="/usr/bin/vi" 
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> > key=(null)
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=PATH msg=audit(1456296260.413:3012733761): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> > type=CWD msg=audit(1456296260.413:3012733761):  cwd="/root"
> > type=SYSCALL msg=audit(1456296260.413:3012733761): arch=c000003e
> > syscall=90 success=yes exit=0 a0=1d5c730 a1=81c0 a2=0 a3=20 items=1
> > ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" 
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> > key=(null)
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=PATH msg=audit(1456296260.414:3012733762): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> > type=CWD msg=audit(1456296260.414:3012733762):  cwd="/root"
> > type=SYSCALL msg=audit(1456296260.414:3012733762): arch=c000003e
> > syscall=188 success=yes exit=0 a0=1d5c730 a1=7fc491f71ddf a2=1d81c30 
> > a3=1c items=1 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0
> > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" 
> > exe="/usr/bin/vi" 
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> > key=(null)
> 
> > ----
> > time->Wed Feb 24 00:45:55 2016
> > type=PATH msg=audit(1456296355.292:3012759691): item=0 name="/etc/hosts~" inode=133015 dev=fd:01 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> > type=CWD msg=audit(1456296355.292:3012759691):  cwd="/root"
> > type=SYSCALL msg=audit(1456296355.292:3012759691): arch=c000003e syscall=132 success=yes exit=0 a0=2245a70 a1=7fffdf2b4390 a2=2000 a3=7fffdf2b4050 items=1 ppid=7009 pid=7704 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="9980284E037547A8A9364B62ACB360C6"
> > ----
> > time->Wed Feb 24 00:45:55 2016
> > type=PATH msg=audit(1456296355.303:3012759696): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> > type=CWD msg=audit(1456296355.303:3012759696):  cwd="/root"
> > type=SYSCALL msg=audit(1456296355.303:3012759696): arch=c000003e
> > syscall=90 success=yes exit=0 a0=221f730 a1=81b6 a2=0 
> > a3=7fffdf2b4050
> > items=1 ppid=7009 pid=7704 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" 
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> > key=(null)
> 
> 
> - RGB
> 
> --
> Richard Guy Briggs <rbriggs at redhat.com> Senior Software Engineer, 
> Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, 
> Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: 
> +1.613.693.0684x3545

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
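The file1.txt / file2.txt records quoted in the thread, tied back into events: an added example (my own code, not from the list, Red Hat or the kernel) that groups PATH, SYSCALL and CONFIG_CHANGE records by audit serial and reports, for a watched path, whether each event replaced the inode or only changed the mode of the existing one. The sample log is constructed from abbreviated records above; field names are the real audit ones.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated records from the file1.txt / file2.txt excerpts in the thread.
SAMPLE_LOG = """
type=CONFIG_CHANGE msg=audit(1456296260.392:3012733752): auid=0 op="updated rules" path="/etc/hosts" key=(null) list=4 res=1
type=PATH msg=audit(1456296260.392:3012733753): item=2 name="/etc/hosts" inode=133015 mode=0100700 objtype=DELETE
type=SYSCALL msg=audit(1456296260.392:3012733753): arch=c000003e syscall=82 success=yes exit=0 items=4 pid=7575 comm="vi" key=(null)
type=CONFIG_CHANGE msg=audit(1456296260.393:3012733754): auid=0 op="updated rules" path="/etc/hosts" key=(null) list=4 res=1
type=PATH msg=audit(1456296260.393:3012733755): item=1 name="/etc/hosts" inode=133022 mode=0100700 objtype=CREATE
type=SYSCALL msg=audit(1456296260.393:3012733755): arch=c000003e syscall=2 success=yes exit=3 items=2 pid=7575 comm="vi" key=(null)
type=PATH msg=audit(1456296355.303:3012759696): item=0 name="/etc/hosts" inode=133022 mode=0100666 objtype=NORMAL
type=SYSCALL msg=audit(1456296355.303:3012759696): arch=c000003e syscall=90 success=yes exit=0 items=1 pid=7704 comm="vi" key=(null)
"""

# A record is 'type=T msg=audit(timestamp:serial): k=v k="v with spaces" ...'; the serial ties one event together.
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Return (type, serial, fields) for every well-formed audit record line."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, _ts, serial, rest = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
            records.append((rtype, int(serial), fields))
    return records

def watch_history(text, watched):
    """Per event touching `watched`: syscall, inode, mode, objtype. An inode change between
    rows means the file was replaced, which is when a path watch is re-attached ('updated rules')."""
    events = defaultdict(lambda: defaultdict(list))
    for rtype, serial, fields in parse_records(text):
        events[serial][rtype].append(fields)
    rows = []
    for serial, ev in sorted(events.items()):
        hits = [p for p in ev["PATH"] if p.get("name") == watched]
        if hits:
            sc = ev["SYSCALL"][0]["syscall"] if ev["SYSCALL"] else None
            rows.append({"serial": serial, "syscall": int(sc) if sc else None,
                         "inode": int(hits[0]["inode"]), "mode": hits[0]["mode"],
                         "objtype": hits[0].get("objtype")})
    return rows

def rule_updates(text, watched):
    """Serials of CONFIG_CHANGE 'updated rules' records for the watched path."""
    return [s for t, s, f in parse_records(text)
            if t == "CONFIG_CHANGE" and f.get("op") == "updated rules" and f.get("path") == watched]
```

Run against the full files, the first run shows the inode going 133015 to 133022 with an "updated rules" record before each replacement, while the second run is a chmod (syscall 90) on the unchanged inode 133022.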