Regarding Auditing on RHEL7.1

Sarthak Jain Sarthak.Jain at microfocus.com
Fri Feb 26 06:37:58 UTC 2016


Hi Paul,

Well, thanks for replying. But as per my knowledge, RHEL 7 is still facing the issue, even RHEL 7.1.

Assumption: If we modify the configuration file (/etc/hosts), then an audit log event will appear.

Scenario 1: If we modify the configuration file (/etc/hosts) when the permission is (rw-r--r--), then the audit log event comes through properly, as shown below:

------	
type=SYSCALL msg=audit(1456467914.581:50455): arch=c000003e syscall=82 success=yes exit=0 a0=8db730 a1=903980 a2=fffffffffffffea0 a3=7fffe734aee0 items=4 ppid=27080 pid=29188 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6667 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1456467914.581:50455):  cwd="/root"
type=PATH msg=audit(1456467914.581:50455): item=0 name="/etc/" inode=67108993 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=PATH msg=audit(1456467914.581:50455): item=1 name="/etc/" inode=67108993 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=PATH msg=audit(1456467914.581:50455): item=2 name="/etc/hosts" inode=70206961 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=DELETE
type=PATH msg=audit(1456467914.581:50455): item=3 name="/etc/hosts~" inode=70206961 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=CREATE
--------


Scenario 2: Let's say we modify the file when its permissions are (rw-rw-rw-); then the audit log event comes as shown below:

----------
type=SYSCALL msg=audit(1456466535.398:50437): arch=c000003e syscall=2 success=yes exit=3 a0=10d7730 a1=241 a2=1b6 a3=0 items=3 ppid=27080 pid=27328 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6667 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1456466535.398:50437):  cwd="/root"
type=PATH msg=audit(1456466535.398:50437): item=0 name="/etc/" inode=67108993 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=PATH msg=audit(1456466535.398:50437): item=1 name=(null) inode=70206961 dev=fd:00 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=PATH msg=audit(1456466535.398:50437): item=2 name=(null) inode=70206961 dev=fd:00 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
-----------

As you can see, in the second scenario, the name comes out as "null". As mentioned in the previous message, I think it is a kernel-level bug. As I saw the conversation at this link - https://www.redhat.com/archives/linux-audit/2015-January/msg00016.html , I guess it has been targeted for kernel v3.19-rcX? Or, if it has been fixed for RHEL 7, are there any patches which we need to apply?

Thanks


-----Original Message-----
From: Paul Moore [mailto:paul at paul-moore.com] 
Sent: Friday, February 26, 2016 12:44 AM
To: Sarthak Jain <Sarthak.Jain at microfocus.com>
Cc: linux-audit at redhat.com; Richard Guy Briggs <rgb at redhat.com>
Subject: Re: Regarding Auditing on RHEL7.1

On Wed, Feb 24, 2016 at 9:32 AM, Sarthak Jain <Sarthak.Jain at microfocus.com> wrote:
> Hi,
>
> There has been one issue I am facing with auditing on RHEL 7.1. It is 
> the same one as described here - 
> https://www.redhat.com/archives/linux-audit/2015-January/msg00045.html
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1155208
>
> Can you please comment on this whether it has been fixed or not?

The issue has been fixed in upstream kernels as well as in RHEL-7.

--
paul moore
www.paul-moore.com
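The name=(null) PATH records shown in the message above can still be tied to a file through their inode and dev fields. As an added example that is not part of this thread, the Python below groups audit records by event serial, flags events whose PATH records lack a name, and reports the syscall, command and (inode, dev) pairs instead; the SAMPLE records are constructed from a subset of the fields quoted in the thread, and the two-entry syscall table is an assumption covering only the numbers that appear here.

```python
# Added example, not the thread's own code: group audit records by event serial
# and flag PATH records whose name=(null), reporting inode/dev so the file can
# still be identified. SAMPLE is constructed from fields quoted in the thread.
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
EVENT = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
# Assumed minimal x86_64 (arch=c000003e) syscall table for the numbers seen above
SYSCALL_X86_64 = {'2': 'open', '82': 'rename'}

SAMPLE = """\
type=SYSCALL msg=audit(1456467914.581:50455): arch=c000003e syscall=82 success=yes exit=0 pid=29188 auid=0 uid=0 comm="vi" exe="/usr/bin/vi" key=(null)
type=PATH msg=audit(1456467914.581:50455): item=2 name="/etc/hosts" inode=70206961 dev=fd:00 mode=0100644 objtype=DELETE
type=PATH msg=audit(1456467914.581:50455): item=3 name="/etc/hosts~" inode=70206961 dev=fd:00 mode=0100644 objtype=CREATE
type=SYSCALL msg=audit(1456466535.398:50437): arch=c000003e syscall=2 success=yes exit=3 pid=27328 auid=0 uid=0 comm="vi" exe="/usr/bin/vi" key=(null)
type=PATH msg=audit(1456466535.398:50437): item=1 name=(null) inode=70206961 dev=fd:00 mode=0100666 objtype=NORMAL
type=PATH msg=audit(1456466535.398:50437): item=2 name=(null) inode=70206961 dev=fd:00 mode=0100666 objtype=NORMAL
"""

def parse_record(line):
    """One 'type=... k=v ...' line -> dict (quotes stripped, event serial kept)."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    m = EVENT.search(line)
    rec['_event'] = m.group(1) if m else None
    return rec

def group_events(text):
    """Map event serial -> list of its records (SYSCALL, CWD, PATH, ...)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.startswith('type='):
            rec = parse_record(line)
            events[rec['_event']].append(rec)
    return events

def find_unnamed_paths(text):
    """Events with a PATH record lacking a name, keyed by serial; each carries
    the syscall, comm and the (inode, dev) pairs to resolve the file by inode."""
    hits = {}
    for eid, recs in group_events(text).items():
        sysc = next((r for r in recs if r['type'] == 'SYSCALL'), {})
        inodes = {(r.get('inode'), r.get('dev')) for r in recs
                  if r['type'] == 'PATH' and r.get('name') == '(null)'}
        if inodes:
            num = sysc.get('syscall')
            hits[eid] = {'syscall': SYSCALL_X86_64.get(num, num),
                         'comm': sysc.get('comm'), 'inodes': sorted(inodes)}
    return hits
```

On a live system the reported inode can be resolved back to a path with `find / -xdev -inum <inode>` on the matching filesystem, which is how a reviewer would recover what the unnamed PATH record refers to.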



