audit.rules not fully loading into memory according to auditctl -l

warron.french warron.french at gmail.com
Wed Apr 12 19:32:08 UTC 2017 

Watch (-w) rules not in memory:

[root at wfrench-rhel68s-001 audit]# grep -e "-w " audit.rules
-w /etc/group -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/localtime -p wa -k audit_time_rules
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
-w /etc/selinux/ -p wa -k MAC-policy
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/sudoers -p wa -k actions
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications

These files do all exist on the system.  I still don't understand what's
going on.



--------------------------
Warron French


On Wed, Apr 12, 2017 at 3:00 PM, warron.french <warron.french at gmail.com>
wrote:

> Yes, certainly.
>
> I had a 1.7GB messages file in /var/log; so I moved it manually out of the
> way.  Then I rebooted.
>
> After doing that, I didn't see anything at all about auditd in the new
> /var/log/messages.
>
> I have finally gotten it down to 13 audit rules, all still Action Rules
> only for some reason, that are not loading into memory from
> /etc/audit/audit.rules.
> Those action rules are using -F path= attributes.
>
> What is really interesting is that I have other action rules using -F
> path= that are getting into memory!
>
> These are the files that are not:
> /usr/libexec/kde4/kdesud
> /usr/libexec/openssh/ssh-keysign
> /usr/libexec/polkit-1/polkit-agent-helper-1
> /usr/libexec/pt_chown
> /usr/libexec/utempter/utempter
> /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
> /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
> /usr/sbin/lockdev
> /usr/sbin/postdrop
> /usr/sbin/postqueue
> /usr/sbin/suexec
> /usr/sbin/userhelper
> /usr/sbin/usernetctl
>
> I did the following to evaluate---
> for FIL in `cat audit_action_rules_File | grep -v "^#" | awk '{ print $4
> }' | cut -d= -f 2`; do
>    echo "Checking for ${FIL}."
>    if [ -f ${FIL} ]; then
>       echo "${FIL} is present."
>    else
>       echo "The file ${FIL} is not present."
>    fi
> done
>
> Checking for /usr/libexec/kde4/kdesud.
> *The file /usr/libexec/kde4/kdesud is not present.*
> Checking for /usr/libexec/openssh/ssh-keysign.
> /usr/libexec/openssh/ssh-keysign is present.
> Checking for /usr/libexec/polkit-1/polkit-agent-helper-1.
> /usr/libexec/polkit-1/polkit-agent-helper-1 is present.
> Checking for /usr/libexec/pt_chown.
> /usr/libexec/pt_chown is present.
> Checking for /usr/libexec/utempter/utempter.
> /usr/libexec/utempter/utempter is present.
> Checking for /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper.
> *The file /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper is not
> present.*
> Checking for /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper.
> *The file /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper is not
> present.*
> Checking for /usr/sbin/lockdev.
> /usr/sbin/lockdev is present.
> Checking for /usr/sbin/postdrop.
> /usr/sbin/postdrop is present.
> Checking for /usr/sbin/postqueue.
> /usr/sbin/postqueue is present.
> Checking for /usr/sbin/suexec.
> /usr/sbin/suexec is present.
> Checking for /usr/sbin/userhelper.
> /usr/sbin/userhelper is present.
> Checking for /usr/sbin/usernetctl.
> /usr/sbin/usernetctl is present.
>
> I am still missing all 15 Watch rules in memory.
>
>
> --------------------------
> Warron French
>
>
> On Wed, Apr 12, 2017 at 2:05 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>
>> On Wednesday, April 12, 2017 1:40:51 PM EDT warron.french wrote:
>> > Didn't know to check there.
>>
>> Shouldn't we keep the discussion on the mail list so others can learn
>> from it?
>>
>> -Steve
>>
>> > Also, I noticed something interesting after tracing through rules I
>> > captured from audit.rules (and sorting) and capturing rules from
>> auditctl
>> > (also sorting).
>> >
>> > Here are some things I observed:
>> >
>> >    1.  -a  -F path= <path/to/file> are not getting loaded at all.
>> >    2. -a -S call1 -S call2 -S call3 -S callN are being altered into a
>> >    relative format  of   -a -S call1,call2,call3,callN       (I was not
>> >    expecting this at all).
>> >
>> > I will look at the syslog output from auditctl in /var/log/messages
>> > (correct?).
>> >
>> >
>> >
>> > --------------------------
>> > Warron French
>> >
>> > On Wed, Apr 12, 2017 at 1:22 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>> > > On Wednesday, April 12, 2017 12:51:03 PM EDT warron.french wrote:
>> > > > Hello, I am writing a Puppet Module to deliver updates of
>> audit.rules
>> > > > and
>> > > > auditd.conf configurations to RHEL6 and RHEL7 machines.
>> > > >
>> > > > The files are laid down correctly for both RHEL6 and RHEL7 within
>> the
>> > > >
>> > > > appropriate directories:
>> > > >    - RHEL6 = /etc/audit/audit.rules, for
>> > > >    - RHEL7 = /etc/audit/rules.d/audit.rules
>> > > >
>> > > > Anyway, the results for all RHEL7 machines (client versus Server)
>> are
>> > > > perfect.  The audit.rules are all laid down as expected, and after a
>> > >
>> > > reboot
>> > >
>> > > > of the system the rules are all 100% in place - just as I need.
>> > > >
>> > > > The problem is when they are laid down on RHEL6 clients versus
>> Servers,
>> > >
>> > > the
>> > >
>> > > > behaviors are very different.
>> > > >
>> > > > For RHEL6 clients I have the following intentions and loaded into
>> > > > memory:
>> > > >
>> > > > 118 (-a) Action Rules in audit.rules file        118 Action Rules
>> are
>> > > > loaded into memory (YAY!)
>> > > >
>> > > > * 15 (-w) Watch Rules* in audit.rules file       *  15 Watch Rules
>> are
>> > > > loaded into memory* (YAY!)
>> > > >
>> > > > 133 Total Rules in audit.rules files              133 Total Rules
>> into
>> > > > memory (YAY!)
>> > > >
>> > > >
>> > > > For RHEL6 Server; however, I have the following results:
>> > > >
>> > > > 118 (-a) Action Rules in audit.rules file    105 Action Rules are
>> loaded
>> > > > into memory (FAIL)
>> > > >
>> > > > * 15 (-w) Watch Rules* in audit.rules file    *   0  Watch Rules are
>> > >
>> > > loaded
>> > >
>> > > > into memory* (HUGE FAIL)
>> > > >
>> > > > 133 Total Rules in audit.rules files           105 Total Rules into
>> > >
>> > > memory
>> > >
>> > > > (YAY!)
>> > > >
>> > > >
>> > > > This is really a big problem for me.  Can someone help?
>> > >
>> > > Was there anything in syslog from auditctl?
>> > >
>> > > When auditctl runs across a rule with syntax errors, the default
>> action is
>> > > to
>> > > log it and stop. This way it causes the most noticeable thing to
>> happen.
>> > > However, some people don't like this behavior so they pass a '-c'
>> option
>> > > near
>> > > the beginning of the rules. This causes it to keep processing but
>> > > ultimately
>> > > return an error at exit. Some people didn't like that auditctl
>> returned an
>> > > error, so the '-i' option was created for people that can't be
>> bothered
>> > > with
>> > > failure even in the face of failure.
>> > >
>> > > Check for a syntax error in the rules. It should be in syslog.
>> > >
>> > > -Steve
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20170412/5bfd2bd4/attachment.htm>

More information about the Linux-audit mailing list