Hi Paul,
Well, thanks for replying. But as far as I know, RHEL 7 is still facing the issue,
even RHEL 7.1.
Assumption: if we modify the configuration file (/etc/hosts), then an audit log event will
be logged.
Scenario 1: if we modify the configuration file (/etc/hosts) when its permissions are
(rw-r--r--), then the audit log event comes properly, as shown below -
------
type=SYSCALL msg=audit(1456467914.581:50455): arch=c000003e syscall=82 success=yes exit=0
a0=8db730 a1=903980 a2=fffffffffffffea0 a3=7fffe734aee0 items=4 ppid=27080 pid=29188
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6667
comm="vi" exe="/usr/bin/vi"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1456467914.581:50455): cwd="/root"
type=PATH msg=audit(1456467914.581:50455): item=0 name="/etc/" inode=67108993
dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
objtype=PARENT
type=PATH msg=audit(1456467914.581:50455): item=1 name="/etc/" inode=67108993
dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
objtype=PARENT
type=PATH msg=audit(1456467914.581:50455): item=2 name="/etc/hosts"
inode=70206961 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:net_conf_t:s0 objtype=DELETE
type=PATH msg=audit(1456467914.581:50455): item=3 name="/etc/hosts~"
inode=70206961 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:net_conf_t:s0 objtype=CREATE
--------
Scenario 2: let's say we modify the file when its permissions are
(rw-rw-rw-); then the audit log event comes as shown below -
----------
type=SYSCALL msg=audit(1456466535.398:50437): arch=c000003e syscall=2 success=yes exit=3
a0=10d7730 a1=241 a2=1b6 a3=0 items=3 ppid=27080 pid=27328 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6667 comm="vi"
exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
type=CWD msg=audit(1456466535.398:50437): cwd="/root"
type=PATH msg=audit(1456466535.398:50437): item=0 name="/etc/" inode=67108993
dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
objtype=PARENT
type=PATH msg=audit(1456466535.398:50437): item=1 name=(null) inode=70206961 dev=fd:00
mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=PATH msg=audit(1456466535.398:50437): item=2 name=(null) inode=70206961 dev=fd:00
mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
-----------
As you can see, in the second scenario the name is coming as "null". As mentioned in
the previous message, I think it is a kernel-level bug. As I saw the conversation at this
link -
https://www.redhat.com/archives/linux-audit/2015-January/msg00016.html , I guess it
has been targeted for kernel v3.19-rcX? Or, if it has been fixed for RHEL 7, are there any
patches which we need to apply?
Thanks
-----Original Message-----
From: Paul Moore [mailto:paul@paul-moore.com]
Sent: Friday, February 26, 2016 12:44 AM
To: Sarthak Jain <Sarthak.Jain(a)microfocus.com>
Cc: linux-audit(a)redhat.com; Richard Guy Briggs <rgb(a)redhat.com>
Subject: Re: Regarding Auditing on RHEL7.1
On Wed, Feb 24, 2016 at 9:32 AM, Sarthak Jain <Sarthak.Jain(a)microfocus.com> wrote:
> Hi,
> There has been one issue I am facing with auditing on RHEL 7.1. It is
> the same one as described here -
> https://www.redhat.com/archives/linux-audit/2015-January/msg00045.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1155208
> Can you please comment on this whether it has been fixed or not?
The issue has been fixed in upstream kernels as well as in RHEL-7.
--
paul moore
www.paul-moore.com
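The two events above show what a practitioner actually has to deal with when this defect is present: the SYSCALL, CWD and PATH records of one event share the serial in msg=audit(ts:serial), and in the broken case the PATH records still carry dev and inode but name=(null). The script below is an added example, not code from the post or from the audit project. It groups the records quoted in the thread (re-joined onto one line each) by serial, flags any event whose PATH records lack a name or whose count does not match items= in the SYSCALL record, and offers a best-effort hint for the missing name from other records in the same log that mention the same dev:inode. The small syscall-number table is an assumption covering only the x86_64 (arch=c000003e) numbers that appear in the sample.

```python
"""Group auditd text records into events and flag PATH records with name=(null).

Added example, not part of the mailing-list post or of the audit package.
Assumes the record layout visible in the post: "type=T msg=audit(ts:serial): k=v ...".
"""
import re
from collections import defaultdict

# The two events posted in the thread (scenario 1 then scenario 2), wrapped lines re-joined.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1456467914.581:50455): arch=c000003e syscall=82 success=yes exit=0 a0=8db730 a1=903980 a2=fffffffffffffea0 a3=7fffe734aee0 items=4 ppid=27080 pid=29188 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6667 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1456467914.581:50455): cwd="/root"
type=PATH msg=audit(1456467914.581:50455): item=0 name="/etc/" inode=67108993 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=PATH msg=audit(1456467914.581:50455): item=1 name="/etc/" inode=67108993 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=PATH msg=audit(1456467914.581:50455): item=2 name="/etc/hosts" inode=70206961 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=DELETE
type=PATH msg=audit(1456467914.581:50455): item=3 name="/etc/hosts~" inode=70206961 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=CREATE
type=SYSCALL msg=audit(1456466535.398:50437): arch=c000003e syscall=2 success=yes exit=3 a0=10d7730 a1=241 a2=1b6 a3=0 items=3 ppid=27080 pid=27328 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6667 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1456466535.398:50437): cwd="/root"
type=PATH msg=audit(1456466535.398:50437): item=0 name="/etc/" inode=67108993 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=PATH msg=audit(1456466535.398:50437): item=1 name=(null) inode=70206961 dev=fd:00 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=PATH msg=audit(1456466535.398:50437): item=2 name=(null) inode=70206961 dev=fd:00 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
"""

# Assumption: only the x86_64 (arch=c000003e) numbers that occur in the sample.
SYSCALL_NAMES_X86_64 = {2: "open", 82: "rename"}

_HEAD = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one audit line into (type, timestamp, serial, fields); None if not a record."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {}
    for k, v in _FIELD.findall(rest):
        if v.startswith('"') and v.endswith('"'):
            v = v[1:-1]
        elif v == "(null)":
            v = None  # the kernel emitted no value for this field
        fields[k] = v
    return rtype, ts, int(serial), fields


def group_events(text):
    """Collect all records that share a serial into one event dict."""
    events = {}
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        ev = events.setdefault(serial, {"ts": ts, "syscall": None, "cwd": None, "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return events


def syscall_name(fields):
    """Human-readable syscall name for the arch we know about, else the raw number."""
    if fields.get("arch") == "c000003e":
        return SYSCALL_NAMES_X86_64.get(int(fields["syscall"]), "syscall " + fields["syscall"])
    return "syscall " + fields.get("syscall", "?")


def check_event(ev):
    """Return a list of problems with one event; an empty list means it looks sane."""
    problems = []
    sc = ev["syscall"]
    if sc is None:
        return ["no SYSCALL record"]
    expected = int(sc.get("items", 0))
    if expected != len(ev["paths"]):
        problems.append(f"SYSCALL says items={expected} but {len(ev['paths'])} PATH records seen")
    for p in ev["paths"]:
        if p.get("name") is None:
            problems.append(f"PATH item={p['item']} has name=(null) "
                            f"(dev={p['dev']} inode={p['inode']} objtype={p['objtype']})")
    return problems


def resolve_null_names(events):
    """Best-effort hints for name=(null) PATH records: names other records in this log
    attach to the same dev:inode. Inodes get reused, so confirm on the host before trusting."""
    idx = defaultdict(set)
    for ev in events.values():
        for p in ev["paths"]:
            if p.get("name") is not None:
                idx[(p["dev"], p["inode"])].add(p["name"])
    hints = {}
    for serial, ev in events.items():
        for p in ev["paths"]:
            if p.get("name") is None:
                hints[(serial, int(p["item"]))] = sorted(idx.get((p["dev"], p["inode"]), ()))
    return hints


def report(text):
    """One summary line per event, followed by any problems found in it."""
    events = group_events(text)
    out = []
    for serial in sorted(events):
        ev = events[serial]
        sc = ev["syscall"]
        name = syscall_name(sc) if sc else "?"
        comm = sc.get("comm") if sc else "?"
        out.append(f"event {serial}: {name} by {comm!r} cwd={ev['cwd']}")
        out.extend("  PROBLEM: " + prob for prob in check_event(ev))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
    for key, names in resolve_null_names(group_events(SAMPLE_LOG)).items():
        print(f"hint for (serial, item)={key}: {names}")
```

Run against the sample, event 50437 (the rw-rw-rw- case, syscall 2 = open on x86_64) is reported with two name=(null) PATH records, while 50455 (syscall 82 = rename, which is how vi writes the file and leaves /etc/hosts~ behind) passes. The hint for the null names comes only from the rename event that happens to share inode 70206961; on a real host, confirm with `find / -inum` (and the dev) before treating it as the modified path.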