On Fri, Jul 13, 2012 at 10:52 AM, Vaughn, Chad M <chad.m.vaughn(a)lmco.com> wrote:
> Yes, I also have watch rules for files in /etc and those do not seem
> to be a problem.

How are you verifying that they're not a problem? Does repeatedly
loading and unloading audit rules trigger it?

eg, while [ 1 -eq 1 ] ; do /etc/init.d/auditd start && sleep 5 && /etc/init.d/auditd stop ; done
usually triggered it within a few minutes

> Such as:
> -w /etc/sudoers -p rwxa -k sro
> -----Original Message-----
> From: Peter Moody [mailto:pmoody@google.com]
> Sent: Friday, July 13, 2012 12:47 PM
> To: Vaughn, Chad M
> Cc: linux-audit(a)redhat.com
> Subject: EXTERNAL: Re: Issues with auditd kernel panic and nfs mounts
>
> On Fri, Jul 13, 2012 at 10:35 AM, Vaughn, Chad M <chad.m.vaughn(a)lmco.com> wrote:
> > Has anybody had any issues with auditd causing a panic upon restart or
> > shutdown? We are using Redhat 5.4 with base auditd. We have diskless
> > clients, thus the /etc and /var are being served from an NFS server.
> > The following rules cause the system to panic when we try to /etc/init.d/auditd
> > restart or just shut the system down. We have hundreds of other Redhat
> > clients with local disks and have not had any problems with these
> > rules until we tried diskless and NFS.
> >
> > We can comment out the rules listed below and then no problem, but we
> > want to watch /etc and /var. I assume it's something to do with NFS
> > but can't track it down. Any ideas? Thanks.
> >
> There was an issue with watch rules. Eric had a patch back in April that I thought was
> supposed to land upstream for 3.5 but I don't see it on
> git.kernel.org.
>
> I'm not sure if this would be affecting you since I think the -F dir= are tree rules
> rather than watch rules. Do you have any actual watch rules installed?
>
> > Example of rules entries that are expected to be causing issues:
> >
> > -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
> > -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
> >
> > -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
> > -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
> >
> > -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
> > -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
> >
> > --
> > Regards,
> > Chad Vaughn
> > chad.m.vaughn(a)lmco.com
> >
> > --
> > Linux-audit mailing list
> > Linux-audit(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> --
> Peter Moody Google 1.650.253.7306
> Security Engineer pgp:0xC3410038
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
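A small checker for the question raised above (which rules are watch rules, which are tree rules, and which of either kind point into an NFS mount), written here as an added example rather than anything from the thread or the audit project. It assumes the audit.rules syntax shown in the mails and the /proc/mounts line format; the sample rules and mounts files are constructed.

```shell
# Added example, not code from the thread: classify audit rules as watch (-w),
# tree (-F dir=) or other and report those whose path sits on an NFS mount.
# Inputs: an audit.rules-style file and a /proc/mounts-style file (constructed).
set -f   # no globbing while rule lines are split into words
# classify_rule RULE_LINE -> "watch PATH", "tree PATH" or "other "
classify_rule() {
    set -- $1
    kind=other; path=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -w) kind=watch; path=$2; shift ;;
            -F) case "$2" in dir=*) kind=tree; path=${2#dir=} ;; esac; shift ;;
        esac
        shift
    done
    printf '%s %s\n' "$kind" "$path"
}
# fs_type_of PATH MOUNTS_FILE -> fs type of the longest mount point prefixing PATH
fs_type_of() {
    awk -v p="$1" -v best=-1 '{ mp = ($2 == "/") ? "" : $2
        if (index(p "/", mp "/") == 1 && length(mp) >= best) { best = length(mp); t = $3 } }
        END { print t }' "$2"
}
# nfs_rules RULES_FILE MOUNTS_FILE -> one "kind path fstype" line per rule on NFS
nfs_rules() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*|-D*|-b*|-e*) continue ;; esac   # skip control lines
        rule=$(classify_rule "$line"); p=${rule#* }
        [ -n "$p" ] || continue
        t=$(fs_type_of "$p" "$2")
        case "$t" in nfs*) printf '%s %s\n' "$rule" "$t" ;; esac
    done < "$1"
}
# Constructed sample modelled on the thread: /etc and /var served from NFS.
RULES=$(mktemp); MOUNTS=$(mktemp)
trap 'rm -f "$RULES" "$MOUNTS"' EXIT
cat > "$RULES" <<'EOF'
-w /etc/sudoers -p rwxa -k sro
-a always,exit -F arch=b32 -S chmod -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chown -F auid>=100 -F dir=/var -k sro
-w /usr/bin/passwd -p x -k passwd
EOF
cat > "$MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
nfsserver:/export/etc /etc nfs rw,vers=3 0 0
nfsserver:/export/var /var nfs rw,vers=3 0 0
/dev/sda1 /usr ext3 rw 0 0
EOF
nfs_rules "$RULES" "$MOUNTS"
```

On a live host, point it at /etc/audit/audit.rules and /proc/mounts to see which of the loaded rules are the watch rules Peter asks about and which of them live on NFS.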