Watch (-w) rules not in memory:
[root@wfrench-rhel68s-001 audit]# grep -e "-w " audit.rules
-w /etc/group -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/localtime -p wa -k audit_time_rules
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
-w /etc/selinux/ -p wa -k MAC-policy
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/sudoers -p wa -k actions
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications
These files do all exist on the system. I still don't understand what's
going on.
--------------------------
Warron French
On Wed, Apr 12, 2017 at 3:00 PM, warron.french <warron.french(a)gmail.com>
wrote:
Yes, certainly.
I had a 1.7GB messages file in /var/log; so I moved it manually out of the
way. Then I rebooted.
After doing that, I didn't see anything at all about auditd in the new
/var/log/messages.
I have finally gotten it down to 13 audit rules, all still Action Rules
only for some reason, that are not loading into memory from
/etc/audit/audit.rules.
Those action rules are using -F path= attributes.
What is really interesting is that I have other action rules using -F
path= that are getting into memory!
These are the files that are not:
/usr/libexec/kde4/kdesud
/usr/libexec/openssh/ssh-keysign
/usr/libexec/polkit-1/polkit-agent-helper-1
/usr/libexec/pt_chown
/usr/libexec/utempter/utempter
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/sbin/lockdev
/usr/sbin/postdrop
/usr/sbin/postqueue
/usr/sbin/suexec
/usr/sbin/userhelper
/usr/sbin/usernetctl
I did the following to evaluate---
for FIL in `cat audit_action_rules_File | grep -v "^#" | awk '{ print $4
}' | cut -d= -f 2`; do
echo "Checking for ${FIL}."
if [ -f ${FIL} ]; then
echo "${FIL} is present."
else
echo "The file ${FIL} is not present."
fi
done
Checking for /usr/libexec/kde4/kdesud.
*The file /usr/libexec/kde4/kdesud is not present.*
Checking for /usr/libexec/openssh/ssh-keysign.
/usr/libexec/openssh/ssh-keysign is present.
Checking for /usr/libexec/polkit-1/polkit-agent-helper-1.
/usr/libexec/polkit-1/polkit-agent-helper-1 is present.
Checking for /usr/libexec/pt_chown.
/usr/libexec/pt_chown is present.
Checking for /usr/libexec/utempter/utempter.
/usr/libexec/utempter/utempter is present.
Checking for /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper.
*The file /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper is not
present.*
Checking for /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper.
*The file /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper is not
present.*
Checking for /usr/sbin/lockdev.
/usr/sbin/lockdev is present.
Checking for /usr/sbin/postdrop.
/usr/sbin/postdrop is present.
Checking for /usr/sbin/postqueue.
/usr/sbin/postqueue is present.
Checking for /usr/sbin/suexec.
/usr/sbin/suexec is present.
Checking for /usr/sbin/userhelper.
/usr/sbin/userhelper is present.
Checking for /usr/sbin/usernetctl.
/usr/sbin/usernetctl is present.
I am still missing all 15 Watch rules in memory.
--------------------------
Warron French
On Wed, Apr 12, 2017 at 2:05 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Wednesday, April 12, 2017 1:40:51 PM EDT warron.french wrote:
> > Didn't know to check there.
>
> Shouldn't we keep the discussion on the mail list so others can learn
> from it?
>
> -Steve
>
> > Also, I noticed something interesting after tracing through rules I
> > captured from audit.rules (and sorting) and capturing rules from
> auditctl
> > (also sorting).
> >
> > Here are some things I observed:
> >
> > 1. -a -F path= <path/to/file> are not getting loaded at all.
> > 2. -a -S call1 -S call2 -S call3 -S callN are being altered into a
> > relative format of -a -S call1,call2,call3,callN (I was not
> > expecting this at all).
> >
> > I will look at the syslog output from auditctl in /var/log/messages
> > (correct?).
> >
> >
> >
> > --------------------------
> > Warron French
> >
> > On Wed, Apr 12, 2017 at 1:22 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> > > On Wednesday, April 12, 2017 12:51:03 PM EDT warron.french wrote:
> > > > Hello, I am writing a Puppet Module to deliver updates of
> audit.rules
> > > > and
> > > > auditd.conf configurations to RHEL6 and RHEL7 machines.
> > > >
> > > > The files are laid down correctly for both RHEL6 and RHEL7 within
> the
> > > >
> > > > appropriate directories:
> > > > - RHEL6 = /etc/audit/audit.rules, for
> > > > - RHEL7 = /etc/audit/rules.d/audit.rules
> > > >
> > > > Anyway, the results for all RHEL7 machines (client versus Server)
> are
> > > > perfect. The audit.rules are all laid down as expected, and after a
> > >
> > > reboot
> > >
> > > > of the system the rules are all 100% in place - just as I need.
> > > >
> > > > The problem is when they are laid down on RHEL6 clients versus
> Servers,
> > >
> > > the
> > >
> > > > behaviors are very different.
> > > >
> > > > For RHEL6 clients I have the following intentions and loaded into
> > > > memory:
> > > >
> > > > 118 (-a) Action Rules in audit.rules file 118 Action Rules
> are
> > > > loaded into memory (YAY!)
> > > >
> > > > * 15 (-w) Watch Rules* in audit.rules file * 15 Watch Rules
> are
> > > > loaded into memory* (YAY!)
> > > >
> > > > 133 Total Rules in audit.rules files 133 Total Rules
> into
> > > > memory (YAY!)
> > > >
> > > >
> > > > For RHEL6 Server; however, I have the following results:
> > > >
> > > > 118 (-a) Action Rules in audit.rules file 105 Action Rules are
> loaded
> > > > into memory (FAIL)
> > > >
> > > > * 15 (-w) Watch Rules* in audit.rules file * 0 Watch Rules are
> > >
> > > loaded
> > >
> > > > into memory* (HUGE FAIL)
> > > >
> > > > 133 Total Rules in audit.rules files 105 Total Rules into
> > >
> > > memory
> > >
> > > > (YAY!)
> > > >
> > > >
> > > > This is really a big problem for me. Can someone help?
> > >
> > > Was there anything in syslog from auditctl?
> > >
> > > When auditctl runs across a rule with syntax errors, the default
> action is
> > > to
> > > log it and stop. This way it causes the most noticeable thing to
> happen.
> > > However, some people don't like this behavior so they pass a
'-c'
> option
> > > near
> > > the beginning of the rules. This causes it to keep processing but
> > > ultimately
> > > return an error at exit. Some people didn't like that auditctl
> returned an
> > > error, so the '-i' option was created for people that can't be
> bothered
> > > with
> > > failure even in the face of failure.
> > >
> > > Check for a syntax error in the rules. It should be in syslog.
> > >
> > > -Steve
>
>
>