Yes, I also have watch rules for files in /etc and those do not seem to be a problem.
Such as:
-w /etc/sudoers -p rwxa -k sro
-----Original Message-----
From: Peter Moody [mailto:pmoody@google.com]
Sent: Friday, July 13, 2012 12:47 PM
To: Vaughn, Chad M
Cc: linux-audit(a)redhat.com
Subject: EXTERNAL: Re: Issues with auditd kernel panic and nfs mounts
On Fri, Jul 13, 2012 at 10:35 AM, Vaughn, Chad M <chad.m.vaughn(a)lmco.com> wrote:
Has anybody had any issues with auditd causing a panic upon restart or
shutdown? We are using Redhat 5.4 with base auditd. We have diskless
clients, thus the /etc and /var are being served from an NFS server.
The following rules cause the system to panic when we try to /etc/init.d/auditd
restart or just shut the system down. We have hundreds of other Redhat
clients with local disks and have not had any problems with these
rules until we tried diskless and NFS.
We can comment out the rules listed below and then no problem, but we
want to watch /etc and /var. I assume it's something to do with NFS
but can't track it down. Any ideas? Thanks.
There was an issue with watch rules. Eric had a patch back in April that I thought was
supposed to land upstream for 3.5 but I don't see it on
git.kernel.org.
I'm not sure if this would be affecting you since I think the -F dir= are tree rules
rather than watch rules. Do you have any actual watch rules installed?
Example of rules entries that are expected to be causing issues:
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S fremovexattr -S lremovexattr -S removexattr -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
--
Regards,
Chad Vaughn
chad.m.vaughn(a)lmco.com
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
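The thread turns on the distinction Peter draws between `-w` watch rules and `-F dir=` tree rules, and on which of Chad's rules point at paths served over NFS. The script below is an added example written for this page, not code from the thread or from the audit project: it parses auditctl rule lines into watch, tree and plain syscall rules, resolves each rule's path against a constructed /proc/mounts-style table, and lists the rules whose watched path lives on an NFS mount, which is the set an administrator would comment out first when bisecting a problem like the one reported. The mount table and the rule list are constructed sample inputs (the rules are the ones quoted in the thread, joined onto single lines).

```python
"""Classify auditctl rules and flag those whose paths sit on NFS mounts.

Added example for the mailing-list thread, not part of it. It assumes only the
auditctl syntax visible in the thread (-w/-p/-k watch rules, -a/-F dir= tree
rules) plus -F path=, and reads a /proc/mounts-style table supplied as text.
"""
import shlex
from typing import Dict, List, Optional

# Constructed mount table in /proc/mounts layout: device mountpoint fstype options.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
nfsserver:/export/etc /etc nfs rw,vers=3 0 0
nfsserver:/export/var /var nfs rw,vers=3 0 0
none /proc proc rw 0 0
"""

# Constructed rule list: the thread's rules joined onto single lines, plus one
# syscall rule with no path so the classifier has all three kinds to sort.
SAMPLE_RULES = [
    "-w /etc/sudoers -p rwxa -k sro",
    "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 "
    "-F auid!=4294967295 -F dir=/etc -k sro",
    "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown "
    "-F auid>=100 -F auid!=4294967295 -F dir=/var -k sro",
    "-a always,exit -F arch=b32 -S execve -k exec",
]


def parse_mounts(text: str) -> Dict[str, str]:
    """Return {mountpoint: fstype} from /proc/mounts-style text."""
    mounts: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts[fields[1]] = fields[2]
    return mounts


def fstype_for(path: str, mounts: Dict[str, str]) -> Optional[str]:
    """Filesystem type of the mount holding `path`, by longest matching mountpoint."""
    best: Optional[str] = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return mounts[best] if best is not None else None


def classify_rule(rule: str) -> dict:
    """Classify one auditctl rule as 'watch', 'tree' or 'syscall' and pull out its path/key.

    -w PATH          -> watch rule on PATH
    -F dir=PATH      -> tree rule (recursive) rooted at PATH
    -F path=PATH     -> watch rule expressed as a syscall filter
    anything else    -> syscall rule with no filesystem path
    """
    toks = shlex.split(rule)
    info = {"kind": "syscall", "path": None, "key": None, "rule": rule}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-w":
            info["kind"], info["path"] = "watch", toks[i + 1]
            i += 2
        elif tok == "-k":
            info["key"] = toks[i + 1]
            i += 2
        elif tok == "-F":
            field = toks[i + 1]
            if field.startswith("dir="):
                info["kind"], info["path"] = "tree", field[len("dir="):]
            elif field.startswith("path="):
                info["kind"], info["path"] = "watch", field[len("path="):]
            i += 2
        elif tok in ("-a", "-p", "-S"):
            i += 2  # options that take exactly one argument
        else:
            i += 1
    return info


def rules_on_fstype(rules: List[str], mounts: Dict[str, str], fstype: str = "nfs") -> List[dict]:
    """Return classified rules whose path resolves to a mount of type `fstype`."""
    hits = []
    for rule in rules:
        info = classify_rule(rule)
        if info["path"] is None:
            continue
        info["fstype"] = fstype_for(info["path"], mounts)
        if info["fstype"] == fstype:
            hits.append(info)
    return hits


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for hit in rules_on_fstype(SAMPLE_RULES, table):
        print(f"{hit['kind']:<7} {hit['path']:<14} on {hit['fstype']}  key={hit['key']}")
```

On a live system the same functions can be fed the output of `auditctl -l` and the contents of `/proc/mounts`; the point of separating watch rules from tree rules is that, as the reply notes, a kernel fix for one kind does not necessarily cover the other, so the two groups should be disabled and re-enabled independently when narrowing down which rule triggers the panic.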