I found it out
auditctl -l did not list rule as loaded, I checked logs of auditd deeper
and found it stopped loading rules at some point due to duplicated rule,
after sorting that out, it loaded all rules correctly, sorry for trouble
On Sun, Jan 29, 2017 at 10:40 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
On 2017-01-28 13:16, Damian Tykałowski wrote:
> Hi
Hi Damian,
> I'm struggling to get proper auditing of usage of power commands, here's
> what I've got in rules
>
> [root@host01 ~]# cat /etc/audit/audit.rules | grep power
> -w /sbin/shutdown -p rwx -k power
> -w /sbin/poweroff -p rwx -k power
> -w /sbin/reboot -p rwx -k power
> -w /sbin/halt -p rwx -k power
> -w shutdown -p rwx -k power
> -w poweroff -p rwx -k power
> -w reboot -p rwx -k power
> -w halt -p rwx -k power
>
> However despite full host reboot/refreshing rules I'm not getting events
> with proper key "power"
>
> [root@host01 ~]# cat /var/log/audit/audit.log | grep power
> <empty>
>
> Events are logged though but without key
>
> type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004
> ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='cwd="/home/user01" cmd="reboot" terminal=pts/0
res=success'
>
> type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004
> ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='cwd="/home/user01" cmd="reboot" terminal=pts/0
res=success'
>
> Any idea what is wrong? Rules with other keys seems to work.
I suspect you have another rule that is catching it first?
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635