On Wednesday, April 12, 2017 12:51:03 PM EDT warron.french wrote:
Hello, I am writing a Puppet Module to deliver updates of audit.rules and auditd.conf configurations to RHEL6 and RHEL7 machines.
The files are laid down correctly for both RHEL6 and RHEL7 within the
appropriate directories:
- RHEL6 = /etc/audit/audit.rules
- RHEL7 = /etc/audit/rules.d/audit.rules
Anyway, the results for all RHEL7 machines (client versus Server) are
perfect. The audit.rules are all laid down as expected, and after a reboot
of the system the rules are all 100% in place - just as I need.
The problem is when they are laid down on RHEL6 clients versus Servers, the
behaviors are very different.
For RHEL6 clients I have the following intentions and loaded into memory:
  118 (-a) Action Rules in audit.rules file -> 118 Action Rules are loaded into memory (YAY!)
   15 (-w) Watch Rules in audit.rules file  ->  15 Watch Rules are loaded into memory (YAY!)
  133 Total Rules in audit.rules file       -> 133 Total Rules into memory (YAY!)
For RHEL6 Server, however, I have the following results:
  118 (-a) Action Rules in audit.rules file -> 105 Action Rules are loaded into memory (FAIL)
   15 (-w) Watch Rules in audit.rules file  ->   0 Watch Rules are loaded into memory (HUGE FAIL)
  133 Total Rules in audit.rules file       -> 105 Total Rules into memory (YAY!)
This is really a big problem for me. Can someone help?
Was there anything in syslog from auditctl?
When auditctl runs across a rule with syntax errors, the default action is to
log it and stop. This way it causes the most noticeable thing to happen.
However, some people don't like this behavior so they pass a '-c' option near
the beginning of the rules. This causes it to keep processing but ultimately
return an error at exit. Some people didn't like that auditctl returned an
error, so the '-i' option was created for people that can't be bothered with
failure even in the face of failure.
Check for a syntax error in the rules. It should be in syslog.
-Steve
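A small diagnostic for the check Steve describes, added here as an example (it is not code from either poster or from the audit project): it counts the -a and -w rules in a rules file, compares them with the numbers the host reports as loaded, and pulls auditctl's lines out of syslog. The rules file and syslog excerpt below are constructed samples; on a real host the inputs would be the RHEL6 or RHEL7 audit.rules path from the thread, /var/log/messages, and counts taken from `auditctl -l` (its output format differs between audit versions, so the loaded counts are passed in as numbers rather than parsed).

```shell
#!/bin/sh
# Added example, not from the thread. Counts -a/-w rules in an audit.rules
# file, compares them with the number reported as loaded, and shows what
# auditctl wrote to syslog. Sample files are constructed stand-ins.

# Number of rules of one type ($2 = -a or -w) in a rules file; comments,
# blank lines and control options (-D, -b, -c, -i, -e) are not counted.
count_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -c "^[[:space:]]*$2[[:space:]]" || true
}

# Lines that auditctl wrote to syslog; a syntax error in the rules file
# shows up here with the offending line number.
auditctl_errors() {
    grep 'auditctl' "$1" || true
}

# Compare file counts with loaded counts ($2 = loaded -a, $3 = loaded -w).
# Returns non-zero when they differ, which is the cue to read syslog.
compare_counts() {
    fa=$(count_rules "$1" -a); fw=$(count_rules "$1" -w)
    printf 'action rules: %s in file, %s loaded\n' "$fa" "$2"
    printf 'watch rules:  %s in file, %s loaded\n' "$fw" "$3"
    [ "$fa" -eq "$2" ] && [ "$fw" -eq "$3" ]
}

# Constructed sample inputs (stand-ins for the real rules file and syslog).
RULES=$(mktemp); LOG=$(mktemp)
cat > "$RULES" <<'EOF'
# sample audit.rules
-D
-b 8192
-a always,exit -F arch=b64 -S open -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S unlink -k delete
-w /etc/passwd -p wa -k identity
-w /etc/sudoers -p wa -k scope
-e 2
EOF
cat > "$LOG" <<'EOF'
Apr 12 12:40:01 rhel6srv auditd[1234]: Init complete, auditd listening for events
Apr 12 12:40:01 rhel6srv auditctl: There was an error in line 6 of /etc/audit/audit.rules
EOF

# Usage: 2 action and 2 watch rules in the file; pretend only the action
# rules were loaded, as on the RHEL6 server in the thread.
compare_counts "$RULES" 2 0 || { echo 'mismatch; auditctl said:'; auditctl_errors "$LOG"; }
```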