From: Steve Grubb <sgrubb@redhat.com>
To: John Barnes <jbarnes.1024.700@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: Rules mysteriously flushed
Date: Mon, 20 May 2013 09:58:18 -0400
Message-ID: <1467399.dDy5cIsklu@x2>
In-Reply-To: <CAJ7B0t_Zau0hvrnSJwW2vkhMTT0CAuZ3MnWGJN3gq6K69jd_1A@mail.gmail.com>

On Monday, May 20, 2013 11:04:30 AM John Barnes wrote:
> I set up 4 simple audit rules using auditctl:
>
> auditctl -w "/path/to/my/bin0" -p x
> auditctl -w "/path/to/my/bin1" -p x
>
> The rules were applied and show in auditctl -l. I tested them and
> they successfully log the execution of both binaries.
>
> However the rules were mysteriously flushed with only
> the following available in ausearch -m CONFIG_CHANGE:
>
> time->Sat May 18 00:03:19 2013
>
> type=CONFIG_CHANGE msg=audit(1368831799.081:466947): auid=4294967295
> ses=4294967295 op="remove rule" path="/path/to/my/bin0" key=(null) list=4
> res=1
>
> time->Sat May 18 00:03:19 2013
>
> type=CONFIG_CHANGE msg=audit(1368831799.081:466948): auid=4294967295
> ses=4294967295 op="remove rule" path="/path/to/my/bin1" key=(null) list=4
> res=1
>
> The uid doesn't match any known user so I presume these are initiated by
> the kernel.
Yes, these are -1, which is unset. This event is created by the kernel.
> The system wasn't under any pressure at the time (mem/load
> average fine), there was plenty of disk space available in all volumes, and
> the auditd was not restarted and the logs were not rotated.
>
> Is there anything that can cause the rules to be flushed in this way? It's
> a little concerning that they've just disappeared.
I think if your file is deleted, then it removes the associated rule.
-Steve
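The records John quoted carry the whole signal: a CONFIG_CHANGE with op="remove rule" whose auid is 4294967295 (unsigned -1, i.e. unset) was not issued from any login session. The following is an added example, not code from the thread or from the audit project: a small Python parser over raw CONFIG_CHANGE records that separates kernel-initiated removals from ones an administrator issued, and emits auditctl lines to restore the dropped watches. The first two sample records are the ones quoted above; the remaining sample records, the "-p x" form of the rebuilt rules, and the function names are assumptions of this example.

```python
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass
from typing import Optional

# (unsigned)-1: the login uid was never set, so no user session issued the change.
AUID_UNSET = 4294967295

# Constructed sample: first two records are the ones quoted in the thread; the
# rest are made up to show an admin-issued removal, a failed one (res=0), and
# an unrelated record type that must be ignored.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1368831799.081:466947): auid=4294967295 ses=4294967295 op="remove rule" path="/path/to/my/bin0" key=(null) list=4 res=1
type=CONFIG_CHANGE msg=audit(1368831799.081:466948): auid=4294967295 ses=4294967295 op="remove rule" path="/path/to/my/bin1" key=(null) list=4 res=1
type=CONFIG_CHANGE msg=audit(1368832000.123:466950): auid=1000 ses=3 op="remove rule" path="/path/to/my/bin2" key="exec-watch" list=4 res=1
type=CONFIG_CHANGE msg=audit(1368832200.500:466952): auid=1000 ses=3 op="remove rule" path="/path/to/my/bin3" key=(null) list=4 res=0
type=SYSCALL msg=audit(1368832100.001:466951): arch=c000003e syscall=59 success=yes exit=0 auid=1000 ses=3
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values are either "quoted" (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class RuleRemoval:
    serial: int
    timestamp: float
    path: str
    auid: int
    ses: int
    key: Optional[str]
    kernel_initiated: bool


def parse_fields(body: str) -> dict[str, str]:
    """Turn the record body into a dict, unquoting quoted values."""
    fields = {}
    for m in FIELD_RE.finditer(body):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def find_rule_removals(log_text: str) -> list[RuleRemoval]:
    """Return every successful 'remove rule' CONFIG_CHANGE record, in log order."""
    removals = []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m or m.group(1) != "CONFIG_CHANGE":
            continue
        fields = parse_fields(m.group(5))
        if fields.get("op") != "remove rule" or fields.get("res") != "1":
            continue
        auid = int(fields.get("auid", AUID_UNSET))
        key = fields.get("key")
        removals.append(RuleRemoval(
            serial=int(m.group(4)),
            timestamp=float(f"{m.group(2)}.{m.group(3)}"),
            path=fields.get("path", ""),
            auid=auid,
            ses=int(fields.get("ses", AUID_UNSET)),
            key=None if key in (None, "(null)") else key,
            kernel_initiated=(auid == AUID_UNSET),
        ))
    return removals


def summarize(removals: list[RuleRemoval]) -> dict[str, list]:
    """Split removals by origin: kernel (no session) vs. a logged-in user."""
    return {
        "kernel_initiated": [r.path for r in removals if r.kernel_initiated],
        "user_initiated": [(r.path, r.auid) for r in removals if not r.kernel_initiated],
    }


def rebuild_commands(removals: list[RuleRemoval]) -> list[str]:
    """auditctl lines to restore kernel-dropped watches.

    CONFIG_CHANGE does not record the original -p permissions, so this assumes
    the '-p x' form used in the thread; a key is restored when the record had one.
    """
    cmds = []
    for r in removals:
        if not r.kernel_initiated:
            continue
        cmd = f"auditctl -w {shlex.quote(r.path)} -p x"
        if r.key:
            cmd += f" -k {shlex.quote(r.key)}"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    found = find_rule_removals(SAMPLE_LOG)
    for r in found:
        origin = "kernel (auid unset)" if r.kernel_initiated else f"auid={r.auid} ses={r.ses}"
        print(f"{r.serial}: rule for {r.path} removed by {origin}")
    for cmd in rebuild_commands(found):
        print("re-add:", cmd)
```

In practice, feed find_rule_removals the output of `ausearch -m CONFIG_CHANGE --raw` and alert on anything in the kernel_initiated bucket: a watch that disappears without a session behind it silently removes coverage, and the rebuilt commands should be checked against the intended rule set (and `auditctl -l`) before being applied.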
Thread overview: 2+ messages
2013-05-20 13:58 Steve Grubb [this message]
2013-05-20 14:38 Rules mysteriously flushed John Barnes