From: Steve Grubb
Subject: Re: Rules mysteriously flushed
Date: Mon, 20 May 2013 09:58:18 -0400
Message-ID: <1467399.dDy5cIsklu@x2>
To: John Barnes
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, May 20, 2013 11:04:30 AM John Barnes wrote:
> I set up 4 simple audit rules using auditctl:
>
> auditctl -w "/path/to/my/bin0" -p x
> auditctl -w "/path/to/my/bin1" -p x
>
> The rules were applied and show in auditctl -l. I tested them and
> they successfully log the execution of both binaries.
>
> However the rules were mysteriously flushed with only
> the following available in ausearch -m CONFIG_CHANGE:
>
> time->Sat May 18 00:03:19 2013
> type=CONFIG_CHANGE msg=audit(1368831799.081:466947): auid=4294967295
> ses=4294967295 op="remove rule" path="/path/to/my/bin0" key=(null) list=4
> res=1
>
> time->Sat May 18 00:03:19 2013
> type=CONFIG_CHANGE msg=audit(1368831799.081:466948): auid=4294967295
> ses=4294967295 op="remove rule" path="/path/to/my/bin1" key=(null) list=4
> res=1
>
> The uid doesn't match any known user so I presume these are initiated by
> the kernel.

Yes, these are -1, which is unset. This event is created by the kernel.

> The system wasn't under any pressure at the time (mem/load
> average fine), there was plenty of disk space available in all volumes, and
> the auditd was not restarted and the logs were not rotated.
>
> Is there anything that can cause the rules to be flushed in this way? It's
> a little concerning that they've just disappeared.

I think if your file is deleted, then it removes the associated rule.

-Steve
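A defender-side check for the behaviour discussed in this thread, added here as an example and not part of the list mail or of the audit project: it parses `ausearch -m CONFIG_CHANGE` output and separates "remove rule" records whose auid is unset (4294967295, i.e. kernel-initiated, as when the watched file is deleted) from removals made by a logged-in user. The sample records are constructed: the first two copy the ones quoted above, the third (auid=1000) is invented for contrast.

```python
import re
import sys

# Constructed sample in the shape of `ausearch -m CONFIG_CHANGE` output.
# Records 1 and 2 are the ones from the thread; record 3 is a made-up
# contrast case where a logged-in administrator (auid=1000) removed a rule.
SAMPLE = """\
time->Sat May 18 00:03:19 2013
type=CONFIG_CHANGE msg=audit(1368831799.081:466947): auid=4294967295 ses=4294967295 op="remove rule" path="/path/to/my/bin0" key=(null) list=4 res=1
----
time->Sat May 18 00:03:19 2013
type=CONFIG_CHANGE msg=audit(1368831799.081:466948): auid=4294967295 ses=4294967295 op="remove rule" path="/path/to/my/bin1" key=(null) list=4 res=1
----
time->Sat May 18 00:05:00 2013
type=CONFIG_CHANGE msg=audit(1368831900.000:466950): auid=1000 ses=3 op="remove rule" path="/path/to/my/bin2" key=(null) list=4 res=1
"""

UNSET = 4294967295  # (unsigned)-1: auid/ses not set, so no login session behind the event

# name=value pairs; values are either double-quoted (may contain spaces) or bare
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Yield one dict of fields per type=CONFIG_CHANGE line, ignoring
    the time-> and ---- lines that ausearch prints around each record."""
    for line in text.splitlines():
        if line.startswith("type=CONFIG_CHANGE"):
            yield {k: v.strip('"') for k, v in FIELD.findall(line)}


def classify_removals(text):
    """Return (path, origin) for every removed watch rule. origin is
    'kernel' when auid is unset, otherwise the login uid that did it."""
    out = []
    for rec in parse_records(text):
        if rec.get("op") != "remove rule" or "path" not in rec:
            continue
        auid = int(rec.get("auid", UNSET))
        origin = "kernel" if auid == UNSET else f"auid={auid}"
        out.append((rec["path"], origin))
    return out


if __name__ == "__main__":
    # Pipe live data in: ausearch -m CONFIG_CHANGE | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for path, origin in classify_removals(data):
        print(f"watch on {path} removed by {origin}")
```

A kernel-origin removal of a watch is worth alerting on, since it means the watched file itself went away and the rule will not come back until it is re-added.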