* audit.rules not fully loading into memory according to auditctl -l
From: warron.french @ 2017-04-12 16:51 UTC (permalink / raw)
To: linux-audit
Hello, I am writing a Puppet Module to deliver updates of audit.rules and
auditd.conf configurations to RHEL6 and RHEL7 machines.
The files are laid down correctly for both RHEL6 and RHEL7 within the
appropriate directories:
- RHEL6 = /etc/audit/audit.rules, for
- RHEL7 = /etc/audit/rules.d/audit.rules
Anyway, the results for all RHEL7 machines (client versus Server) are
perfect. The audit.rules are all laid down as expected, and after a reboot
of the system the rules are all 100% in place - just as I need.
The problem is when they are laid down on RHEL6 clients versus Servers, the
behaviors are very different.
For RHEL6 clients I have the following intentions and loaded into memory:
118 (-a) Action Rules in audit.rules file    118 Action Rules are loaded into memory (YAY!)
*15 (-w) Watch Rules* in audit.rules file    *15 Watch Rules are loaded into memory* (YAY!)
133 Total Rules in audit.rules files         133 Total Rules into memory (YAY!)
For RHEL6 Server; however, I have the following results:
118 (-a) Action Rules in audit.rules file    105 Action Rules are loaded into memory (FAIL)
*15 (-w) Watch Rules* in audit.rules file    *0 Watch Rules are loaded into memory* (HUGE FAIL)
133 Total Rules in audit.rules files         105 Total Rules into memory (YAY!)
This is really a big problem for me. Can someone help?
--------------------------
Warron French
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: audit.rules not fully loading into memory according to auditctl -l
From: Steve Grubb @ 2017-04-12 17:22 UTC (permalink / raw)
To: linux-audit
On Wednesday, April 12, 2017 12:51:03 PM EDT warron.french wrote:
> Hello, I am writing a Puppet Module to deliver updates of audit.rules and
> auditd.conf configurations to RHEL6 and RHEL7 machines.
>
> The files are laid down correctly for both RHEL6 and RHEL7 within the
> appropriate directories:
>
> - RHEL6 = /etc/audit/audit.rules, for
> - RHEL7 = /etc/audit/rules.d/audit.rules
>
> Anyway, the results for all RHEL7 machines (client versus Server) are
> perfect. The audit.rules are all laid down as expected, and after a reboot
> of the system the rules are all 100% in place - just as I need.
>
> The problem is when they are laid down on RHEL6 clients versus Servers, the
> behaviors are very different.
>
> For RHEL6 clients I have the following intentions and loaded into memory:
>
> 118 (-a) Action Rules in audit.rules file    118 Action Rules are loaded into memory (YAY!)
> *15 (-w) Watch Rules* in audit.rules file    *15 Watch Rules are loaded into memory* (YAY!)
> 133 Total Rules in audit.rules files         133 Total Rules into memory (YAY!)
>
>
> For RHEL6 Server; however, I have the following results:
>
> 118 (-a) Action Rules in audit.rules file    105 Action Rules are loaded into memory (FAIL)
> *15 (-w) Watch Rules* in audit.rules file    *0 Watch Rules are loaded into memory* (HUGE FAIL)
> 133 Total Rules in audit.rules files         105 Total Rules into memory (YAY!)
>
>
> This is really a big problem for me. Can someone help?
Was there anything in syslog from auditctl?
When auditctl runs across a rule with syntax errors, the default action is to
log it and stop. This way it causes the most noticeable thing to happen.
However, some people don't like this behavior so they pass a '-c' option near
the beginning of the rules. This causes it to keep processing but ultimately
return an error at exit. Some people didn't like that auditctl returned an
error, so the '-i' option was created for people that can't be bothered with
failure even in the face of failure.
Check for a syntax error in the rules. It should be in syslog.
-Steve
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: audit.rules not fully loading into memory according to auditctl -l
From: warron.french @ 2017-04-12 19:00 UTC (permalink / raw)
To: Steve Grubb, linux-audit
Yes, certainly.
I had a 1.7GB messages file in /var/log; so I moved it manually out of the
way. Then I rebooted.
After doing that, I didn't see anything at all about auditd in the new
/var/log/messages.
I have finally gotten it down to 13 audit rules, all still Action Rules
only for some reason, that are not loading into memory from
/etc/audit/audit.rules.
Those action rules are using -F path= attributes.
What is really interesting is that I have other action rules using -F path=
that are getting into memory!
These are the files that are not:
/usr/libexec/kde4/kdesud
/usr/libexec/openssh/ssh-keysign
/usr/libexec/polkit-1/polkit-agent-helper-1
/usr/libexec/pt_chown
/usr/libexec/utempter/utempter
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/sbin/lockdev
/usr/sbin/postdrop
/usr/sbin/postqueue
/usr/sbin/suexec
/usr/sbin/userhelper
/usr/sbin/usernetctl
I did the following to evaluate---
# Take the path= value (4th field) from each non-comment rule and test for the file.
for FIL in $(grep -v "^#" audit_action_rules_File | awk '{ print $4 }' | cut -d= -f 2); do
    echo "Checking for ${FIL}."
    if [ -f "${FIL}" ]; then
        echo "${FIL} is present."
    else
        echo "The file ${FIL} is not present."
    fi
done
Checking for /usr/libexec/kde4/kdesud.
*The file /usr/libexec/kde4/kdesud is not present.*
Checking for /usr/libexec/openssh/ssh-keysign.
/usr/libexec/openssh/ssh-keysign is present.
Checking for /usr/libexec/polkit-1/polkit-agent-helper-1.
/usr/libexec/polkit-1/polkit-agent-helper-1 is present.
Checking for /usr/libexec/pt_chown.
/usr/libexec/pt_chown is present.
Checking for /usr/libexec/utempter/utempter.
/usr/libexec/utempter/utempter is present.
Checking for /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper.
*The file /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper is not present.*
Checking for /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper.
*The file /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper is not present.*
Checking for /usr/sbin/lockdev.
/usr/sbin/lockdev is present.
Checking for /usr/sbin/postdrop.
/usr/sbin/postdrop is present.
Checking for /usr/sbin/postqueue.
/usr/sbin/postqueue is present.
Checking for /usr/sbin/suexec.
/usr/sbin/suexec is present.
Checking for /usr/sbin/userhelper.
/usr/sbin/userhelper is present.
Checking for /usr/sbin/usernetctl.
/usr/sbin/usernetctl is present.
I am still missing all 15 Watch rules in memory.
--------------------------
Warron French
On Wed, Apr 12, 2017 at 2:05 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Wednesday, April 12, 2017 1:40:51 PM EDT warron.french wrote:
> > Didn't know to check there.
>
> Shouldn't we keep the discussion on the mail list so others can learn from
> it?
>
> -Steve
>
> > Also, I noticed something interesting after tracing through rules I
> > captured from audit.rules (and sorting) and capturing rules from auditctl
> > (also sorting).
> >
> > Here are some things I observed:
> >
> > 1. -a -F path= <path/to/file> are not getting loaded at all.
> > 2. -a -S call1 -S call2 -S call3 -S callN are being altered into a
> > relative format of -a -S call1,call2,call3,callN (I was not
> > expecting this at all).
> >
> > I will look at the syslog output from auditctl in /var/log/messages
> > (correct?).
> >
> >
> >
> > --------------------------
> > Warron French
^ permalink raw reply [flat|nested] 6+ messages in thread
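An added example, not part of the original thread or of the audit project: a fuller version of the existence check in the message above. It finds -w, -F path= and -F dir= targets wherever they sit on the line (the posted loop assumes the path is the fourth field) and prints each rule's line number, which matters because, per Steve's reply, auditctl by default stops at the first rule it rejects. The function names check_rule_paths and first_missing_line are hypothetical, and a missing target is only a candidate cause that the thread does not confirm.

```sh
#!/bin/sh
# Added example (not from the thread): static check of the paths an audit
# rules file refers to, reported with line numbers.

# check_rule_paths FILE
#   Prints "LINENO present|MISSING PATH" for every -w PATH, -F path=PATH and
#   -F dir=PATH in FILE. Returns 1 if any referenced path is missing, else 0.
check_rule_paths() {
    rules_file=$1
    missing=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f                      # split on whitespace only, no globbing
        set -- $line
        set +f
        case ${1-} in
            ''|'#'*) continue ;;    # blank line or comment
        esac
        prev=
        for word in "$@"; do
            path=
            case $prev in
                -w) path=$word ;;
                -F) case $word in
                        path=*|dir=*) path=${word#*=} ;;
                    esac ;;
            esac
            prev=$word
            [ -n "$path" ] || continue
            if [ -e "$path" ]; then
                printf '%s present %s\n' "$lineno" "$path"
            else
                printf '%s MISSING %s\n' "$lineno" "$path"
                missing=1
            fi
        done
    done < "$rules_file"
    return "$missing"
}

# first_missing_line FILE
#   Line number of the first rule that names a missing path (empty if none).
#   With the default stop-on-error behaviour, rules after a rejected line
#   are never loaded, so this is the first line worth inspecting.
first_missing_line() {
    check_rule_paths "$1" | awk '$2 == "MISSING" { print $1; exit }'
}

# Constructed sample: one existing target, one missing target, one syscall rule.
demo_dir=$(mktemp -d)
touch "$demo_dir/passwd"
cat > "$demo_dir/audit.rules" <<EOF
# constructed sample rules
-w $demo_dir/passwd -p wa -k audit_account_changes
-a always,exit -F path=$demo_dir/kdesud -F perm=x -k privileged
-a always,exit -F arch=b64 -S chmod -S fchmod -k perm_mod
EOF
check_rule_paths "$demo_dir/audit.rules" ||
    echo "first missing path is on line $(first_missing_line "$demo_dir/audit.rules")"
rm -rf "$demo_dir"
```

On a real host the call would be check_rule_paths /etc/audit/audit.rules, which only reads the file and does not touch the loaded rule set.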
* Re: audit.rules not fully loading into memory according to auditctl -l
From: warron.french @ 2017-04-12 19:32 UTC (permalink / raw)
To: Steve Grubb, linux-audit
Watch (-w) rules not in memory:
[root@wfrench-rhel68s-001 audit]# grep -e "-w " audit.rules
-w /etc/group -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/localtime -p wa -k audit_time_rules
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes
-w /etc/selinux/ -p wa -k MAC-policy
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/sudoers -p wa -k actions
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications
These files do all exist on the system. I still don't understand what's
going on.
--------------------------
Warron French
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: audit.rules not fully loading into memory according to auditctl -l
From: Steve Grubb @ 2017-04-12 21:01 UTC (permalink / raw)
To: warron.french; +Cc: linux-audit
On Wednesday, April 12, 2017 3:00:59 PM EDT warron.french wrote:
> Yes, certainly.
>
> I had a 1.7GB messages file in /var/log; so I moved it manually out of the
> way. Then I rebooted.
>
> After doing that, I didn't see anything at all about auditd in the new
> /var/log/messages.
It will probably be auditctl rather than auditd. Auditctl is noisy on any
problems, try loading the rules by hand:
auditctl -R /etc/audit/audit.rules
-Steve
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: audit.rules not fully loading into memory according to auditctl -l
From: warron.french @ 2017-04-12 21:55 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
OK, I will have to try this tomorrow. I have to go home now.
--------------------------
Warron French
^ permalink raw reply [flat|nested] 6+ messages in thread