From mboxrd@z Thu Jan 1 00:00:00 1970
From: pg@aud.list.sabi.co.UK (Peter Grandi)
Subject: Re: peculiar disappearance of most audit rules
Date: Mon, 21 Apr 2014 21:49:13 +0100
Message-ID: <21333.33865.378826.157120@tree.ty.sabi.co.uk>
References: <1806426.QoIu6KxFX5@x2>
In-Reply-To: <1806426.QoIu6KxFX5@x2>
To: Linux audit
List-Id: linux-audit@redhat.com

[ ... ]

>> For example:

>> time->Thu Apr 17 07:58:44 2014
>> type=CONFIG_CHANGE msg=audit(1397717924.255:37148): op="remove rule" dir="/boot" key="pkg-s" list=4 res=1
>> time->Thu Apr 17 07:59:04 2014
>> type=CONFIG_CHANGE msg=audit(1397717944.762:37151): op="remove rule" dir="/opt" key="pkg-s" list=4 res=1
>> time->Thu Apr 17 10:01:02 2014
>> type=CONFIG_CHANGE msg=audit(1397725262.301:37157): op="remove rule" dir="/fs/sozan/loc64-u12" key="pkg-l" list=4 res=1
>> time->Thu Apr 17 10:01:02 2014
>> type=CONFIG_CHANGE msg=audit(1397725262.301:37156): op="remove rule" dir="/fs/sozan/loc32-el5" key="pkg-l" list=4 res=1

> [ ... ] device and inode information. This is, technically,
> what your watch is on. If the inode disappears, then the rule
> is ejected. Rules can survive across renames but not
> deletions.

> I don't know what is managing your system, but it's probably
> deleting paths.

I am the sole user (as far as I know...) of both systems, and I am
pretty sure I was asleep at least at some of the reported times, and
I can't imagine any of the system scripts deleting and recreating
'/boot' and '/opt', for example.

Also I checked the 'm' times of '/' and '/fs/sozan' and they are a
few weeks old. None of the "disappeared" paths seems to have been
modified in any way.

BTW this has happened also on a far smaller scale on a Debian
7/Wheezy system. Again a system where I am the sysadm and only user,
and it seems roughly at the same time as a treewalk.

The vague impression I have in both cases is that there is some
reason why under high load 'audit' just loses or deletes watches.
Note that this was not under high _logging_ load, because the
watches for '/opt' and '/boot' are to log in case of writing or
attribute changes, and the treewalk is entirely (on one side)
read-only. Indeed I see not even a trace of logging about those
accesses.

Anyhow, I have now recorded the inos of the watched directories, and
I shall also run 'inotifywait -m /' to catch if possible any changes
in '/opt' and '/boot'.
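As an added example, not part of this thread or of the audit tooling itself, the following Python script does the check the message describes: it parses ausearch-style CONFIG_CHANGE records like the ones quoted above, lists the directory watches that were ejected ("remove rule" with a dir= field), and compares the inode number recorded earlier for each watched directory against its current one. A changed inode means the path was deleted and recreated, which is the case the quoted reply describes; an unchanged inode means the watch vanished while the directory stayed put. The sample records are the lines quoted in this message; the baseline dictionary and the pluggable inode-lookup function are assumptions of the example.

```python
import os
import re
from typing import Callable, Dict, List, Optional

# Sample ausearch output as quoted in the thread; each record is preceded by
# a "time->" header line. Used here as constructed test input.
SAMPLE_LOG = """\
time->Thu Apr 17 07:58:44 2014
type=CONFIG_CHANGE msg=audit(1397717924.255:37148): op="remove rule" dir="/boot" key="pkg-s" list=4 res=1
time->Thu Apr 17 07:59:04 2014
type=CONFIG_CHANGE msg=audit(1397717944.762:37151): op="remove rule" dir="/opt" key="pkg-s" list=4 res=1
time->Thu Apr 17 10:01:02 2014
type=CONFIG_CHANGE msg=audit(1397725262.301:37157): op="remove rule" dir="/fs/sozan/loc64-u12" key="pkg-l" list=4 res=1
time->Thu Apr 17 10:01:02 2014
type=CONFIG_CHANGE msg=audit(1397725262.301:37156): op="remove rule" dir="/fs/sozan/loc32-el5" key="pkg-l" list=4 res=1
"""

# type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): <fields...>
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$')
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse audit records into dicts, attaching the preceding 'time->' line as 'time'."""
    records: List[Dict[str, str]] = []
    pending_time: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('time->'):
            pending_time = line[len('time->'):]
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        rec = {'type': m.group(1), 'epoch': m.group(2),
               'serial': m.group(4), 'time': pending_time or ''}
        for key, quoted, bare in FIELD_RE.findall(m.group(5)):
            rec[key] = quoted if quoted else bare
        records.append(rec)
        pending_time = None
    return records


def removed_watches(records: List[Dict[str, str]]):
    """Return (dir, key, time) for every ejected directory watch."""
    return [(r['dir'], r.get('key', ''), r['time'])
            for r in records
            if r['type'] == 'CONFIG_CHANGE'
            and r.get('op') == 'remove rule' and 'dir' in r]


def classify_removals(records: List[Dict[str, str]],
                      baseline: Dict[str, int],
                      inode_of: Callable[[str], Optional[int]]):
    """Compare the recorded inode of each ejected watch path with its current inode.

    baseline: {path: inode} recorded while the rules were still loaded (assumed input).
    inode_of: lookup returning the current inode, or None if the path is gone.
    """
    result = {}
    for path, key, when in removed_watches(records):
        before = baseline.get(path)
        now = inode_of(path)
        if before is None:
            verdict = 'no-baseline'        # nothing recorded for this path
        elif now is None:
            verdict = 'path-missing'       # deleted and not recreated
        elif now != before:
            verdict = 'inode-changed'      # deleted and recreated: watch lost as designed
        else:
            verdict = 'inode-unchanged'    # watch vanished although the inode survived
        result[path] = {'key': key, 'time': when, 'before': before,
                        'now': now, 'verdict': verdict}
    return result


def stat_inode(path: str) -> Optional[int]:
    """Current inode number of path, or None if it cannot be stat'ed."""
    try:
        return os.stat(path).st_ino
    except OSError:
        return None


def record_baseline(paths) -> Dict[str, int]:
    """Snapshot {path: inode} for the watched directories (run while rules are loaded)."""
    return {p: ino for p in paths if (ino := stat_inode(p)) is not None}


if __name__ == '__main__':
    recs = parse_records(SAMPLE_LOG)
    paths = [d for d, _, _ in removed_watches(recs)]
    # In practice the baseline is saved to a file beforehand; here it is taken
    # from the running system so the script can be tried as-is.
    baseline = record_baseline(paths)
    for path, info in classify_removals(recs, baseline, stat_inode).items():
        print(f"{info['time']}  {path}  key={info['key']}  "
              f"before={info['before']} now={info['now']}  {info['verdict']}")
```

Feed it the output of `ausearch -m CONFIG_CHANGE` instead of SAMPLE_LOG, with the baseline written out before the next treewalk, and the verdict column says directly whether each ejected watch coincided with an inode change.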