From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: RHEL-7 and implementing audit rules
Date: Tue, 23 Aug 2016 13:53:21 -0400
Message-ID: <2941464.ud2fYuFsZp@x2>
In-Reply-To: <CAJdJdQk04ctomn=KM1nhH6dm88yjHbnUXEz_c_h3fbkRineZHw@mail.gmail.com>
On Tuesday, August 23, 2016 1:32:48 PM EDT warron.french wrote:
> In RHEL-6, audit rules were added directly to */etc/audit/audit.rules*, but
> it seems that it is a requirement in RHEL-7 to be placed directly in a file
> (any file?) within
>
> */etc/audit/rules.d/.*
Well, to be honest, you can do that on RHEL6, too. And on RHEL7 you can go
back to the old method. Just copy
/lib/systemd/system/auditd.service to /etc/systemd/system/ and edit the file to
comment out augenrules and uncomment auditctl. On RHEL7 the default config is
changed so that it's more "enterprisey". There is also a README-rules file that
gives some tips on using this new rules.d directory.
> I discovered this by doing some man-page reading of the audit.rules file
> after my RHEL-6-variant understanding was turned on its ear. So, I created
> an */etc/audit/rules.d/audit.rules* and added my rules in there.
>
> I ensured that I set "-e 1" because the value wasn't already set. I added
> a watch rules (-w) and it at first didn't take effect; so then realized,
> "*this is RHEL-7, I have to use **systemctl* to restart services."
Actually, auditd is the one thing that cannot use systemd because of dbus
activation. So, the service command is still what you have to use.
> That also didn't work. I tested with auditctl -l and looked for my new
> rules (only 2 of them); so a reboot was committed for something else by a
> coworker, and then the *auditctl -l* command actually did display updated
> rules. This is very confusing, but I thought nothing more about it,
> figuring it is a flaw somewhere.
>
> Anyway, today I added an action rule (-a/Syscall Rule) and it too has not
> taken effect; not after a *service auditd restart*, not after a *systemctl
> restart auditd.service*, just nothing. I also recently read in a community
> post, today, that systemctl doesn't handle the restart of auditd very well
> (the comment came from you Mr. Grubb).
>
> I cannot reboot the server yet, and quite frankly I don't want to be forced
> to reboot the server every time I add a rule - it's a lab, not production.
Run augenrules --load; you can test prior with augenrules --check.
> Can someone please tell me what I am doing so wrong, with respect to
> handling audit configurations on a RHEL-7 system, and tell me how to work
> the processes correctly?
I don't know if there is a problem with systemd not honoring the ExecStartPost
action on a restart, but that kind of sounds like what's happening.
-Steve
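As an added example (not part of the thread, and not the audit project's own code), the script below stages a throwaway rules.d directory with constructed rule files, merges them the way one would expect /etc/audit/rules.d/*.rules to be combined (lexical file order, -D lines first, -e lines last; that ordering is my assumption, not augenrules' documented algorithm), flags any line that does not begin with an auditctl option, and only then hands off to the real `augenrules --check` / `augenrules --load` / `auditctl -l` sequence when augenrules is installed. A typo in a rule file is one common reason `auditctl -l` never shows the new rule, so the pre-check runs before anything touches the live system.

```shell
#!/bin/sh
# Added example, not from the thread or the audit project. The merge order and
# the per-line check are a local approximation; `augenrules --check` on the
# real host is the authoritative test.

# stage_example_rules: create a temp directory of constructed rule files and
# print its path. File contents are sample data, not a recommended policy.
stage_example_rules() {
    stage_dir=$(mktemp -d)
    # 10-*: housekeeping that must run first (flush old rules, size the buffer)
    printf '%s\n' '# flush existing rules' '-D' '-b 8192' > "$stage_dir/10-base.rules"
    # 50-*: one watch (-w) rule and one syscall (-a) rule, as in the thread
    printf '%s\n' '-w /etc/audit/ -p wa -k auditconfig' \
        '-a always,exit -F arch=b64 -S execve -k exec' > "$stage_dir/50-rules.rules"
    # 99-*: enable auditing last; note -e 2 would lock the config until reboot
    printf '%s\n' '' '-e 1' > "$stage_dir/99-finalize.rules"
    printf '%s\n' "$stage_dir"
}

# merge_rules DIR: print the combined rule set from DIR/*.rules in lexical
# order. Comments and blank lines are dropped; -D (delete all) lines are
# hoisted to the top and -e lines sunk to the bottom so enabling happens
# after the rules are loaded. (Assumed ordering, see the comment above.)
merge_rules() {
    body=$(cat "$1"/*.rules | sed -e 's/^[[:space:]]*//' | grep -v -e '^#' -e '^$' || true)
    printf '%s\n' "$body" | grep '^-D' || true
    printf '%s\n' "$body" | grep -v -e '^-D' -e '^-e' -e '^$' || true
    printf '%s\n' "$body" | grep '^-e' || true
}

# invalid_rule_lines DIR: print merged lines that do not start with a known
# auditctl option. Empty output means the set passed the local check.
invalid_rule_lines() {
    merge_rules "$1" | grep -v -E \
        '^(-a|-A|-w|-W|-d|-D|-b|-f|-e|-r|-c|-i|--loginuid-immutable|--backlog_wait_time)( |$)' \
        || true
}

# reload_audit_rules: the sequence from the thread, guarded so it is a no-op
# (status 2) on hosts without augenrules. Needs root on a real system.
reload_audit_rules() {
    command -v augenrules >/dev/null 2>&1 || return 2
    augenrules --check   # reports whether rules.d differs from audit.rules
    augenrules --load    # merge rules.d into audit.rules and load it
    auditctl -l          # confirm what the kernel actually holds
}

demo() {
    demo_dir=$(stage_example_rules)
    echo "merged rule set (constructed sample):"
    merge_rules "$demo_dir"
    echo "lines that are not auditctl options (none expected):"
    invalid_rule_lines "$demo_dir"
    rm -rf "$demo_dir"
    if reload_audit_rules; then
        echo "live rules reloaded"
    else
        echo "augenrules not run on this host"
    fi
}
demo
```

Run it as an unprivileged user to see the merge and the check; on a RHEL-7 host with augenrules present, `reload_audit_rules` performs the actual load and `auditctl -l` shows whether the kernel accepted the rules, which is the confirmation the original poster was missing.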