From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: RHEL-7 and implementing audit rules
Date: Tue, 23 Aug 2016 13:53:21 -0400
Message-ID: <2941464.ud2fYuFsZp@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, August 23, 2016 1:32:48 PM EDT warron.french wrote:
> In RHEL-6, audit rules were added directly to */etc/audit/audit.rules*, but
> it seems that it is a requirement in RHEL-7 to be placed directly in a file
> (any file?) within
>
> */etc/audit/rules.d/.*

Well, to be honest, you can do that on RHEL6, too. And on RHEL7 you can go
back to the old method. Just copy /lib/systemd/system/auditd.service to
/etc/systemd/system/ and edit the file to comment out augenrules and
uncomment auditctl. On RHEL7 the default config is changed so that it's more
"enterprisey". There is also a README-rules file that gives some tips on
using this new rules.d directory.

> I discovered this by doing some man-page reading of the audit.rules file
> after my RHEL-6-variant understanding was turned on its ear. So, I created
> an */etc/audit/rules.d/audit.rules* and added my rules in there.
>
> I ensured that I set "-e 1" because the value wasn't already set. I added
> a watch rule (-w) and it at first didn't take effect; so then realized,
> "*this is RHEL-7, I have to use **systemctl* to restart services."

Actually, auditd is the one thing that cannot use systemd because of dbus
activation. So, the service command is still what you have to use.

> That also didn't work. I tested with auditctl -l and looked for my new
> rules (only 2 of them); so a reboot was committed for something else by a
> coworker, and then the *auditctl -l* command actually did display updated
> rules. This is very confusing, but I thought nothing more about it,
> figuring it is a flaw somewhere.
>
> Anyway, today I added an action rule (-a/Syscall Rule) and it too has not
> taken effect; not after a *service auditd restart*, not after a *systemctl
> restart auditd.service*, just nothing. I also recently read in a community
> post, today, that systemctl doesn't handle the restart of auditd very well
> (the comment came from you, Mr. Grubb).
>
> I cannot reboot the server yet, and quite frankly I don't want to be forced
> to reboot the server every time I add a rule - it's a lab, not production.

Run augenrules --load; you can test prior with augenrules --check.

> Can someone please tell me what I am doing so wrong, with respect to
> handling audit configurations on a RHEL-7 system, and tell me how to work
> the processes correctly?

I don't know if there is a problem with systemd not honoring the
ExecStartPost action on a restart, but that kind of sounds like what's
happening.

-Steve
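The workflow Steve describes, as an added example that is not part of this thread and not code from the audit project: stage rule files under rules.d, merge them the way augenrules does, and confirm afterwards, by key, that each staged rule is actually active in the kernel rather than assuming a restart loaded it. The merge order used by compose_rules (-D first, then -b, then watches and syscall rules, -e last) is an assumption about augenrules; compare it with /sbin/augenrules on your host before relying on it. The live check (check_live) needs root and a RHEL-7 host; the demo runs offline on constructed files and a constructed `auditctl -l` listing in which one staged rule never took effect, as in the report above.

```shell
#!/bin/sh
# Added example, not code from the thread or from the audit project.
# compose_rules models the augenrules merge; its ordering is an assumption.

# compose_rules DIR
# Merge DIR/*.rules in lexical filename order (the shell glob is sorted),
# dropping comments and blank lines, and emit them in load order.
compose_rules() {
    _body=$(cat "$1"/*.rules 2>/dev/null | sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d')
    printf '%s\n' "$_body" | grep -- '^-D' || true        # delete-all first
    printf '%s\n' "$_body" | grep -- '^-b' || true        # backlog sizing next
    printf '%s\n' "$_body" | grep -v -- '^-[Dbe]' || true # watches and syscall rules
    printf '%s\n' "$_body" | grep -- '^-e' || true        # enable/lock flag last
}

# rule_keys FILE
# List the distinct "-k" keys set in a rules file, one per line.
rule_keys() {
    grep -o -- '-k [^ ]*' "$1" | awk '{ print $2 }' | sort -u
}

# missing_keys RULES_FILE LOADED_FILE
# LOADED_FILE holds the output of `auditctl -l`. Print every key from
# RULES_FILE that is absent there; auditctl shows keys as "-k name" or as
# "-F key=name" depending on version, so both forms are accepted.
# Returns 1 if any key is missing, 0 if every key is active.
missing_keys() {
    _rc=0
    for _k in $(rule_keys "$1"); do
        if ! grep -q -E -e "-k $_k( |$)" -e "key=$_k( |$)" "$2"; then
            echo "$_k"
            _rc=1
        fi
    done
    return $_rc
}

# check_live
# On a RHEL-7 host, as root: report whether rules.d differs from the
# merged file, load it (augenrules --load rewrites /etc/audit/audit.rules
# and feeds it to auditctl, which is what the unit's ExecStartPost does),
# then list any key the kernel does not show. Not run by the offline demo.
check_live() {
    augenrules --check
    augenrules --load || return 1
    _loaded=$(mktemp)
    auditctl -l > "$_loaded"
    missing_keys /etc/audit/audit.rules "$_loaded"
    _rc=$?
    rm -f "$_loaded"
    return $_rc
}

# demo: constructed rules.d plus a constructed `auditctl -l` listing in
# which only the watch rule is active, so the syscall rule's key is reported.
demo() {
    _tmp=$(mktemp -d)
    mkdir "$_tmp/rules.d"
    printf '%s\n' '-D' '-b 8192' > "$_tmp/rules.d/10-base.rules"
    printf '%s\n' '-a always,exit -F arch=b64 -S execve -k exec' > "$_tmp/rules.d/30-exec.rules"
    printf '%s\n' '# watch password file' '-w /etc/passwd -p wa -k passwd' '-e 1' > "$_tmp/rules.d/50-watch.rules"
    compose_rules "$_tmp/rules.d" > "$_tmp/audit.rules"
    printf '%s\n' '-w /etc/passwd -p wa -k passwd' > "$_tmp/loaded.txt"   # constructed listing
    echo "merged rules:"; cat "$_tmp/audit.rules"
    echo "keys staged but not active:"
    missing_keys "$_tmp/audit.rules" "$_tmp/loaded.txt" || true
    rm -rf "$_tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh check-audit-rules.sh demo` to see the merged order and the key that was never loaded; on a real host, call check_live as root after editing rules.d. Checking by key keeps the comparison independent of how auditctl normalises the rest of the rule text.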