* Why aren't SYSCALLS being logged in CentOS kernel (any ideas?)
From: Robert Evans @ 2007-08-31 15:40 UTC (permalink / raw)
To: linux-audit
Hi,
I'm using CentOS, kernel 2.6.18-8.el5. I've compiled audit-1.5.6-1 and I'm
getting USER_AUTH events (logins, su, etc...) but I'm not seeing any syscall events.
My test audit.rules works fine in RHEL4, Suse10 and Fedora, but doesn't seem to
generate any syscall events in CentOS 5. For testing purposes, I'm using the
following in audit.rules:
# Log execute failures
-a exit,always -S execve -F success!=1 -F exit!=-2 -F exit!=-20 -F exit!=-17 -F exit!=-6
# Log administrative functions
-a exit,always -S reboot -S clock_settime -S settimeofday -S adjtimex -S setdomainname -S sethostname -S reboot -S mount -S umount2
-a exit,always -S swapon -S swapoff -S create_module -S delete_module -S quotactl -F success!=1
# Log Read/Write functions
-a exit,always -S open -S creat -S link -S symlink -S truncate -S ftruncate -S mknod -S rename -F success!=1 -F exit!=-2 -F exit!=-20 -F exit!=-17 -F exit!=-6
# Log file removal failures
-a exit,always -S unlink -S rmdir -F success!=1 -F exit!=-2 -F exit!=-20 -F exit!=-17 -F exit!=-6
# Log file modification failures
-a exit,always -S chmod -S chown -S lchown -S fchmod -S fchown -F success!=1 -F exit!=-2 -F exit!=-20 -F exit!=-17 -F exit!=-6
# Add watches for reboot stuff...
-w /sbin/init -p x -k runlevel
-w /sbin/telinit -p x -k runlevel
-w /sbin/halt -p x -k runlevel
-w /sbin/poweroff -p x -k runlevel
-w /sbin/reboot -p x -k runlevel
-w /sbin/shutdown -p x -k runlevel
Any ideas?
Bob
* Re: Why aren't SYSCALLS being logged in CentOS kernel (any ideas?)
From: Steve Grubb @ 2007-08-31 16:02 UTC (permalink / raw)
To: linux-audit; +Cc: Robert Evans
On Friday 31 August 2007 11:40:07 Robert Evans wrote:
> I'm using CentOS, kernel 2.6.18-8.el5. I've compiled audit-1.5.6-1 and I'm
> getting USER_AUTH events (logins, su, etc...) but I'm not seeing any
> syscall events.
>
> Any ideas?
Offhand, the rules look OK. If you can list them back out with "auditctl -l", that
means that the syscall auditing part of the kernel is compiled in and
partially working. Other than that, I have no idea - I don't use their
kernel.
-Steve
* Re: Why aren't SYSCALLS being logged in CentOS kernel (any ideas?)
From: Robert Evans @ 2007-08-31 17:35 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Hmmm... tried auditctl -l and just got
No rules
Not sure what that means. Since I have /etc/audit.rules in place, does that
indicate the syscall auditing part of the kernel is compiled in?
If it isn't, what do I need to do to compile it in?
Bob
Steve Grubb wrote:
> On Friday 31 August 2007 11:40:07 Robert Evans wrote:
> > I'm using CentOS, kernel 2.6.18-8.el5. I've compiled audit-1.5.6-1 and I'm
> > getting USER_AUTH events (logins, su, etc...) but I'm not seeing any
> > syscall events.
> >
> > Any ideas?
>
> Offhand, the rules look Ok. If you can list them back out "auditctl -l" that
> means that the syscall auditing part of the kernel is compiled in and
> partially working. Other than that, I have no idea - I don't use their
> kernel.
>
> -Steve
>
* Re: Why aren't SYSCALLS being logged in CentOS kernel (any ideas?)
From: Steve Grubb @ 2007-08-31 17:40 UTC (permalink / raw)
To: Robert Evans; +Cc: linux-audit
On Friday 31 August 2007 13:35:22 Robert Evans wrote:
> Hmmm... tried auditctl -l and just got
>
> No rules
OK, that's a start.
> Since I have /etc/audit.rules in place, does that indicate the syscall
> auditing part of the kernel is compiled in?
Well, that file is for user space. But on RHEL5, that file's location has
changed. So maybe that is your problem? It should be:
/etc/audit/audit.rules
But you can load the rules where they are by hand:
auditctl -R /etc/audit.rules
to make sure it's working. See if that doesn't fix your problem.
-Steve
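The check Steve describes, as an added example that is not part of the thread or of the audit package: parse the rules file (rejoining lines a mailer wrapped, as in Bob's post above) and compare it with what the kernel reports as loaded, so an "auditctl -l" answer of "No rules" shows up as every file rule missing. It assumes auditctl -l prints loaded rules in the same "-a/-w" syntax as the file, which is true of later auditd releases and is not guaranteed for the 1.5.6 build discussed here.

```python
import json, shlex

# Constructed sample: two rules from the post, the first one wrapped by the mailer.
SAMPLE_RULES = """\
# Log execute failures
-a exit,always -S execve -F success!=1 -F exit!=-2 -F exit!=-20 -F exit!=-17 -F
exit!=-6
# Add watches for reboot stuff...
-w /sbin/init -p x -k runlevel
"""

SINGLE = {"-w": "watch", "-p": "perms", "-k": "key"}   # one value per rule
MULTI = {"-S": "syscalls", "-F": "filters"}            # may repeat within a rule

def parse_rule(line):
    """Turn one '-a ...' or '-w ...' rule line into a dict of its options."""
    toks = shlex.split(line)
    rule = {"syscalls": [], "filters": []}
    for opt, val in zip(toks[0::2], toks[1::2]):
        if opt == "-a":
            rule["action"] = sorted(val.split(","))  # exit,always == always,exit
        elif opt in MULTI:
            rule[MULTI[opt]].append(val)
        elif opt in SINGLE:
            rule[SINGLE[opt]] = val
    return rule

def parse_rules(text):
    """Parse a rules file. A non-comment line not starting with '-' continues the
    previous rule (mailer wrapping); text before the first rule, such as
    auditctl's 'No rules', is ignored."""
    rules = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):
            rules.append(line)
        elif rules:
            rules[-1] += " " + line
    return [parse_rule(r) for r in rules]

def _canon(rule):
    # Order-independent identity: -S/-F order and duplicate -S entries are ignored.
    norm = dict(rule, syscalls=sorted(set(rule["syscalls"])), filters=sorted(rule["filters"]))
    return json.dumps(norm, sort_keys=True)

def missing_rules(file_text, loaded_text):
    """Rules in the file that are absent from the loaded set (auditctl -l output)."""
    loaded = {_canon(r) for r in parse_rules(loaded_text)}
    return [r for r in parse_rules(file_text) if _canon(r) not in loaded]
```

Feed it the contents of /etc/audit/audit.rules and the captured output of auditctl -l; anything it returns is a rule the kernel is not enforcing, which is exactly the silent failure this thread is about.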
* Re: Why aren't SYSCALLS being logged in CentOS kernel (any ideas?)
From: Robert Evans @ 2007-08-31 17:51 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Steve,
Once again... thank you very much. I did not realize that audit.rules had been
placed in a new location. I moved audit.rules to /etc/audit, restarted auditd
and everything looks like it works fine.
Much thanks again!
Bob
Steve Grubb wrote:
> On Friday 31 August 2007 13:35:22 Robert Evans wrote:
> > Hmmm... tried auditctl -l and just got
> >
> > No rules
>
> OK, that's a start.
>
> > Since I have /etc/audit.rules in place, does that indicate the syscall
> > auditing part of the kernel is compiled in?
>
> Well, that file is for user space. But on RHEL5, that file's location has
> changed. So maybe that is your problem? It should be:
>
> /etc/audit/audit.rules
>
> But you can load the rules where they are by hand:
>
> auditctl -R /etc/audit.rules
>
> to make sure it's working. See if that doesn't fix your problem.
>
> -Steve
>