Linux-audit Archive on lore.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: audit.rules not fully loading into memory according to auditctl -l
Date: Wed, 12 Apr 2017 13:22:37 -0400
Message-ID: <6379049.hvQU6uz606@x2>
In-Reply-To: <CAJdJdQmiE+2DAcD5sH0P1w+n0-PCgUMV-gXUYuPE7P3ieZe4zg@mail.gmail.com>

On Wednesday, April 12, 2017 12:51:03 PM EDT warron.french wrote:
> Hello, I am writing a Puppet Module to deliver updates of audit.rules and
> auditd.conf configurations to RHEL6 and RHEL7 machines.
> 
> The files are laid down correctly for both RHEL6 and RHEL7 within the
> appropriate directories:
> 
>    - RHEL6 = /etc/audit/audit.rules, for
>    - RHEL7 = /etc/audit/rules.d/audit.rules
> 
> Anyway, the results for all RHEL7 machines (client versus Server) are
> perfect.  The audit.rules are all laid down as expected, and after a reboot
> of the system the rules are all 100% in place - just as I need.
> 
> The problem is when they are laid down on RHEL6 clients versus Servers, the
> behaviors are very different.
> 
> For RHEL6 clients I have the following intentions and loaded into memory:
> 
> 118 (-a) Action Rules in audit.rules file   ->  118 Action Rules are loaded into memory (YAY!)
>  15 (-w) Watch Rules in audit.rules file    ->   15 Watch Rules are loaded into memory (YAY!)
> 133 Total Rules in audit.rules files        ->  133 Total Rules into memory (YAY!)
> 
> 
> For RHEL6 Server; however, I have the following results:
> 
> 118 (-a) Action Rules in audit.rules file   ->  105 Action Rules are loaded into memory (FAIL)
>  15 (-w) Watch Rules in audit.rules file    ->    0 Watch Rules are loaded into memory (HUGE FAIL)
> 133 Total Rules in audit.rules files        ->  105 Total Rules into memory (YAY!)
> 
> 
> This is really a big problem for me.  Can someone help?

Was there anything in syslog from auditctl? 

When auditctl runs across a rule with syntax errors, the default action is to 
log it and stop. This way it causes the most noticeable thing to happen. 
However, some people don't like this behavior so they pass a '-c' option near 
the beginning of the rules. This causes it to keep processing but ultimately 
return an error at exit. Some people didn't like that auditctl returned an 
error, so the '-i' option was created for people that can't be bothered with 
failure even in the face of failure.

Check for a syntax error in the rules. It should be in syslog.

-Steve
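An added example, not part of the thread: a small shell check that counts -a and -w rules in a rules file the way the poster did, flags the first line whose leading flag auditctl would not accept, and reports whether -c or -i is set. In default (stop) mode the "rules before first bad line" figure is what `auditctl -l` would show, so a mismatch like 118 versus 105 points at where to look in syslog. The sample rules file is constructed; it is not the poster's real 133-rule file.

```shell
#!/bin/sh
# Prints one line per rules file:
#   <-a rules> <-w rules> <rules before first bad line> <bad line no|none> <mode>
# Limitation: only the leading flag of each line is checked. A bad field inside
# an otherwise well-formed -a/-w rule (unknown syscall name, bad path) is only
# caught by auditctl itself, which logs it to syslog.
audit_rules_check() {
  awk '
    BEGIN { a = 0; w = 0; bad = 0; before = 0; mode = "stop" }
    /^[ \t]*(#|$)/ { next }                 # blank lines and comments
    $1 == "-c" { mode = "continue"; next }  # keep loading, non-zero exit at end
    $1 == "-i" { mode = "ignore"; next }    # keep loading, errors ignored
    $1 == "-a" || $1 == "-A" { a++; if (!bad) before++; next }
    $1 == "-w" { w++; if (!bad) before++; next }
    $1 ~ /^-[DbfeRr]$/ { next }             # control options auditctl accepts
    $1 ~ /^--(backlog_wait_time|loginuid-immutable)$/ { next }
    { if (!bad) bad = NR }                  # first unrecognised leading flag
    END { print a, w, before, (bad ? bad : "none"), mode }
  ' "$@"
}

# Constructed sample rules file; "--a" on line 7 is a deliberate typo
make_sample_rules() {
  cat <<'EOF'
-D
-b 8192
-a always,exit -F arch=b64 -S execve -k exec
-w /etc/passwd -p wa -k identity
# comment line
-a always,exit -F arch=b64 -S open -k files
--a always,exit -F arch=b64 -S chmod -k perm
-w /etc/shadow -p wa -k identity
EOF
}

# Reads stdin when no file is given; pass a path to check a real file.
make_sample_rules | audit_rules_check
```

Compare the third field with the rule count from `auditctl -l`: if they match, the load stopped at the reported line; if the file has -c or -i, the count alone will not tell you which rule was rejected and syslog is the place to look.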
