From: pg@aud.list.sabi.co.UK (Peter Grandi)
To: Linux audit
List-Id: linux-audit@redhat.com
Subject: peculiar disappearance of most audit rules
Date: Mon, 21 Apr 2014 18:49:24 +0100

Hi, I have started using 'auditd', mostly to monitor various directories where packages get installed to check for changes in their contents, with rules like:

-w /bin -p wa -k pkg-s
-w /boot -p wa -k pkg-s
-w /etc -p wa -k pkg-s
-w /lib -p wa -k pkg-s
-w /lib32 -p wa -k pkg-s
-w /lib64 -p wa -k pkg-s
-w /opt -p wa -k pkg-s
-w /usr -p wa -k pkg-s
-w /fs/sozan/loc -p wa -k pkg-l
-w /fs/sozan/loc32-el5 -p wa -k pkg-l
-w /fs/sozan/loc64-u12 -p wa -k pkg-l
-w /fs/sozan/com -p wa -k pkg-l
-w /fs/sozan/com32-el5 -p wa -k pkg-l
-w /fs/sozan/com64-u12 -p wa -k pkg-l

After setting them, I can verify that for example creating, updating and deleting a file in '/boot' or '/opt' gets reported.
What then happens is that even if I set 'auditctl -e 2' some of the rules disappear, usually at around the same time as 'cron.daily' scripts run, and some more disappear later. This usually seems to relate to times where there is some significant IO activity ('mlocate' scan, backup), but this is a guess. For example:

time->Thu Apr 17 07:58:44 2014
type=CONFIG_CHANGE msg=audit(1397717924.255:37148): op="remove rule" dir="/boot" key="pkg-s" list=4 res=1

time->Thu Apr 17 07:59:04 2014
type=CONFIG_CHANGE msg=audit(1397717944.762:37151): op="remove rule" dir="/opt" key="pkg-s" list=4 res=1

time->Thu Apr 17 10:01:02 2014
type=CONFIG_CHANGE msg=audit(1397725262.301:37157): op="remove rule" dir="/fs/sozan/loc64-u12" key="pkg-l" list=4 res=1

time->Thu Apr 17 10:01:02 2014
type=CONFIG_CHANGE msg=audit(1397725262.301:37156): op="remove rule" dir="/fs/sozan/loc32-el5" key="pkg-l" list=4 res=1

There is no equivalent line in 'dmesg'. I understand that the 'audit' kernel modules may remove rules if they refer to invalid paths, but all the relevant directories do exist, as for example '/boot' and '/opt' are the standard usual directories in the "root" tree itself:

$ ls -ldn /boot /opt /fs/sozan/loc64-u12 /fs/sozan/loc32-el5
drwxr-xr-x 3 0 0 4096 Apr 21 07:22 /boot
drwxrwsr-x 7 1 1   61 Jul 30  2011 /fs/sozan/loc32-el5
drwxrwsr-x 5 1 1   39 Oct  4  2011 /fs/sozan/loc64-u12
drwxr-xr-x 7 0 0 4096 Apr 20 14:52 /opt

$ df /boot/. /opt/. /fs/sozan/loc64-u12/. /fs/sozan/loc32-el5/.
Filesystem  1M-blocks   Used  Available  Use%  Mounted on
/dev/sda3       24815  16853       4106   81%  /
/dev/sda3       24815  16853       4106   81%  /
/dev/sda6       90048  82355       7694   92%  /fs/sozan
/dev/sda6       90048  82355       7694   92%  /fs/sozan

This is happening on two similarly configured Ubuntu 12.04 systems with both 3.2 and 3.11 Ubuntu "official" kernels. I also have an AppArmor configuration which seems to trigger bugs in AppArmor, but all the relative profiles are essentially unchanged. Eventually almost all of the rules I have set "disappear".
For example, of all these rules:

LIST_RULES: exit,always dir=/fs/sozan/search (0x10) perm=r key=pkg-r
LIST_RULES: exit,always dir=/fs/sozan/mlocate (0x11) perm=r key=pkg-r
....
LIST_RULES: exit,always dir=/bin (0x4) perm=wa key=pkg-s
LIST_RULES: exit,always dir=/boot (0x5) perm=wa key=pkg-s
LIST_RULES: exit,always dir=/etc (0x4) perm=wa key=pkg-s
LIST_RULES: exit,always dir=/lib (0x4) perm=wa key=pkg-s
LIST_RULES: exit,always dir=/lib32 (0x6) perm=wa key=pkg-s
LIST_RULES: exit,always dir=/lib64 (0x6) perm=wa key=pkg-s
LIST_RULES: exit,always dir=/opt (0x4) perm=wa key=pkg-s
LIST_RULES: exit,always dir=/usr (0x4) perm=wa key=pkg-s
LIST_RULES: exit,always dir=/fs/sozan/loc (0xd) perm=wa key=pkg-l
LIST_RULES: exit,always dir=/fs/sozan/loc32-el5 (0x13) perm=wa key=pkg-l
LIST_RULES: exit,always dir=/fs/sozan/loc64-u12 (0x13) perm=wa key=pkg-l
LIST_RULES: exit,always dir=/fs/sozan/com (0xd) perm=wa key=pkg-l
LIST_RULES: exit,always dir=/fs/sozan/com32-el5 (0x13) perm=wa key=pkg-l
LIST_RULES: exit,always dir=/fs/sozan/com64-u12 (0x13) perm=wa key=pkg-l

Only the first two have not "disappeared" on one of the systems. This is rather peculiar, please let me know if it is a configuration error or an issue, and any fixes or workaround if available (other than running 'auditctl -R /etc/audit/audit.rules' every few minutes via CRON).