From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: RHEL-7 and implementing audit rules
Date: Tue, 23 Aug 2016 13:53:21 -0400
Message-ID: <2941464.ud2fYuFsZp@x2>
In-Reply-To: <CAJdJdQk04ctomn=KM1nhH6dm88yjHbnUXEz_c_h3fbkRineZHw@mail.gmail.com>
On Tuesday, August 23, 2016 1:32:48 PM EDT warron.french wrote:
> In RHEL-6, audit rules were added directly to */etc/audit/audit.rules*, but
> it seems that it is a requirement in RHEL-7 to be placed directly in a file
> (any file?) within
>
> */etc/audit/rules.d/.*
Well, to be honest, you can do that on RHEL6, too. And on RHEL7 you can go
back to the old method. Just copy
/lib/systemd/system/auditd.service to /etc/systemd/system/ and edit the file to
comment out augenrules and uncomment auditctl. On RHEL7 the default config is
changed so that it's more "enterprisey". There is also a README-rules file that
gives some tips on using this new rules.d directory.
> I discovered this by doing some man-page reading of the audit.rules file
> after my RHEL-6-variant understanding was turned on its ear. So, I created
> an */etc/audit/rules.d/audit.rules* and added my rules in there.
>
> I ensured that I set "-e 1" because the value wasn't already set. I added
> a watch rule (-w) and it at first didn't take effect; so then I realized,
> "*this is RHEL-7, I have to use **systemctl* to restart services."
Actually, auditd is the one thing that cannot use systemd because of dbus
activation. So, the service command is still what you have to use.
> That also didn't work. I tested with auditctl -l and looked for my new
> rules (only 2 of them); so a reboot was committed for something else by a
> coworker, and then the *auditctl -l* command actually did display updated
> rules. This is very confusing, but I thought nothing more about it,
> figuring it is a flaw somewhere.
>
> Anyway, today I added an action rule (-a/Syscall Rule) and it too has not
> taken effect; not after a *service auditd restart*, not after a *systemctl
> restart auditd.service*, just nothing. I also recently read in a community
> post, today, that systemctl doesn't handle the restart of auditd very well
> (the comment came from you Mr. Grubb).
>
> I cannot reboot the server yet, and quite frankly I don't want to be forced
> to reboot the server every time I add a rule - it's a lab, not production.
Run augenrules --load; you can test beforehand with augenrules --check.
> Can someone please tell me what I am doing so wrong, with respect to
> handling audit configurations on a RHEL-7 system, and tell me how to work
> the processes correctly?
I don't know if there is a problem with systemd not honoring the ExecStartPost
action on a restart, but that kind of sounds like what's happening.
-Steve
Thread overview:
2016-08-23 17:32 RHEL-7 and implementing audit rules (warron.french)
2016-08-23 17:53 Re: RHEL-7 and implementing audit rules (Steve Grubb) [this message]