* RHEL-7 and implementing audit rules
@ 2016-08-23 17:32 warron.french
2016-08-23 17:53 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: warron.french @ 2016-08-23 17:32 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 1885 bytes --]
Hi, I am back again.
I have some experience and a great deal more comfort with the Linux Audit
configurations nowadays. I learned an aweful lot by working with CentOS-6;
however, this question is focused purely on RHEL-7.
In RHEL-6, audit rules were added directly to */etc/audit/audit.rules*, but
it seems that it is a requirement in RHEL-7 to be placed directly in a file
(any file?) within
*/etc/audit/rules.d/.*
I discovered this by doing some man-page reading of the audit.rules file
after my RHEL-6-variant understanding was turned on its ear. So, I created
an */etc/audit/rules.d/audit.rules* and added my rules in there.
I ensured that I set "-e 1" because the value wasn't already set. I added
a watch rules (-w) and it at first didn't take effect; so then realized, "*this
is RHEL-7, I have to use **systemctl* to restart services."
That also didn't work. I tested with auditctl -l and looked for my new
rules (only 2 of them); so a reboot was committed for something else by a
coworker, and then the *auditctl -l* command actually did display updated
rules. This is very confusing, but I thought nothing more about it,
figuring it is a flaw somewhere.
Anyway, today I added an action rule (-a/Syscall Rule) and it too has not
taken effect; not after a *service auditd restart*, not after a *systemctl
restart auditd.service*, just nothing. I also recently read in a community
post, today, that systemctl doesn't handle the restart of auditd very well
(the comment came from you Mr. Grubb).
I cannot reboot the server yet, and quite frankly I don't want to be forced
to reboot the server everytime I add a rule - it's a lab, not production.
Can someone please tell me what I am doing so wrong, with respect to
handling audit configurations on a RHEL-7 system, and tell me how to work
the processes correctly?
Thanks,
--------------------------
Warron French
[-- Attachment #1.2: Type: text/html, Size: 2792 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: RHEL-7 and implementing audit rules
2016-08-23 17:32 RHEL-7 and implementing audit rules warron.french
@ 2016-08-23 17:53 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2016-08-23 17:53 UTC (permalink / raw)
To: linux-audit
On Tuesday, August 23, 2016 1:32:48 PM EDT warron.french wrote:
> In RHEL-6, audit rules were added directly to */etc/audit/audit.rules*, but
> it seems that it is a requirement in RHEL-7 to be placed directly in a file
> (any file?) within
>
> */etc/audit/rules.d/.*
Well, to be honest, you can do that on RHEL6, too. And on RHEL7 you can go
back to the old method. Just copy
/lib/systemd/system/auditd.service to /etc/systemd/system/ and edit the file to
comment out augenrules and uncomment auditctl. On RHEL7 the default config is
changed so that its more "enterprisey". There is also a README-rules file that
gives some tips on using this new rules.d directory.
> I discovered this by doing some man-page reading of the audit.rules file
> after my RHEL-6-variant understanding was turned on its ear. So, I created
> an */etc/audit/rules.d/audit.rules* and added my rules in there.
>
> I ensured that I set "-e 1" because the value wasn't already set. I added
> a watch rules (-w) and it at first didn't take effect; so then realized,
> "*this is RHEL-7, I have to use **systemctl* to restart services."
Actually, auditd is the one thing that cannot use systemd because of dbus
activation. So, the service command is still what you have to use.
> That also didn't work. I tested with auditctl -l and looked for my new
> rules (only 2 of them); so a reboot was committed for something else by a
> coworker, and then the *auditctl -l* command actually did display updated
> rules. This is very confusing, but I thought nothing more about it,
> figuring it is a flaw somewhere.
>
> Anyway, today I added an action rule (-a/Syscall Rule) and it too has not
> taken effect; not after a *service auditd restart*, not after a *systemctl
> restart auditd.service*, just nothing. I also recently read in a community
> post, today, that systemctl doesn't handle the restart of auditd very well
> (the comment came from you Mr. Grubb).
>
> I cannot reboot the server yet, and quite frankly I don't want to be forced
> to reboot the server everytime I add a rule - it's a lab, not production.
Run augenrules --load, you can test prior with augenrules --check
> Can someone please tell me what I am doing so wrong, with respect to
> handling audit configurations on a RHEL-7 system, and tell me how to work
> the processes correctly?
I don't know if there is a problem with systemd not honoring the ExecStartPost
action on a restart, but that kind of sounds like what's happening.
-Steve
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-08-23 17:53 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-08-23 17:32 RHEL-7 and implementing audit rules warron.french
2016-08-23 17:53 ` Steve Grubb
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.