* RHEL-7 and implementing audit rules
From: warron.french @ 2016-08-23 17:32 UTC (permalink / raw)
  To: linux-audit

Hi, I am back again.

I have some experience and a great deal more comfort with the Linux Audit
configurations nowadays.  I learned an awful lot by working with CentOS-6;
however, this question is focused purely on RHEL-7.

In RHEL-6, audit rules were added directly to /etc/audit/audit.rules, but
it seems that it is a requirement in RHEL-7 to place them directly in a file
(any file?) within /etc/audit/rules.d/.

I discovered this by doing some man-page reading of the audit.rules file
after my RHEL-6-variant understanding was turned on its ear.  So, I created
an /etc/audit/rules.d/audit.rules and added my rules in there.

I ensured that I set "-e 1" because the value wasn't already set.  I added
a watch rule (-w) and at first it didn't take effect; so then I realized, "this
is RHEL-7, I have to use systemctl to restart services."

That also didn't work.  I tested with auditctl -l and looked for my new
rules (only 2 of them); then a reboot was committed for something else by a
coworker, and after that the auditctl -l command actually did display the updated
rules.  This is very confusing, but I thought nothing more about it,
figuring it is a flaw somewhere.

Anyway, today I added an action rule (-a/syscall rule) and it too has not
taken effect; not after a service auditd restart, not after a systemctl
restart auditd.service, just nothing.  I also read in a community
post today that systemctl doesn't handle the restart of auditd very well
(the comment came from you, Mr. Grubb).

I cannot reboot the server yet, and quite frankly I don't want to be forced
to reboot the server every time I add a rule - it's a lab, not production.

Can someone please tell me what I am doing so wrong, with respect to
handling audit configurations on a RHEL-7 system, and tell me how to work
the processes correctly?

Thanks,


--------------------------
Warron French

* Re: RHEL-7 and implementing audit rules
From: Steve Grubb @ 2016-08-23 17:53 UTC (permalink / raw)
  To: linux-audit

On Tuesday, August 23, 2016 1:32:48 PM EDT warron.french wrote:
> In RHEL-6, audit rules were added directly to */etc/audit/audit.rules*, but
> it seems that it is a requirement in RHEL-7 to be placed directly in a file
> (any file?) within
> 
> */etc/audit/rules.d/.*

Well, to be honest, you can do that on RHEL6, too. And on RHEL7 you can go 
back to the old method. Just copy
/lib/systemd/system/auditd.service to /etc/systemd/system/ and edit the file to 
comment out augenrules and uncomment auditctl. On RHEL7 the default config is 
changed so that it's more "enterprisey". There is also a README-rules file that 
gives some tips on using this new rules.d directory.


> I discovered this by doing some man-page reading of the audit.rules file
> after my RHEL-6-variant understanding was turned on its ear.  So, I created
> an */etc/audit/rules.d/audit.rules* and added my rules in there.
> 
> I ensured that I set "-e 1" because the value wasn't already set.  I added
> a watch rules (-w) and it at first didn't take effect; so then realized,
> "*this is RHEL-7, I have to use **systemctl* to restart services."

Actually, auditd is the one thing that cannot use systemd because of dbus 
activation. So, the service command is still what you have to use.
 
> That also didn't work.  I tested with auditctl -l and looked for my new
> rules (only 2 of them); so a reboot was committed for something else by a
> coworker, and then the *auditctl -l* command actually did display updated
> rules.  This is very confusing, but I thought nothing more about it,
> figuring it is a flaw somewhere.
> 
> Anyway, today I added an action rule (-a/Syscall Rule) and it too has not
> taken effect; not after a *service auditd restart*, not after a *systemctl
> restart auditd.service*, just nothing.  I also recently read in a community
> post, today, that systemctl doesn't handle the restart of auditd very well
> (the comment came from you Mr. Grubb).
> 
> I cannot reboot the server yet, and quite frankly I don't want to be forced
> to reboot the server everytime I add a rule - it's a lab, not production.

Run augenrules --load; you can test beforehand with augenrules --check.

> Can someone please tell me what I am doing so wrong, with respect to
> handling audit configurations on a RHEL-7 system, and tell me how to work
> the processes correctly?

I don't know if there is a problem with systemd not honoring the ExecStartPost 
action on a restart, but that kind of sounds like what's happening.

-Steve
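
The following is an added example for this thread; it is not code from either
message or from the audit project. It models how augenrules assembles
/etc/audit/audit.rules from the component files in /etc/audit/rules.d/, then,
only when the real tools are installed, runs the check/load/verify sequence
Steve recommends. Assumptions to note: the merge order modelled here (-D and -b
first, -f next, ordinary -w/-a rules, -e last) is a simplified reading of the
augenrules script and not a substitute for it; the "enabled N" line is the
audit 2.x format of auditctl -s; the component file names and rule contents are
constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the audit project.
# Models how augenrules assembles /etc/audit/audit.rules from the component
# files in /etc/audit/rules.d/, then (only when the real tools exist) runs
# the check/load/verify sequence from the reply above.

# Simplified model of the augenrules merge (an assumption about the real
# script, which should always be used on a live system): component files
# must end in .rules and are read in sorted order; comments and blank lines
# are dropped; -D (delete all) and -b (buffer size) come first, -f (failure
# mode) next, then every ordinary -w/-a rule, and -e last so the rule set is
# fully loaded before the enabled flag is touched.
merge_rules_d() {
    dir="$1"
    body=$(cat "$dir"/*.rules 2>/dev/null \
           | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$') || true
    for pat in '^-D' '^-b' '^-f'; do
        printf '%s\n' "$body" | grep -- "$pat" || true
    done
    printf '%s\n' "$body" | grep -v -e '^-D' -e '^-b' -e '^-f' -e '^-e' -e '^$' || true
    printf '%s\n' "$body" | grep -- '^-e' || true
}

# Read the "enabled N" line of `auditctl -s` output (passed in as text so it
# can be exercised without root): 0 = off, 1 = on, 2 = on and locked.
# In state 2 the kernel rejects every rule change until the next reboot.
enabled_flag() {
    printf '%s\n' "$1" | awk '$1 == "enabled" { print $2; exit }'
}

# Live sequence for a RHEL-7 host; needs root and the audit package, and is
# skipped on machines without augenrules so the script runs anywhere.
reload_rules() {
    if ! command -v augenrules >/dev/null 2>&1; then
        echo "augenrules not found; skipping live reload" >&2
        return 0
    fi
    if [ "$(enabled_flag "$(auditctl -s)")" = "2" ]; then
        echo "audit config is immutable (-e 2); rules cannot change until reboot" >&2
        return 1
    fi
    augenrules --check   # says whether /etc/audit/audit.rules is out of date
    augenrules --load    # regenerates audit.rules and loads it into the kernel
    auditctl -l          # the kernel's view: the new rules must appear here
}

# Demo on constructed component files in a scratch directory.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-b 8192' '-w /etc/passwd -p wa -k identity' '-e 1' > "$tmp/10-base.rules"
    printf '%s\n' '# exec logging' '-D' '-a always,exit -F arch=b64 -S execve -k exec' > "$tmp/20-exec.rules"
    merge_rules_d "$tmp"
    rm -rf "$tmp"
}

demo
```

On a lab box the part to actually run is reload_rules as root, after editing a
file under /etc/audit/rules.d/; the enabled-flag check is the caveat worth
keeping, because with -e 2 in effect nothing short of a reboot will change the
loaded rules, whatever service or systemctl report. Per Steve's reply, restart
the daemon itself with service auditd restart rather than systemctl.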
