Bug 1396737

Summary: watch rule for directory has no effect
Product: [Fedora] Fedora
Reporter: Frank Ansari <mail>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 25
CC: sgrubb
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-30 19:37:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Frank Ansari 2016-11-19 14:05:53 UTC
Description of problem:
-a exit,always -F dir=/etc/ -F perm=wa -F key=etc_change

This rule has no effect on my system. I can add or change files or directories and do not see any logs in /var/log/audit/audit.log.

"aureport -k" shows no new line for key "etc_change".

Version-Release number of selected component (if applicable):
2.6.7

How reproducible:
Edit a file in /etc and check for new entries in audit.log.

Steps to Reproduce:
1.
2.
3.

Actual results:
no lines

Expected results:
Changing files in /etc should bring some output in audit.log

Here is the documentation:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Defining_Audit_Rules_and_Controls.html

I also tested the example from this documentation:

auditctl -w /etc/selinux/ -p wa -k selinux_changes

and it did not work.

Additional info:
-a exit,always -F path=/etc/bla -F perm=wa -F key=test_change

This example (monitoring a simple file) is working. Whenever I edit the file /etc/bla I find two new lines in audit.log. When I create or remove it I have one new line.

Comment 1 Steve Grubb 2016-11-19 15:45:59 UTC
Here's what I did to check:

auditctl -a exit,always -F dir=/etc -F perm=wa -F key=dir-test
vi /etc/ssh/sshd_config
deleted a comment and saved
ausearch --start recent -k dir --raw | aureport --file --summary

File Summary Report
===========================
total  file
===========================
13  /etc/ssh/
5  /etc/ssh/.sshd_config.swp
5  /etc/ssh/sshd_config
2  /etc/ssh/.sshd_config.swpx
2  /etc/ssh/4913
2  /etc/ssh/sshd_config~
1  (null)

It seems to be working. I also did the following:

# touch /etc/test
# ausearch --start recent -k dir --raw | aureport --file --summary

File Summary Report
===========================
total  file
===========================
1  /etc/
1  /etc/test

# uname -r
4.8.7-200.fc24.x86_64

Try to delete all your rules and then manually enter just the one rule and retest. I suspect it's something in the other rules blocking it.

Comment 2 Frank Ansari 2016-11-19 21:27:54 UTC
Ok - I think I got it. I always had this rule active:

# This suppresses syscall auditing for all tasks started
# with this rule in effect.  Remove it if you need syscall
# auditing.
-a task,never

After the removal of this rule it is working.

Only thing I don't understand is why it works for a single file even with the above rule active.

Comment 3 Steve Grubb 2016-11-30 19:37:27 UTC
I suspect it has to do with some tasks having an audit flag in the task struct and some not. Everything run before auditd starts does not get the flag and cannot be audited. The solution is to add audit=1 to the kernel boot prompt.

I'm going to close the bz as there is nothing actionable on my end.
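A small configuration check, added here as an example and not part of the bug report or the audit package, that flags the two causes discussed in comments 2 and 3: an active `-a task,never` rule ahead of directory rules, and a kernel booted without `audit=1`. The rules file content and the function names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report). Flags the two causes discussed in
# the thread: an active "-a task,never" rule, and a kernel booted without
# audit=1. File names and sample rule text below are constructed.

# Return 0 if the rules file contains an active "-a task,never" rule.
has_task_never() {
    grep -Eq '^[[:space:]]*-a[[:space:]]+(task,never|never,task)([[:space:]]|$)' "$1"
}

# Print the key of every directory rule (-F dir= or -w) in the rules file;
# these are the rule forms the reporter saw produce no events.
list_dir_rule_keys() {
    grep -E '^[[:space:]]*-(a|w)[[:space:]]' "$1" |
    grep -E -- '-F[[:space:]]+dir=|^[[:space:]]*-w[[:space:]]' |
    sed -n -E 's/.*(-F[[:space:]]+key=|-k[[:space:]]+)([^[:space:]]+).*/\2/p'
}

# Return 0 if the kernel command line (e.g. from /proc/cmdline) has audit=1.
cmdline_has_audit() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'audit=1'
}

# Verdict: 0 = nothing found, 1 = task,never present, 2 = audit=1 missing.
check_rules() {
    has_task_never "$1" && return 1
    cmdline_has_audit "$2" || return 2
    return 0
}

# Constructed sample reproducing the reporter's configuration.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
-a task,never
-a exit,always -F dir=/etc/ -F perm=wa -F key=etc_change
-a exit,always -F path=/etc/bla -F perm=wa -F key=test_change
-w /etc/selinux/ -p wa -k selinux_changes
EOF

if has_task_never "$RULES"; then
    echo "warning: '-a task,never' is active; these dir rules will not record events:"
    list_dir_rule_keys "$RULES" | sed 's/^/  key=/'
fi
if [ -r /proc/cmdline ] && ! cmdline_has_audit "$(cat /proc/cmdline)"; then
    echo "note: kernel not booted with audit=1; tasks started before auditd cannot be audited"
fi
rm -f "$RULES"
```

Point the functions at /etc/audit/audit.rules (or the files under /etc/audit/rules.d/) and `/proc/cmdline` on a real host to reproduce the check from the thread.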