Bug 1419388
| Field | Value |
|---|---|
| Summary | RFE: Stop journald to capture audit logs when audisp is enabled |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Akshay Jain <akjain> |
| Component | systemd |
| Assignee | systemd-maint |
| Status | CLOSED WONTFIX |
| QA Contact | qe-baseos-daemons |
| Severity | medium |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.1 |
| CC | akjain, kwalker, systemd-maint-list |
| Target Milestone | rc |
| Keywords | FutureFeature |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2018-12-11 18:58:42 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1420851 |
Description
Akshay Jain
2017-02-06 02:35:58 UTC
> Upstream has a feature to disable systemd-journald-audit.socket for stopping
> journald to capture audit logs.
>
> systemctl mask systemd-journald-audit.socket
>
> Upstream Bug 1227379

This is not related, journalctl in rhel7 does not read audit messages directly. See https://github.com/lnykryn/systemd-rhel/commit/5dee07f71ccaf8eacd115e01e665c645f7c3a75d

I know nothing about audisp, but from the configuration it looks like you are trying to get audit messages into the syslog, right? If so, those messages are in the journal because journald is the consumer of syslog-style logging. Rsyslog on rhel7 does not get the messages directly, it reads them through journald.

I am currently marking this as CLOSED,WONTFIX. The audisp multiplexer is designed in such a way as to allow it to write to the syslog interface. This is visible in the default configuration below:

```
# cat /etc/audisp/plugins.d/syslog.conf
# This file controls the configuration of the syslog plugin.
# It simply takes events and writes them to syslog. The
# arguments provided can be the default priority that you
# want the events written with. And optionally, you can give
# a second argument indicating the facility that you want events
# logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
# LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.

active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
```

The default state is "active = no", and so audit messages will not be seen in the journal. Users who enable this mechanism in the hopes that the messages will be forwarded to rsyslog, and not the journal, should be aware that the mechanism in which the syslog infrastructure is implemented within RHEL 7 is via:

    /dev/log -> systemd-journald -> rsyslog(imjournal)

By enabling the syslog plugin for audisp, the messages are sent to /dev/log, which is the responsibility of systemd-journald.

The simplest method to achieve picking up audit messages with rsyslog, and not systemd-journald, is to configure an "imfile" plugin for the /var/log/audit/audit.log file. Similar to the following:

```
input(type="imfile" File="/var/log/audit/audit.log" Tag="audit")
```

Note, with the above, selinux will need to be altered slightly to allow rsyslog to access the file. Such as the addition of the following rules:

```
module syslog_audit 1.0;

require {
        type syslogd_t;
        type auditd_log_t;
        class dir { getattr search };
        class file { getattr ioctl open read };
}

#============= syslogd_t ==============
allow syslogd_t auditd_log_t:dir { getattr search };
allow syslogd_t auditd_log_t:file { getattr ioctl open read };
```

From there, you should just need to build the policy and install it via the steps outlined in: Writing Custom SELinux Policy https://access.redhat.com/solutions/117583

- Kyle Walker
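The workaround described above (imfile input plus the SELinux module), scripted as an added example that is not code from the bug report, from Red Hat or from the commenters. It assumes a drop-in named /etc/rsyslog.d/audit.conf, an optional PREFIX argument so the files can first be generated under a scratch directory, and that rsyslog must load the imfile module before an imfile input is declared.

```shell
#!/bin/sh
# Added example: rsyslog reads /var/log/audit/audit.log directly, bypassing
# /dev/log -> systemd-journald -> imjournal; PREFIX (hypothetical) is a scratch root.
set -eu
# Write the rsyslog drop-in (the filename audit.conf is an assumption).
write_rsyslog_input() {
    root="${1:-}"
    mkdir -p "$root/etc/rsyslog.d"
    cat > "$root/etc/rsyslog.d/audit.conf" <<'EOF'
# imfile is not loaded by default; the input line alone is not enough
module(load="imfile")
input(type="imfile" File="/var/log/audit/audit.log" Tag="audit")
EOF
}
# Write the type-enforcement source quoted in the bug report.
write_selinux_te() {
    dir="${1:-}/tmp/syslog_audit"
    mkdir -p "$dir"
    cat > "$dir/syslog_audit.te" <<'EOF'
module syslog_audit 1.0;
require {
    type syslogd_t;
    type auditd_log_t;
    class dir { getattr search };
    class file { getattr ioctl open read };
}
allow syslogd_t auditd_log_t:dir { getattr search };
allow syslogd_t auditd_log_t:file { getattr ioctl open read };
EOF
}
# Compile and load: checkmodule -> semodule_package -> semodule (needs root and policy tools).
install_selinux_module() {
    dir="${1:-}/tmp/syslog_audit"
    checkmodule -M -m -o "$dir/syslog_audit.mod" "$dir/syslog_audit.te"
    semodule_package -o "$dir/syslog_audit.pp" -m "$dir/syslog_audit.mod"
    semodule -i "$dir/syslog_audit.pp"
}
# Returns 0 only if both generated files carry the lines the workaround depends on.
verify_generated() {
    grep -q 'type="imfile"' "${1:-}/etc/rsyslog.d/audit.conf" &&
    grep -q 'allow syslogd_t auditd_log_t:file' "${1:-}/tmp/syslog_audit/syslog_audit.te"
}
# Usage: sh audit-imfile.sh apply [PREFIX]; with no PREFIX this edits the live system.
case "${1:-}" in
    apply) write_rsyslog_input "${2:-}"; write_selinux_te "${2:-}"
           verify_generated "${2:-}"; install_selinux_module "${2:-}"; rsyslogd -N1 ;;
esac
```

After a live apply, restart rsyslog and confirm with `semodule -l` that syslog_audit is loaded and that no new AVC denials for syslogd_t appear in audit.log.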