Bug 1985630
| Summary: | Shipped /usr/share/audit/sample-rules/ *.rules cannot be used on all supported architectures | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Component: | audit | Assignee: | Sergio Correia <scorreia> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Martin Zelený <mzeleny> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.0 | CC: | jjaburek, jpazdziora, mzeleny, scorreia, sgrubb |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | audit-3.0.2-3.el9 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-12-07 22:04:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
aarch64 does not have the open syscall. Just delete it from the rules. Will add a note in the rules that it's expected that they need to be fine-tuned for the arch they are deployed on.

The whole purpose of the change done in bug 1767054 was to ship rules files that can be easily copied or linked and ideally tested by QE without any fine-tuning needed, definitely not tuning related to even using the rules on a given platform (31-privileged.rules is an exception documented in README-rules). The rules files need to be updated to exclude the open lines on aarch64, either at build time or at runtime.

On ppc64le with the same Steps to Reproduce, I see

```
There was an error in line 7 of /etc/audit/audit.rules
```

which is line

```
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
```

Would you prefer a separate bugzilla for ppc64le, or turning this bugzilla into "Shipped /usr/share/audit/sample-rules/ *.rules cannot be used on all supported architectures"?

(In reply to Jan Pazdziora from comment #3)
[...]
> Would you prefer separate bugzilla for ppc64le, or turning this bugzilla
> into "Shipped /usr/share/audit/sample-rules/ *.rules cannot be used on all
> supported architectures"?

I don't feel strongly about it, but I like your "Shipped /usr/share/audit/sample-rules/ *.rules cannot be used on all supported architectures" suggestion.
Description of problem:
Attempt to use *.rules files from /usr/share/audit/sample-rules/ causes augenrules --load to fail on aarch64.

Version-Release number of selected component (if applicable):
audit-3.0.2-1.el9.aarch64

How reproducible:
Deterministic.

Steps to Reproduce:
1. cd /usr/share/audit/sample-rules/ && cp 10-base-config.rules 11-loginuid.rules 30-ospp*.rules 43-module-load.rules /etc/audit/rules.d/
2. service auditd stop && systemctl start auditd
3. systemctl status auditd
4. augenrules --load

Actual results:

```
● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-07-24 09:16:31 EDT; 6s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 1111 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 1115 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
   Main PID: 1112 (auditd)
      Tasks: 2 (limit: 7048)
     Memory: 1008.0K
        CPU: 204ms
     CGroup: /system.slice/auditd.service
             └─1112 /sbin/auditd

Jul 24 09:16:31 machine.example.com augenrules[1145]: enabled 1
Jul 24 09:16:31 machine.example.com augenrules[1145]: failure 1
Jul 24 09:16:31 machine.example.com augenrules[1145]: pid 1112
Jul 24 09:16:31 machine.example.com augenrules[1145]: rate_limit 0
Jul 24 09:16:31 machine.example.com augenrules[1145]: backlog_limit 8192
Jul 24 09:16:31 machine.example.com augenrules[1145]: lost 0
Jul 24 09:16:31 machine.example.com augenrules[1145]: backlog 0
Jul 24 09:16:31 machine.example.com augenrules[1145]: backlog_wait_time 60000
Jul 24 09:16:31 machine.example.com augenrules[1145]: backlog_wait_time_actual 0
Jul 24 09:16:31 machine.example.com systemd[1]: Started Security Auditing Service.
```

```
/usr/sbin/augenrules: No change
Syscall name unknown: open
There was an error in line 10 of /etc/audit/audit.rules
No rules
enabled 1
failure 1
pid 1112
rate_limit 0
backlog_limit 8192
lost 0
backlog 2
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 1112
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 1112
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
```

Expected results:

```
Process: 1115 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
```

No augenrules error.

Additional info:
It is weird that the /usr/lib/systemd/system/auditd.service lists `ExecStartPost=-/sbin/augenrules --load` with that leading - sign. That means that a broken .rules configuration is not indicated as an auditd.service failure, making the admin think they have the system auditing correctly following what they have in /etc/audit/rules.d/, when in fact the rules did not get reloaded and did not get applied.
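A pre-load check for the failure described in this report, added here as an example and not code from the bug report or from the audit project: it walks a rules file and reports every `-S` syscall name that the target architecture's lookup table does not know (such as `open` on aarch64), plus `-F arch=` values it has no table for, so the file can be fixed at build time or before `augenrules --load` runs. It assumes the `ausyscall` tool from the audit package is on PATH and exits non-zero for an unknown name, and the arch-to-table mapping in `arch_table` is an assumption to extend per platform.

```shell
#!/bin/sh
# Added example, not from the bug report or the audit project: find syscall
# names in an audit rules file that a given architecture cannot resolve.
# Assumes `ausyscall TABLE NAME` (audit package) exits non-zero for an
# unknown NAME; the arch-to-table mapping below is an assumption to extend.
set -f   # no globbing while rule lines are split into words

# Map a rule's -F arch= value to an ausyscall lookup table for MACHINE.
arch_table() {   # arch_table MACHINE ARCH
    case "$1:$2" in
        aarch64:b64) echo aarch64 ;;
        x86_64:b64)  echo x86_64 ;;
        x86_64:b32)  echo i386 ;;
        ppc64le:b64) echo ppc64le ;;
        *)           return 1 ;;      # no lookup table for this pair
    esac
}

# check_rules_file FILE [MACHINE]: print one "FILE:LINE: ..." finding per
# problem and return 1 if anything was found. MACHINE defaults to `uname -m`,
# so a build host can check rules for another architecture.
check_rules_file() {
    file=$1; machine=${2:-$(uname -m)}; n=0; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in -a*) ;; *) continue ;; esac   # only syscall rules
        arch=""; syscalls=""; prev=""
        for tok in $line; do                           # collect -S and -F arch=
            case "$prev:$tok" in
                -S:*)      syscalls="$syscalls $(printf '%s' "$tok" | tr , ' ')" ;;
                -F:arch=*) arch=${tok#arch=} ;;
            esac
            prev=$tok
        done
        [ -n "$arch" ] || continue                     # no arch: nothing to look up
        if ! table=$(arch_table "$machine" "$arch"); then
            printf '%s:%d: arch=%s has no lookup table on %s\n' "$file" "$n" "$arch" "$machine"
            found=1; continue
        fi
        for sc in $syscalls; do
            case "$sc" in all) continue ;; esac        # "all" is not a name to look up
            if ! ausyscall "$table" "$sc" >/dev/null 2>&1; then
                printf '%s:%d: syscall %s unknown on %s\n' "$file" "$n" "$sc" "$table"
                found=1
            fi
        done
    done < "$file"
    return $found
}
```

Running `check_rules_file /etc/audit/rules.d/30-ospp-v42.rules` before the load gives the line numbers augenrules would otherwise fail on, without the exit status being hidden by the service's `-` prefix.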