Bug 983711
Summary: | Include audit package included in distribution | | |
---|---|---|---|
Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | Bob Buckley <bbuckley> |
Component: | distribution | Assignee: | Anthony Towns <atowns> |
Status: | CLOSED ERRATA | QA Contact: | Rejy M Cyriac <rcyriac> |
Severity: | medium | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | flanagan, rcyriac, rhs-bugs, shaines, surs |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-09-23 22:32:15 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Bob Buckley
2013-07-11 18:27:49 UTC
audit should be included as of RHS-2.1-20130805.n.0

Verified. 'audit' packages are available, 'auditd' is set to run at boot, 'auditd' is running on system, and log file exists.

----------------------------------------------------------------
# cat /etc/redhat-storage-release
Red Hat Storage Server 2.1
# rpm -qa | grep audit
audit-2.2-2.el6.x86_64
audit-libs-2.2-2.el6.x86_64
audit-libs-python-2.2-2.el6.x86_64
# service auditd status
auditd (pid 8753) is running...
# chkconfig --list auditd
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
# ps aux | grep audit | grep -v grep
root 1248 0.0 0.0 0 0 ? S 05:19 0:00 [kauditd]
root 1532 0.0 0.0 27656 888 ? S<sl 05:20 0:00 auditd
# ls -l /var/log/audit/audit.log
-rw------- 1 root root 174127 Aug 7 08:01 /var/log/audit/audit.log
----------------------------------------------------------------

Basic functional check performed using 'auditctl' and 'ausearch' commands.

----------------------------------------------------------------
# auditctl -w /etc/shadow -p wa -k shadow_change
# auditctl -l
LIST_RULES: exit,always watch=/etc/shadow perm=wa key=shadow_change
# passwd root
....
passwd: all authentication tokens updated successfully.
# ausearch -k shadow_change
----
time->Wed Aug 7 08:07:29 2013
type=CONFIG_CHANGE msg=audit(1375843049.672:285): auid=0 ses=3 op="add rule" key="shadow_change" list=4 res=1
----
time->Wed Aug 7 08:07:47 2013
type=PATH msg=audit(1375843067.097:287): item=4 name="/etc/shadow" inode=3670993 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=3 name="/etc/shadow" inode=3671712 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=2 name="/etc/nshadow" inode=3670993 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=1 name="/etc/" inode=3670017 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=0 name="/etc/" inode=3670017 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1375843067.097:287): cwd="/root"
type=SYSCALL msg=audit(1375843067.097:287): arch=c000003e syscall=82 success=yes exit=0 a0=7fa4d9346aa3 a1=7fa4d9346a97 a2=7fa4e0c88ed8 a3=0 items=5 ppid=2978 pid=5175 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="passwd" exe="/usr/bin/passwd" key="shadow_change"
----
time->Wed Aug 7 08:07:47 2013
type=CONFIG_CHANGE msg=audit(1375843067.097:286): auid=0 ses=3 op="updated rules" path="/etc/shadow" key="shadow_change" list=4 res=1
# auditctl -D
No rules
# auditctl -l
No rules
----------------------------------------------------------------

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1262.html