Description of problem:
augenrules includes files ending in the regexp "rules" into auditd rules.

Version-Release number of selected component (if applicable):
audit-2.4.1-5.el7

How reproducible:
Always

Steps to Reproduce:
1] Create an audit rule file named "/etc/audit/rules.d/mkrules"
2] Restart the auditd daemon

Actual results:
Rules defined in a file not ending in ".rules" get loaded.

Expected results:
Rules defined in files not ending in ".rules" should not be loaded.

Additional info:
The augenrules man page states:
Component audit rule files must end in .rules in order to be processed. All other files in /etc/audit/rules.d are ignored.

example:-
]# cat /etc/audit/rules.d/mkrules
-w /etc/hosts -p a -k monitor-hosts
]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
[root@dhcp9-127 ~]# auditctl -l
-w /etc/hosts -p a -k monitor-hosts
Fixed in upstream commit 1414.
audit-2.7.4-1.el7 was built to resolve this issue.
Successfully reproduced and verified on all supported architectures.

OLD (audit-2.6.5-3.el7_3.1)
===========================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Loading only *.rules files (BZ#1414812)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'rm -rf /etc/audit/rules.d/*' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testA -p a -k testA' >/etc/audit/rules.d/test' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testB -p a -k testB' >/etc/audit/rules.d/rules' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testC -p a -k testC' >/etc/audit/rules.d/.rules' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testD -p a -k testD' >/etc/audit/rules.d/rules.test' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testE -p a -k testE' >/etc/audit/rules.d/test.rule' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testF -p a -k testF' >/etc/audit/rules.d/test.rules.test' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testG -p a -k testG' >/etc/audit/rules.d/test.rules.' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testH -p a -k testH' >/etc/audit/rules.d/testrules' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testI -p a -k testI' >/etc/audit/rules.d/test.rules' (Expected 0, got 0)
:: [ PASS ] :: Command 'service auditd restart && sleep 5' (Expected 0, got 0)
:: [ PASS ] :: Command 'auditctl -l | grep testA' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testB' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testC' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testD' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testE' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testF' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testG' (Expected 1, got 1)
:: [ FAIL ] :: Command 'auditctl -l | grep testH' (Expected 1, got 0)
:: [ PASS ] :: Command 'auditctl -l | grep testI' (Expected 0, got 0)
:: [ LOG ] :: Duration: 8s
:: [ LOG ] :: Assertions: 19 good, 1 bad
:: [ FAIL ] :: RESULT: Loading only *.rules files (BZ#1414812)

NEW (audit-2.7.6-1.el7)
=======================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Loading only *.rules files (BZ#1414812)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'rm -rf /etc/audit/rules.d/*' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testA -p a -k testA' >/etc/audit/rules.d/test' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testB -p a -k testB' >/etc/audit/rules.d/rules' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testC -p a -k testC' >/etc/audit/rules.d/.rules' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testD -p a -k testD' >/etc/audit/rules.d/rules.test' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testE -p a -k testE' >/etc/audit/rules.d/test.rule' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testF -p a -k testF' >/etc/audit/rules.d/test.rules.test' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testG -p a -k testG' >/etc/audit/rules.d/test.rules.' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testH -p a -k testH' >/etc/audit/rules.d/testrules' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo '-w /tmp/testI -p a -k testI' >/etc/audit/rules.d/test.rules' (Expected 0, got 0)
:: [ PASS ] :: Command 'service auditd restart && sleep 5' (Expected 0, got 0)
:: [ PASS ] :: Command 'auditctl -l | grep testA' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testB' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testC' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testD' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testE' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testF' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testG' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testH' (Expected 1, got 1)
:: [ PASS ] :: Command 'auditctl -l | grep testI' (Expected 0, got 0)
:: [ LOG ] :: Duration: 8s
:: [ LOG ] :: Assertions: 20 good, 0 bad
:: [ PASS ] :: RESULT: Loading only *.rules files (BZ#1414812)

For more details please see TJ#1827021.
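The shell script below is an added example, not code from the audit project or from this report. It models the two filename filters the report contrasts and applies both to the nine file names the verification log uses; the loose unescaped-dot pattern is an assumption, chosen because it reproduces the OLD column of that log exactly (the real augenrules script is not shown here).

```shell
#!/bin/sh
# Added example, not code from the audit project or from this report. It models
# the two filename filters the report contrasts and applies them to the nine
# file names used in the verification log. The loose pattern '.rules$' (an
# unescaped dot, so ANY character followed by "rules") is an assumption: it is
# chosen because it reproduces the OLD column of that log exactly.
export LC_ALL=C   # deterministic sort order for ls

# Scratch copy of the test file names (constructed; /etc/audit is not touched).
make_rules_dir() {
    dir=$(mktemp -d)
    for name in test rules .rules rules.test test.rule test.rules.test \
                test.rules. testrules test.rules; do
        : > "$dir/$name"
    done
    printf '%s\n' "$dir"
}

# Plain ls skips dotfiles, so ".rules" is never offered to either filter,
# matching the log, where testC was not loaded by either version.
list_files() {
    ls "$1"
}

# Loose filter: "testrules" is accepted, because 't' satisfies the unescaped
# dot; "rules" alone is rejected, because nothing precedes it. This is the bug.
select_loose() {
    list_files "$1" | grep '.rules$'
}

# Documented contract from augenrules(8): the name must end in ".rules".
select_strict() {
    list_files "$1" | grep '\.rules$'
}

# Files the loose filter loads that the documented contract excludes: audit
# rules an administrator dropped into rules.d without intending to activate.
unexpected_loads() {
    list_files "$1" | grep '.rules$' | grep -v '\.rules$'
}

# Demo run; the scratch directory is removed afterwards.
demo_dir=$(make_rules_dir)
printf 'loose filter (bug):     %s\n' "$(select_loose "$demo_dir" | tr '\n' ' ')"
printf 'strict filter (docs):   %s\n' "$(select_strict "$demo_dir" | tr '\n' ' ')"
printf 'loaded unintentionally: %s\n' "$(unexpected_loads "$demo_dir" | tr '\n' ' ')"
rm -rf "$demo_dir"
```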
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2008