1419388 – RFE : Stop journald to capture audit logs when audisp is enabled

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1419388 - RFE : Stop journald to capture audit logs when audisp is enabled

Summary: RFE : Stop journald to capture audit logs when audisp is enabled

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	systemd
Sub Component:
Version:	7.1
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	systemd-maint
QA Contact:	qe-baseos-daemons
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1420851
TreeView+	depends on / blocked

Reported:	2017-02-06 02:35 UTC by Akshay Jain
Modified:	2022-03-13 14:11 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-12-11 18:58:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Akshay Jain 2017-02-06 02:35:58 UTC

Description of problem: audit logs are captured in journald when audisp is enabled


Version-Release number of selected component (if applicable):
systemd-219-30.el7_3.6.x86_64


How reproducible:
reproducible anytime

Steps to Reproduce:
1. Enable audisp by setting active=yes parameter in below conf file.

# grep -v "^#" /etc/audisp/plugins.d/syslog.conf 

active = yes
direction = out
path = builtin_syslog
type = builtin 
args = LOG_SYSLOG
format = string

2. Restart auditd service

#service auditd restart


3. Run journalctl command to find audit logs in journald

# journalctl

Actual results: Audit Logs captured in journald

Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com systemd[1]: Starting Session 427 of user root.
Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com audispd[11228]: node=dhcp7-213.gsslab.pnq.redhat.com type=USER_LOGIN msg=audit(1486346518.190:31133): pid=21722 uid=0 auid=0 ses=427 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=10.76.0.255 addr=10.76.0.255 terminal=/dev/pts/1 res=success'
Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com audispd[11228]: node=dhcp7-213.gsslab.pnq.redhat.com type=USER_START msg=audit(1486346518.190:31134): pid=21722 uid=0 auid=0 ses=427 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=10.76.0.255 addr=10.76.0.255 terminal=/dev/pts/1 res=success'
Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com audispd[11228]: node=dhcp7-213.gsslab.pnq.redhat.com type=CRYPTO_KEY_USER msg=audit(1486346518.190:31135): pid=21722 uid=0 auid=0 ses=427 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=01:cb:f3:7d:1c:59:81:88:45:bf:a7:c1:95:19:82:f4 direction=? spid=21722 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.76.0.255 terminal=pts/1 res=success'
Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com audispd[11228]: node=dhcp7-213.gsslab.pnq.redhat.com type=CRYPTO_KEY_USER msg=audit(1486346518.191:31136): pid=21722 uid=0 auid=0 ses=427 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=f9:d7:72:8b:48:41:25:f3:f0:f4:a3:7a:e7:93:ad:6a direction=? spid=21722 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.76.0.255 terminal=pts/1 res=success'
Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com audispd[11228]: node=dhcp7-213.gsslab.pnq.redhat.com type=CRYPTO_KEY_USER msg=audit(1486346518.191:31137): pid=21722 uid=0 auid=0 ses=427 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=b9:d3:54:73:f6:fc:43:e3:c3:66:b5:25:92:b9:b8:28 direction=? spid=21722 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.76.0.255 terminal=pts/1 res=success'
Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com audispd[11228]: node=dhcp7-213.gsslab.pnq.redhat.com type=CRED_REFR msg=audit(1486346518.191:31138): pid=21722 uid=0 auid=0 ses=427 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=10.76.0.255 addr=10.76.0.255 terminal=ssh res=success'



Expected results:

No audit logs in journald 

Additional info:
Upstream has a feature to disable systemd-journald-audit.socket for stopping  journald to capture audit logs.

systemctl mask systemd-journald-audit.socket

Upstream Bug 1227379

Comment 1 Lukáš Nykrýn 2017-02-06 09:35:52 UTC

> Upstream has a feature to disable systemd-journald-audit.socket for stopping
> journald to capture audit logs.
> 
> systemctl mask systemd-journald-audit.socket
> 
> Upstream Bug 1227379

This is not related, journalctl in rhel7 does not read audit messages directly.
see https://github.com/lnykryn/systemd-rhel/commit/5dee07f71ccaf8eacd115e01e665c645f7c3a75d

I know nothing about audisp but from the configuration it looks, that you are trying get audit messages into the syslog, right?

If so, those messages are in journal because journald is the consument of syslog style logging. Rsyslog on rhel7 does not get the messages directly, it reads them through journald.

Comment 11 Kyle Walker 2018-12-11 18:58:42 UTC

I am currently marking this as CLOSED,WONTFIX. The audisp multiplexer is designed in such a way as to allow it to write to the syslog interface. This is visible in the default configuration below:

    # cat /etc/audisp/plugins.d/syslog.conf
    # This file controls the configuration of the syslog plugin.
    # It simply takes events and writes them to syslog. The
    # arguments provided can be the default priority that you
    # want the events written with. And optionally, you can give
    # a second argument indicating the facility that you want events
    # logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
    # LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.

    active = no
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_INFO
    format = string


The default state is "active = no", and so audit messages will not be seen in the journal. Users who enable this mechanism in the hopes that the messages will be forwarded to rsyslog, and not the journal, should be aware that the mechanism in which the syslog infrastructure is implemented within RHEL 7 is via:

    /dev/log -> systemd-journald -> rsyslog(imjournal)


By enabling the syslog plugin for audisp, the messages are sent to /dev/log which is the responsibility of systemd-journald. The simplest method to achieve picking up audit messages with rsyslog, and not systemd-journald, is to configure an "imfile" plugin for the /var/log/audit/audit.log file. Similar to the following:

    input(type="imfile" File="/var/log/audit/audit.log" Tag="audit")


Note, with the above, selinux will need to be altered slightly to allow rsyslog to access the file. Such as the addition of the following rules:

    module syslog_audit 1.0;

    require {
	    type syslogd_t;
	    type auditd_log_t;
	    class dir { getattr search };
	    class file { getattr ioctl open read };
    }

    #============= syslogd_t ==============
    allow syslogd_t auditd_log_t:dir { getattr search };
    allow syslogd_t auditd_log_t:file { getattr ioctl open read };


From there, you should just need to build the policy and install it via the steps outlined in:

    Writing Custom SELinux Policy
    https://access.redhat.com/solutions/117583

- Kyle Walker

Note You need to log in before you can comment on or make changes to this bug.