Bug 1419388 - RFE : Stop journald to capture audit logs when audisp is enabled
Summary: RFE : Stop journald to capture audit logs when audisp is enabled
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.1
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: systemd-maint
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 1420851
TreeView+ depends on / blocked
 
Reported: 2017-02-06 02:35 UTC by Akshay Jain
Modified: 2019-09-23 01:30 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-11 18:58:42 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Akshay Jain 2017-02-06 02:35:58 UTC
Description of problem: audit logs are captured in journald when audisp is enabled


Version-Release number of selected component (if applicable):
systemd-219-30.el7_3.6.x86_64


How reproducible:
reproducible anytime

Steps to Reproduce:
1. Enable audisp by setting active=yes parameter in below conf file.

# grep -v "^#" /etc/audisp/plugins.d/syslog.conf 

active = yes
direction = out
path = builtin_syslog
type = builtin 
args = LOG_SYSLOG
format = string

2. Restart auditd service

#service auditd restart


3. Run journalctl command to find audit logs in journald

# journalctl

Actual results: Audit Logs captured in journald

Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com systemd[1]: Starting Session 427 of user root.
Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com audispd[11228]: node=dhcp7-213.gsslab.pnq.redhat.com type=USER_LOGIN msg=audit(1486346518.190:31133): pid=21722 uid=0 auid=0 ses=427 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=10.76.0.255 addr=10.76.0.255 terminal=/dev/pts/1 res=success'
Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com audispd[11228]: node=dhcp7-213.gsslab.pnq.redhat.com type=USER_START msg=audit(1486346518.190:31134): pid=21722 uid=0 auid=0 ses=427 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=10.76.0.255 addr=10.76.0.255 terminal=/dev/pts/1 res=success'
Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com audispd[11228]: node=dhcp7-213.gsslab.pnq.redhat.com type=CRYPTO_KEY_USER msg=audit(1486346518.190:31135): pid=21722 uid=0 auid=0 ses=427 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=01:cb:f3:7d:1c:59:81:88:45:bf:a7:c1:95:19:82:f4 direction=? spid=21722 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.76.0.255 terminal=pts/1 res=success'
Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com audispd[11228]: node=dhcp7-213.gsslab.pnq.redhat.com type=CRYPTO_KEY_USER msg=audit(1486346518.191:31136): pid=21722 uid=0 auid=0 ses=427 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=f9:d7:72:8b:48:41:25:f3:f0:f4:a3:7a:e7:93:ad:6a direction=? spid=21722 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.76.0.255 terminal=pts/1 res=success'
Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com audispd[11228]: node=dhcp7-213.gsslab.pnq.redhat.com type=CRYPTO_KEY_USER msg=audit(1486346518.191:31137): pid=21722 uid=0 auid=0 ses=427 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=b9:d3:54:73:f6:fc:43:e3:c3:66:b5:25:92:b9:b8:28 direction=? spid=21722 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.76.0.255 terminal=pts/1 res=success'
Feb 06 07:31:58 dhcp7-213.gsslab.pnq.redhat.com audispd[11228]: node=dhcp7-213.gsslab.pnq.redhat.com type=CRED_REFR msg=audit(1486346518.191:31138): pid=21722 uid=0 auid=0 ses=427 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=10.76.0.255 addr=10.76.0.255 terminal=ssh res=success'



Expected results:

No audit logs in journald 

Additional info:
Upstream has a feature to disable systemd-journald-audit.socket for stopping  journald to capture audit logs.

systemctl mask systemd-journald-audit.socket

Upstream Bug 1227379

Comment 1 Lukáš Nykrýn 2017-02-06 09:35:52 UTC
> Upstream has a feature to disable systemd-journald-audit.socket for stopping
> journald to capture audit logs.
> 
> systemctl mask systemd-journald-audit.socket
> 
> Upstream Bug 1227379

This is not related, journalctl in rhel7 does not read audit messages directly.
see https://github.com/lnykryn/systemd-rhel/commit/5dee07f71ccaf8eacd115e01e665c645f7c3a75d

I know nothing about audisp but from the configuration it looks, that you are trying get audit messages into the syslog, right?

If so, those messages are in journal because journald is the consument of syslog style logging. Rsyslog on rhel7 does not get the messages directly, it reads them through journald.

Comment 11 Kyle Walker 2018-12-11 18:58:42 UTC
I am currently marking this as CLOSED,WONTFIX. The audisp multiplexer is designed in such a way as to allow it to write to the syslog interface. This is visible in the default configuration below:

    # cat /etc/audisp/plugins.d/syslog.conf
    # This file controls the configuration of the syslog plugin.
    # It simply takes events and writes them to syslog. The
    # arguments provided can be the default priority that you
    # want the events written with. And optionally, you can give
    # a second argument indicating the facility that you want events
    # logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
    # LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.

    active = no
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_INFO
    format = string


The default state is "active = no", and so audit messages will not be seen in the journal. Users who enable this mechanism in the hopes that the messages will be forwarded to rsyslog, and not the journal, should be aware that the mechanism in which the syslog infrastructure is implemented within RHEL 7 is via:

    /dev/log -> systemd-journald -> rsyslog(imjournal)


By enabling the syslog plugin for audisp, the messages are sent to /dev/log which is the responsibility of systemd-journald. The simplest method to achieve picking up audit messages with rsyslog, and not systemd-journald, is to configure an "imfile" plugin for the /var/log/audit/audit.log file. Similar to the following:

    input(type="imfile" File="/var/log/audit/audit.log" Tag="audit")


Note, with the above, selinux will need to be altered slightly to allow rsyslog to access the file. Such as the addition of the following rules:

    module syslog_audit 1.0;

    require {
	    type syslogd_t;
	    type auditd_log_t;
	    class dir { getattr search };
	    class file { getattr ioctl open read };
    }

    #============= syslogd_t ==============
    allow syslogd_t auditd_log_t:dir { getattr search };
    allow syslogd_t auditd_log_t:file { getattr ioctl open read };


From there, you should just need to build the policy and install it via the steps outlined in:

    Writing Custom SELinux Policy
    https://access.redhat.com/solutions/117583

- Kyle Walker


Note You need to log in before you can comment on or make changes to this bug.