Bug 155519 - highlight changes in audit message logging when auditd is enabled, possibly by default
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: rhel-selg (Show other bugs)
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Martin Prpič
Blocks: 149551
Reported: 2005-04-20 20:44 EDT by Karsten Wade
Modified: 2012-06-20 11:58 EDT (History)

Doc Type: Bug Fix
Last Closed: 2012-06-20 11:58:21 EDT
Description Karsten Wade 2005-04-20 20:44:01 EDT
[NOTE - leave bug #149551 as a blocked by this bug, for tracking purposes]

## Description of document bug or feature request:

If auditd is running, and this may be in U1 (unknown to author at this writing),
audit messages _including_ AVC messages are routed by the kernel into
/var/log/audit/audit.log when auditd is alive.  If auditd is uninstalled or
disabled, audit messages are sent to syslog, which puts them in
/var/log/messages and dmesg.

This may be a major issue if auditd is included in an update to RHEL 4 _and_ is
set to run by default.  Keep this bugzilla until that is resolved, and if
necessary highlight the changes in the guide.

## Version-Release number
## This is found on the legalnotice.html page and on this page with
## instructions:

rhel-selg(EN)-4-HTML-RHI (2005-02-15-T16:20)

## Additional information?
Comment 1 Karsten Wade 2005-04-22 21:48:44 EDT
From Stephen Smalley:

"Another change that will need to be highlighted is the impact
of the patch referenced below, which has already been submitted for
inclusion in a RHEL4 update by IBM (U2, I would guess?).  This patch
will require users who want to retain the process-related information
(pid, exe) for an avc message to enable syscall auditing (i.e. boot with
audit=1 or use auditctl -e 1 or appropriate auditd configuration) and
glean it from the subsequent syscall audit record with the same
timestamp/serial rather than directly from the avc message itself.  In
addition to avoiding the deadlock issue which motivated the patch, this
will also avoid improper attribution of certain permission denials (e.g.
denials upon packet receipt like tcp_recv, udp_recv, rawip_recv, and
recv_msg) to an unrelated process, which has confused people in the
past.  And it will allow people to get the comm information, which
although untrustworthy and possibly truncated, is nonetheless helpful in
debugging when scripts are invoked (to see the script name rather than
the interpreter as reported by the exe=).

http://marc.theaimsgroup.com/?l=bk-commits-head&m=111406582218985&w=2 "
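The correlation Stephen Smalley describes above, written out as an added example (this is not code from the bug, from the kernel patch, or from the audit package): each record the kernel emits for one event carries the same audit(timestamp:serial) key, so once the AVC record stops carrying pid/exe, the process identity has to be read from the SYSCALL record that shares that key. The script below parses raw audit.log lines, groups them by that key, and joins each AVC record to its SYSCALL record; an AVC with no SYSCALL record in the same event (syscall auditing off, or a packet-receipt denial) is reported as unattributed rather than pinned on some unrelated process. The log lines in SAMPLE_LOG are constructed for the example, not taken from a real system.

```python
import re
from collections import defaultdict

# Header shared by every audit record: the type and the audit(<timestamp>:<serial>)
# key that the kernel stamps on all records belonging to one event.
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs in a record body; values are either "quoted" or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# The AVC verdict and the permission(s) it refers to, e.g. 'avc:  denied  { read }'.
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

# Constructed sample records (not from a real host).
SAMPLE_LOG = [
    # Event 4567: post-patch AVC record carries no pid/exe; the SYSCALL record with
    # the same audit(ts:serial) supplies them. comm names the script, exe the interpreter.
    'type=AVC msg=audit(1114035423.123:4567): avc:  denied  { read } for  name="shadow" '
    'dev=hda3 ino=12345 scontext=user_u:system_r:initrc_t '
    'tcontext=system_u:object_r:shadow_t tclass=file',
    'type=SYSCALL msg=audit(1114035423.123:4567): arch=40000003 syscall=5 success=no '
    'exit=-13 a0=bfffe8c0 a1=0 a2=0 a3=0 items=1 pid=2345 auid=500 uid=0 gid=0 '
    'comm="backup.sh" exe="/bin/bash"',
    # Event 4570: a packet-receipt denial with no SYSCALL record in the same event.
    # It must stay unattributed instead of being blamed on whatever task was current.
    'type=AVC msg=audit(1114035430.456:4570): avc:  denied  { udp_recv } for  '
    'saddr=10.0.0.5 src=53 daddr=10.0.0.9 dest=32768 netif=eth0 '
    'scontext=system_u:system_r:named_t tcontext=system_u:object_r:netif_eth0_t tclass=netif',
]

PROC_KEYS = ('pid', 'auid', 'uid', 'comm', 'exe')


def parse_record(line):
    """Split one audit line into its type, event key 'ts:serial' and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(m.group('body')):
        fields[key] = quoted if raw.startswith('"') else raw
    return {'type': m.group('type'),
            'event': f"{m.group('ts')}:{m.group('serial')}",
            'fields': fields,
            'body': m.group('body')}


def correlate(lines):
    """Join each AVC record to the SYSCALL record of the same event, if one exists."""
    events = defaultdict(list)   # event key -> records, in file order
    order = []                   # first-seen order of event keys
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue             # not an audit record (or a malformed line); skip it
        if rec['event'] not in events:
            order.append(rec['event'])
        events[rec['event']].append(rec)

    results = []
    for key in order:
        recs = events[key]
        syscalls = [r for r in recs if r['type'] == 'SYSCALL']
        for avc in (r for r in recs if r['type'] == 'AVC'):
            verdict = AVC_RE.search(avc['body'])
            out = {
                'event': key,
                'verdict': verdict.group(1) if verdict else '?',
                'perms': verdict.group(2).split() if verdict else [],
                'tclass': avc['fields'].get('tclass'),
                'scontext': avc['fields'].get('scontext'),
                'tcontext': avc['fields'].get('tcontext'),
            }
            if syscalls:
                # Process identity comes from the SYSCALL record, which the kernel
                # fills in from the current task at syscall exit.
                src = syscalls[0]['fields']
                out['attributed'] = True
            else:
                # No SYSCALL record: use only what the AVC line itself carries
                # (older kernels put pid/comm here); otherwise leave it unattributed.
                src = avc['fields']
                out['attributed'] = 'pid' in src
            for k in PROC_KEYS:
                out[k] = src.get(k)
            results.append(out)
    return results


def format_report(results):
    """One human-readable line per AVC, naming the process only when it is known."""
    lines = []
    for r in results:
        who = (f"pid={r['pid']} exe={r['exe']} comm={r['comm']}" if r['attributed']
               else 'process unknown (no SYSCALL record in this event)')
        lines.append(f"audit({r['event']}) {r['verdict']} {{ {' '.join(r['perms'])} }} "
                     f"{r['scontext']} -> {r['tcontext']} tclass={r['tclass']}: {who}")
    return '\n'.join(lines)


if __name__ == '__main__':
    print(format_report(correlate(SAMPLE_LOG)))
```

Run it against a real log with `correlate(open('/var/log/audit/audit.log'))`; because records are grouped by the audit(ts:serial) key rather than by adjacency, the join still works when records of different events are interleaved, but it only pays off if syscall auditing is actually enabled so that SYSCALL records exist at all.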
Comment 2 Karsten Wade 2005-04-22 21:49:34 EDT
(comments from Steve Grubb)

> But is it also as simple as 'service audit stop' and 'chkconfig audit
> off'?

> Then the kernel will pass the audit messages to syslog?

> Are any audit messages dropped or not created when auditd is not running?

Syslog is not guaranteed to catch everything - especially if using remote
logging. It's rare that two back to back messages will be identical, but
syslog does compression when messages are the same.
Comment 3 Karsten Wade 2006-03-30 14:14:19 EST
No longer a member of the documentation group, reassigning to group manager to
Comment 4 Michael Hideo 2007-06-06 00:42:01 EDT
Adding 'cc ecs-dev-list@redhat.com for tracking
Comment 5 Michael Hideo 2007-10-22 22:49:07 EDT
Removing automation notification
Comment 6 David O'Brien 2008-01-14 21:00:42 EST
No longer involved in RHEL Deployment Guide. Reassign to Don
Comment 9 John 2008-05-19 14:36:58 EDT
Took over from what I thought was a fresh install. RHEL 4 WS 64 Bit. System
shipped in Dec 07 or Jan 08 from Vendor, preloaded. I was able to execute
auditd and auditcntl but out of the box my system has no folder called audit
in the var/logs directory. Personally created and placed an audit.rules in
the /etc but an audit.log file has not been auto generated; do I need to create
an audit.log file and place it in var/logs/audit/ and expect it to populate via
the auditd executable?
Comment 10 Greg Bruce 2008-06-04 17:15:41 EDT
(In reply to comment #9)
Should be able to run: service auditd start, stop, status, restart
Check /etc/auditd.conf, first line is where logs are written to. Make sure
destination file has permissions of 640 set otherwise it will not write to file.
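A small check that follows the advice in comment 10 and the point made in the bug description (audit records only land in the configured audit log while auditd is alive; otherwise they go to syslog), written as an added example and not taken from the bug or from the audit package: it reads the `log_file` setting from auditd.conf (the real key; the config path and the sample config text are constructed for the example), reports where records are expected to land, and flags a log file whose mode is not 0640. Pure helpers are separated from the filesystem walk so the parsing and the mode rule can be exercised on their own.

```python
import os
import stat

# Constructed sample config in the RHEL 4 layout (log_file on the first line);
# not copied from a real host.
SAMPLE_CONF = """\
# constructed sample auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
max_log_file = 5
max_log_file_action = ROTATE
"""

DEFAULT_LOG = '/var/log/audit/audit.log'
EXPECTED_MODE = 0o640   # the mode comment 10 says auditd needs on its log file


def parse_auditd_conf(text):
    """Return the key/value settings from auditd.conf text ('key = value', '#' comments)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        settings[key] = value
    return settings


def configured_log_file(text, default=DEFAULT_LOG):
    """Where auditd will write records, falling back to the package default."""
    return parse_auditd_conf(text).get('log_file', default)


def mode_findings(mode, expected=EXPECTED_MODE):
    """Problems with a log file's permission bits; an empty list means the mode is fine."""
    perm = stat.S_IMODE(mode)
    findings = []
    if perm & 0o007:
        # Audit records carry pids, paths and contexts; they should not be world-readable.
        findings.append(f'mode {perm:04o} grants access to others')
    if perm != expected:
        findings.append(f'mode is {perm:04o}, expected {expected:04o}')
    return findings


def check_audit_logging(conf_path='/etc/auditd.conf'):
    """Filesystem walk: read the config, then check the log directory and file.

    Returns (log_path, list_of_findings). Assumes the RHEL 4 config location
    given in comment 10; adjust conf_path on other releases.
    """
    findings = []
    try:
        with open(conf_path) as fh:
            log_path = configured_log_file(fh.read())
    except OSError as exc:
        return DEFAULT_LOG, [f'cannot read {conf_path}: {exc}; '
                             'without a running auditd, records go to syslog']
    log_dir = os.path.dirname(log_path)
    if not os.path.isdir(log_dir):
        findings.append(f'log directory {log_dir} does not exist')
        return log_path, findings
    if not os.path.exists(log_path):
        findings.append(f'{log_path} has not been created yet (is auditd running?)')
        return log_path, findings
    findings.extend(mode_findings(os.stat(log_path).st_mode))
    return log_path, findings


if __name__ == '__main__':
    path, problems = check_audit_logging()
    print(f'audit records expected in: {path}')
    for p in problems or ['no problems found']:
        print(' -', p)
```

If the directory is missing the script says so rather than creating it, because the question in comment 9 is really whether auditd is running at all: with auditd stopped or disabled, the kernel hands the records to syslog and nothing will appear under the configured log path no matter what is created there by hand.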

Comment 11 Jiri Pallich 2012-06-20 11:58:21 EDT
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life.
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.
