Description of problem:
Even when 43-module-load.rules gets deployed to /etc/audit/rules.d, the kernel module loads / unloads do not get audited.

Version-Release number of selected component (if applicable):
audit-3.0-0.9.20190507gitf58ec40.fc30.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. cp /usr/share/doc/audit/rules/43-module-load.rules /etc/audit/rules.d
2. sed -i 's/RefuseManualStop=yes/## &/' /usr/lib/systemd/system/auditd.service
3. systemctl daemon-reload
4. systemctl restart auditd
5. tail -f /var/log/audit/audit.log &
6. lsmod | grep dm_thin_pool
7. modprobe dm_thin_pool
8. lsmod | grep dm_thin_pool
9. rmmod dm_thin_pool
10. lsmod | grep dm_thin_pool

Actual results:
# lsmod | grep dm_thin_pool
# modprobe dm_thin_pool
# lsmod | grep dm_thin_pool
dm_thin_pool           86016  0
dm_persistent_data     94208  1 dm_thin_pool
dm_bio_prison          20480  1 dm_thin_pool
# rmmod dm_thin_pool
# lsmod | grep dm_thin_pool

Expected results:
# lsmod | grep dm_thin_pool
# modprobe dm_thin_pool
# type=SYSCALL msg=audit(1565260310.645:152): arch=c000003e syscall=175 success=yes exit=0 a0=55fd7f000380 a1=2a1c0 a2=55fd7d4557b6 a3=1 items=0 ppid=5096 pid=5168 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="modprobe" exe="/usr/bin/kmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="module-load"ARCH=x86_64 SYSCALL=init_module AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=KERN_MODULE msg=audit(1565260310.645:152): name="dm_thin_pool"
type=PROCTITLE msg=audit(1565260310.645:152): proctitle=6D6F6470726F626500646D5F7468696E5F706F6F6C
lsmod | grep dm_thin_pool
dm_thin_pool           86016  0
dm_persistent_data     94208  1 dm_thin_pool
dm_bio_prison          20480  1 dm_thin_pool
# rmmod dm_thin_pool
# type=SYSCALL msg=audit(1565260316.122:153): arch=c000003e syscall=176 success=yes exit=0 a0=5628c2763818 a1=800 a2=a a3=7fd36eabbf60 items=0 ppid=5096 pid=5172 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rmmod" exe="/usr/bin/kmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="module-unload"ARCH=x86_64 SYSCALL=delete_module AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=KERN_MODULE msg=audit(1565260316.122:153): name="dm_thin_pool"
type=PROCTITLE msg=audit(1565260316.122:153): proctitle=726D6D6F6400646D5F7468696E5F706F6F6C
lsmod | grep dm_thin_pool

In other words, I'd expect module-load and module-unload to get audited when the module gets loaded / unloaded.

Additional info:
Step 2 is needed to make 3 restart auditd.
Booting my rhel 8.1 system installed by the kickstart and running:

ausearch --start today -m module --raw | aureport --key --summary

Shows 80 modules loaded and 2 removed. It seems to be working.
Well yes, things work on RHEL 8. What needs to be done on Fedora to make auditd audit kernel module loading/unloading like it does on RHEL 8?
Looks like there was a typo above, replace -m with -k:

ausearch --start today -k module --raw | aureport --key --summary

Key Summary Report
===========================
total  key
===========================
39  module-load
3  modules
2  module-unload

It appears to be working on F30.
So I wonder if the problem is that

# rpm -qf /etc/audit/rules.d/audit.rules
audit-3.0-0.9.20190507gitf58ec40.fc30.x86_64

contains

# cat /etc/audit/rules.d/audit.rules
## This set of rules is to suppress the performance effects of the
## audit system. The result is that you only get hardwired events.
-D

## This suppresses syscall auditing for all tasks started
## with this rule in effect. Remove it if you need syscall
## auditing.
-a task,never

The (generated?) /etc/audit/audit.rules then is

## This file is automatically generated from /etc/audit/rules.d
-D
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-a task,never

and if it really suppresses the syscall auditing, it makes the previous rules not work.

On RHEL with audit-3.0-0.13.20190507gitf58ec40.el8.x86_64, the content of the /etc/audit/rules.d/audit.rules file is different:

## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1

Which of these are the "correct" contents going forward -- RHEL, or Fedora 30?

For the record, on Fedora rawhide, the /etc/audit/rules.d/audit.rules is empty ...
Ah, yes. That old chestnut. Turns out that people on the Fedora Project do not value auditing. So, someone opened a Fesco ticket demanding that auditing be neutered. They prefer speed over logging. See bug 1117953 for details. So, on Fedora if you want to have auditing, you need to delete 10-no-audit.rules and copy in 10-base-config.rules to /etc/audit/rules.d/. I tried my best to explain to Fesco that it is making a mistake. Meanwhile, RHEL doesn't have this kind of attitude because typically everyone has to meet regulatory compliance.
The problem is, the file is called /etc/audit/rules.d/audit.rules, not /etc/audit/rules.d/10-no-audit.rules (or better yet /etc/audit/rules.d/10-no-syscalls-audit.rules), so it's not immediately obvious looking at the default state of that /etc/audit/rules.d/ directory that doing something with /etc/audit/rules.d/audit.rules is necessary.

What is however even more confusing is, where does the content of that /etc/audit/rules.d/audit.rules file come from? Because on default rpm installation, it is empty:

$ docker run --rm registry.fedoraproject.org/fedora:30 bash -c 'dnf install -y /etc/audit/rules.d/audit.rules && ls -la /etc/audit/rules.d/audit.rules'
Fedora Modular 30 - x86_64                      704 kB/s | 2.7 MB     00:03
Fedora Modular 30 - x86_64 - Updates            1.6 MB/s | 2.4 MB     00:01
Fedora 30 - x86_64 - Updates                    3.3 MB/s |  19 MB     00:05
Fedora 30 - x86_64                              4.0 MB/s |  70 MB     00:17
Last metadata expiration check: 0:00:01 ago on Tue Aug 13 20:01:59 2019.
Dependencies resolved.
================================================================================
 Package     Arch       Version                              Repository   Size
================================================================================
Installing:
 audit       x86_64     3.0-0.9.20190507gitf58ec40.fc30      updates     229 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 229 k
Installed size: 985 k
Downloading Packages:
audit-3.0-0.9.20190507gitf58ec40.fc30.x86_64.rp 1.2 MB/s | 229 kB     00:00
--------------------------------------------------------------------------------
Total                                           208 kB/s | 229 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : audit-3.0-0.9.20190507gitf58ec40.fc30.x86_64           1/1
  Running scriptlet: audit-3.0-0.9.20190507gitf58ec40.fc30.x86_64           1/1
  Verifying        : audit-3.0-0.9.20190507gitf58ec40.fc30.x86_64           1/1

Installed:
  audit-3.0-0.9.20190507gitf58ec40.fc30.x86_64

Complete!
-rw-------. 1 root root 0 Aug 13 20:02 /etc/audit/rules.d/audit.rules

So what mechanism populates that "-a task,never" that we see on machine (non-container) installations?
It is a copy of 10-no-audit.rules unless it can't find it and then it just does a touch of the file. This happens in the %post install phase.
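An added example (not part of this bug thread or the audit package) that reproduces the merge described in the comments above offline and flags the case where a "-a task,never" line from the no-audit rule set neuters the module-load syscall rules. It assumes a rules.d directory merged in sorted filename order with "-D" hoisted to the top, which is only an approximation of what augenrules does; the rule files are constructed here from the contents quoted in the report.

```shell
#!/bin/sh
# merge_rules DIR: approximate augenrules by emitting every "-D" line first,
# then the remaining lines of DIR/*.rules in sorted filename order
# (shell glob expansion is sorted, so "audit.rules" follows "43-*.rules").
merge_rules() {
    cat "$1"/*.rules | grep -- '^-D' || true
    cat "$1"/*.rules | grep -v -- '^-D' || true
}

# check_rules RULES_TEXT: print "suppressed" if a task,never rule sits alongside
# syscall (-S) rules, "ok" if syscall rules are present without it, and
# "no-syscall-rules" if nothing is being audited at syscall level at all.
check_rules() {
    active=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' || true)
    if ! printf '%s\n' "$active" | grep -q -- '-S '; then
        echo "no-syscall-rules"; return 0
    fi
    if printf '%s\n' "$active" | grep -Eq -- '^-a[[:space:]]+(task,never|never,task)'; then
        echo "suppressed"; return 0
    fi
    echo "ok"
}

# demo: build a constructed rules.d with the two files from the report, check
# the merged result, then apply the remediation from the thread (remove the
# no-audit file) and check again. Prints "<before> <after>".
demo() {
    dir=$(mktemp -d)
    cat > "$dir/43-module-load.rules" <<'EOF'
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
EOF
    # Constructed copy of the 10-no-audit.rules content installed as audit.rules.
    printf '%s\n' '-D' '-a task,never' > "$dir/audit.rules"
    before=$(check_rules "$(merge_rules "$dir")")
    rm "$dir/audit.rules"
    after=$(check_rules "$(merge_rules "$dir")")
    rm -rf "$dir"
    echo "$before $after"
}
```

Running check_rules against the real generated /etc/audit/audit.rules (cat it into the function) gives the same three-way verdict for a live system.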
Ah. So the difference in behaviour in containers vs. outside of containers comes from the tsflags=nodocs and from the fact that /usr/share/doc/audit/ does not exist there. Would it make sense to move the /usr/share/doc/audit/rules content some place where it would exist even when documentation is not desired in the installation? It feels especially wrong to depend on this optional %doc content in %post for setting up the behaviour of the daemon.
OK. That sounds like a good explanation. I'd have to think about moving the files. They have been there for so long everyone is trained to go there for rules. I'm not sure where else to put them if not doc. /usr/share/audit maybe.
Yes, something like /usr/share/audit/template-rules. And there can still be a symlink /usr/share/doc/audit/rules -> /usr/share/audit/template-rules so that any tools and humans who are used to the original location will still be able to find the content.
OK, I'll make a change on F31. It won't be backported. I'll get back with details later.
Upstream commit f515921 now places the audit rules in /usr/share/audit/sample-rules/
FEDORA-2019-43be205355 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-43be205355
FEDORA-2019-4485e41c97 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-4485e41c97
audit-3.0-0.15.20191104git1c2f876.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-43be205355
audit-3.0-0.15.20191104git1c2f876.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4485e41c97
audit-3.0-0.15.20191104git1c2f876.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
audit-3.0-0.15.20191104git1c2f876.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.