Bug 1985630 - Shipped /usr/share/audit/sample-rules/ *.rules cannot be used on all supported architectures
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: audit
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: beta
Target Release: ---
Assignee: Sergio Correia
QA Contact: Martin Zelený
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-24 13:42 UTC by Jan Pazdziora (Red Hat)
Modified: 2021-12-07 22:08 UTC (History)

Fixed In Version: audit-3.0.2-3.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-12-07 22:04:56 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Flags: pm-rhel: mirror+



Description Jan Pazdziora (Red Hat) 2021-07-24 13:42:05 UTC
Description of problem:

Attempting to use *.rules files from /usr/share/audit/sample-rules/ causes augenrules --load to fail on aarch64.

Version-Release number of selected component (if applicable):

audit-3.0.2-1.el9.aarch64

How reproducible:

Deterministic.

Steps to Reproduce:
1. cd /usr/share/audit/sample-rules/ && cp 10-base-config.rules 11-loginuid.rules 30-ospp*.rules 43-module-load.rules /etc/audit/rules.d/
2. service auditd stop && systemctl start auditd
3. systemctl status auditd
4. augenrules --load

Actual results:

● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-07-24 09:16:31 EDT; 6s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 1111 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 1115 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
   Main PID: 1112 (auditd)
      Tasks: 2 (limit: 7048)
     Memory: 1008.0K
        CPU: 204ms
     CGroup: /system.slice/auditd.service
             └─1112 /sbin/auditd

Jul 24 09:16:31 machine.example.com augenrules[1145]: enabled 1
Jul 24 09:16:31 machine.example.com augenrules[1145]: failure 1
Jul 24 09:16:31 machine.example.com augenrules[1145]: pid 1112
Jul 24 09:16:31 machine.example.com augenrules[1145]: rate_limit 0
Jul 24 09:16:31 machine.example.com augenrules[1145]: backlog_limit 8192
Jul 24 09:16:31 machine.example.com augenrules[1145]: lost 0
Jul 24 09:16:31 machine.example.com augenrules[1145]: backlog 0
Jul 24 09:16:31 machine.example.com augenrules[1145]: backlog_wait_time 60000
Jul 24 09:16:31 machine.example.com augenrules[1145]: backlog_wait_time_actual 0
Jul 24 09:16:31 machine.example.com systemd[1]: Started Security Auditing Service.

/usr/sbin/augenrules: No change
Syscall name unknown: open
There was an error in line 10 of /etc/audit/audit.rules
No rules
enabled 1
failure 1
pid 1112
rate_limit 0
backlog_limit 8192
lost 0
backlog 2
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 1112
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 1112
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0

Expected results:

Process: 1115 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)

No augenrules error.

Additional info:

It is weird that the /usr/lib/systemd/system/auditd.service lists

ExecStartPost=-/sbin/augenrules --load

with that leading - sign. That means that a broken .rules configuration is not indicated as an auditd.service failure, making the admin think they have the system auditing correctly according to what they have in /etc/audit/rules.d/, when in fact the rules did not get reloaded and did not get applied.

Comment 1 Steve Grubb 2021-07-26 15:08:08 UTC
aarch64 does not have the open syscall. Just delete it from the rules. Will add a note in the rules that it's expected that they need to be fine tuned for the arch they are deployed on.

Comment 2 Jan Pazdziora (Red Hat) 2021-07-26 15:24:16 UTC
The whole purpose of the change done in bug 1767054 was to ship rules files that can be easily copied or linked and ideally tested by QE without any fine-tuning needed, definitely not tuning related to even using the rules on a given platform (31-privileged.rules is an exception documented in README-rules). The rules files need to be updated to exclude the open lines on aarch64, either at build time or at runtime.

Comment 3 Jan Pazdziora (Red Hat) 2021-07-28 10:23:00 UTC
On ppc64le with the same Steps to Reproduce, I see

  There was an error in line 7 of /etc/audit/audit.rules

which is line

  -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify

Would you prefer separate bugzilla for ppc64le, or turning this bugzilla into "Shipped /usr/share/audit/sample-rules/ *.rules cannot be used on all supported architectures"?

Comment 5 Sergio Correia 2021-07-28 12:28:11 UTC
(In reply to Jan Pazdziora from comment #3)

[...]

> Would you prefer separate bugzilla for ppc64le, or turning this bugzilla
> into "Shipped /usr/share/audit/sample-rules/ *.rules cannot be used on all
> supported architectures"?

I don't feel strongly about it, but I like your "Shipped /usr/share/audit/sample-rules/ *.rules cannot be used on all supported architectures" suggestion.
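
A pre-flight check for the situation in this bug, added here as an example and not part of the audit package: given a per-architecture syscall table (the one below is constructed and abbreviated; on a real host it would be populated from that machine's kernel syscall table, e.g. via ausyscall), it reports the syscall names a rules file uses that the target architecture does not have, and implements the runtime variant of the exclusion Jan asks for in comment 2 by pruning those names before the rules reach augenrules. The sample rules are constructed in the style of the shipped 30-ospp rules, not copied from them.

```python
# Constructed, abbreviated table (machine -> audit arch label -> syscalls); aarch64's b64 table lacks `open`, the mismatch behind this bug.
KNOWN_SYSCALLS = {
    "aarch64": {
        "b64": {"openat", "open_by_handle_at", "init_module", "finit_module"},
        "b32": {"open", "openat", "open_by_handle_at", "init_module"},
    },
}
# Constructed sample in the style of the shipped 30-ospp rules, not the real file.
SAMPLE_RULES = [
    "-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F key=user-modify",
    "-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F key=user-modify",
    "-w /etc/sudoers -p wa -k actions",
]

def _parse(line):
    """(tokens, arch, indices of -S values) for an `-a ... -F arch=X -S ...` rule."""
    toks = line.split()
    arch = next((t[len("arch="):] for t in toks if t.startswith("arch=")), None)
    if not toks or toks[0] != "-a" or "-S" not in toks or arch is None:
        return None, None, ()  # comments, -w watches, control and arch-less lines
    return toks, arch, [i + 1 for i, t in enumerate(toks[:-1]) if t == "-S"]
def _is_known(name, known):  # `all` and numeric syscall ids load on any arch
    return name == "all" or name.isdigit() or name in known

def unknown_syscalls(lines, machine, table=KNOWN_SYSCALLS):
    """Report [(line_no, arch, syscall)] for names the arch's table lacks."""
    found = []
    for n, line in enumerate(lines, 1):
        toks, arch, s_idx = _parse(line)
        if toks is None:
            continue
        known = table[machine].get(arch, set())
        for j in s_idx:
            found += [(n, arch, s) for s in toks[j].split(",") if not _is_known(s, known)]
    return found

def prune_rules(lines, machine, table=KNOWN_SYSCALLS):
    """Runtime fix: strip unknown names from -S lists; drop rules left with none."""
    kept = []
    for line in lines:
        toks, arch, s_idx = _parse(line)
        if toks is None:
            kept.append(line)  # pass watches, comments and control lines through
            continue
        known = table[machine].get(arch, set())
        for j in s_idx:
            toks[j] = ",".join(s for s in toks[j].split(",") if _is_known(s, known))
        if all(toks[j] for j in s_idx):
            kept.append(" ".join(toks))
    return kept
```

Running the check against /etc/audit/rules.d/*.rules before starting auditd catches the "Syscall name unknown" failure that the unit's ExecStartPost=- prefix would otherwise hide.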

