Description of problem:
audit_libs are included in distribution but not audit package itself and it is required by customer for security policy. Customer does not want to be left to select version to load since it could affect support stature.

Version-Release number of selected component (if applicable):
Noted on 2.0 but also missing from 2.1

How reproducible:
N/A

Steps to Reproduce:
N/A

Actual results:

Expected results:

Additional info:
audit should be included as of RHS-2.1-20130805.n.0
Verified. 'audit' packages are available, 'auditd' is set to run at boot, 'auditd' is running on system, and log file exists.

----------------------------------------------------------------
# cat /etc/redhat-storage-release
Red Hat Storage Server 2.1

# rpm -qa | grep audit
audit-2.2-2.el6.x86_64
audit-libs-2.2-2.el6.x86_64
audit-libs-python-2.2-2.el6.x86_64

# service auditd status
auditd (pid 8753) is running...

# chkconfig --list auditd
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

# ps aux | grep audit | grep -v grep
root 1248 0.0 0.0 0 0 ? S 05:19 0:00 [kauditd]
root 1532 0.0 0.0 27656 888 ? S<sl 05:20 0:00 auditd

# ls -l /var/log/audit/audit.log
-rw------- 1 root root 174127 Aug 7 08:01 /var/log/audit/audit.log
----------------------------------------------------------------

Basic functional check performed using 'auditctl' and 'ausearch' commands.

----------------------------------------------------------------
# auditctl -w /etc/shadow -p wa -k shadow_change

# auditctl -l
LIST_RULES: exit,always watch=/etc/shadow perm=wa key=shadow_change

# passwd root
....
passwd: all authentication tokens updated successfully.

# ausearch -k shadow_change
----
time->Wed Aug 7 08:07:29 2013
type=CONFIG_CHANGE msg=audit(1375843049.672:285): auid=0 ses=3 op="add rule" key="shadow_change" list=4 res=1
----
time->Wed Aug 7 08:07:47 2013
type=PATH msg=audit(1375843067.097:287): item=4 name="/etc/shadow" inode=3670993 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=3 name="/etc/shadow" inode=3671712 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=2 name="/etc/nshadow" inode=3670993 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=1 name="/etc/" inode=3670017 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=0 name="/etc/" inode=3670017 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1375843067.097:287): cwd="/root"
type=SYSCALL msg=audit(1375843067.097:287): arch=c000003e syscall=82 success=yes exit=0 a0=7fa4d9346aa3 a1=7fa4d9346a97 a2=7fa4e0c88ed8 a3=0 items=5 ppid=2978 pid=5175 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="passwd" exe="/usr/bin/passwd" key="shadow_change"
----
time->Wed Aug 7 08:07:47 2013
type=CONFIG_CHANGE msg=audit(1375843067.097:286): auid=0 ses=3 op="updated rules" path="/etc/shadow" key="shadow_change" list=4 res=1

# auditctl -D
No rules

# auditctl -l
No rules
----------------------------------------------------------------
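
Added example, not part of the original bug report: a small Python parser that groups the 'ausearch -k shadow_change' records shown above by event serial and reports which executable touched the watched file. The function names parse_events and file_changes are hypothetical, and the sample input is a subset of the records from the comment above.

```python
import re
from collections import defaultdict

# Records copied from the ausearch output in the report (PATH items 0, 1 and 3 left out).
SAMPLE = '''\
----
time->Wed Aug 7 08:07:29 2013
type=CONFIG_CHANGE msg=audit(1375843049.672:285): auid=0 ses=3 op="add rule" key="shadow_change" list=4 res=1
----
time->Wed Aug 7 08:07:47 2013
type=PATH msg=audit(1375843067.097:287): item=4 name="/etc/shadow" inode=3670993 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1375843067.097:287): item=2 name="/etc/nshadow" inode=3670993 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1375843067.097:287): arch=c000003e syscall=82 success=yes exit=0 a0=7fa4d9346aa3 a1=7fa4d9346a97 a2=7fa4e0c88ed8 a3=0 items=5 ppid=2978 pid=5175 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="passwd" exe="/usr/bin/passwd" key="shadow_change"
----
time->Wed Aug 7 08:07:47 2013
type=CONFIG_CHANGE msg=audit(1375843067.097:286): auid=0 ses=3 op="updated rules" path="/etc/shadow" key="shadow_change" list=4 res=1
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial (the number after ':' in msg=audit(...))."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skips the '----' and 'time->' lines ausearch prints
        rtype, ts, serial, body = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
        rec.update(type=rtype, timestamp=float(ts))
        events[int(serial)].append(rec)
    return dict(events)

def file_changes(events, key):
    """One summary per SYSCALL event carrying `key`: actor, syscall, touched paths."""
    out = []
    for serial, recs in sorted(events.items()):
        sc = next((r for r in recs if r['type'] == 'SYSCALL' and r.get('key') == key), None)
        if sc is None:
            continue  # CONFIG_CHANGE events (rule added/updated) are not file access
        paths = sorted({r['name'] for r in recs if r['type'] == 'PATH' and 'name' in r})
        out.append({'serial': serial, 'exe': sc['exe'], 'auid': sc['auid'],
                    'syscall': int(sc['syscall']), 'success': sc['success'] == 'yes',
                    'paths': paths})
    return out

if __name__ == '__main__':
    print(file_changes(parse_events(SAMPLE), 'shadow_change'))
```

In the sample, syscall 82 under arch=c000003e is rename(2) on x86_64: passwd writes /etc/nshadow and renames it over /etc/shadow, which is why both names appear in event 287 and why the watch is reported as "updated rules".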
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1262.html