Regarding Auditing on RHEL 7.1

Sarthak Jain Sarthak.Jain at microfocus.com
Fri Feb 26 06:28:52 UTC 2016


Hi Steve,

Thanks for explaining the thing properly. I think I misinterpreted the meaning of "CONFIG_CHANGE", and now I understand it.

The problem which I was asking was something different. I actually have already started a different thread for that.

Thanks.

-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: Friday, February 26, 2016 1:22 AM
To: linux-audit at redhat.com
Cc: Sarthak Jain <Sarthak.Jain at microfocus.com>
Subject: Re: Regarding Auditing on RHEL 7.1

On Wednesday, February 24, 2016 07:04:08 AM Sarthak Jain wrote:
> I am Sarthak Jain working in MicroFocus. I want your small help to 
> clarify one of my doubts regarding the kernel auditing on RHEL 7.1. I 
> hope you are the right person to contact. It will take just 2 min (max :P) 
> to go through the problem.
> 
> Assumption: Ideally, if we change a configuration file (for example 
> /etc/hosts), we should be getting audit events for it.
> 
> Scenario: By default, the permissions for '/etc/hosts' are (rw-r-r--). 
> If we modify this file, then audit events are coming as attached in 
> file - 'file1.txt'.
> 
> Problem: Let's say we change the permissions of '/etc/hosts' to 
> (rw-rw-rw); then the audit system is not recording the "CONFIG_CHANGE" 
> event at all.

That is because the audit configuration has not changed. Config change events are specific to changes in the audit system itself. What you get on this is a syscall event with a path.

If you want to get events on changing permissions on a file, then you would put a rule like this:

-a always,exit -F path=/etc/hosts -F perms=a -F key=permission-change

After modifying the file with chmod, then run:

ausearch --start today -k permission-change


> I have attached the file - 'file2.txt' for your reference. Can you 
> please clarify this ? Is it a kernel level bug?

No. It's doing what it should.

-Steve
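To make Steve's distinction visible in the log itself: loading the rule with auditctl is what produces a CONFIG_CHANGE record, while the chmod on /etc/hosts produces a SYSCALL record (carrying the rule key) plus PATH records under the same event serial. The following is an added example, not code from this thread; it parses constructed audit.log lines (not the thread's file1.txt/file2.txt) and classifies each event by that rule.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt, not the thread's file1.txt/file2.txt.
# Loading the rule with auditctl yields a CONFIG_CHANGE record; the later
# chmod of /etc/hosts yields SYSCALL + CWD + PATH records that share one
# serial (the number after the colon inside msg=audit(...)).
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1456470000.101:200): auid=1000 ses=3 op=add_rule key="permission-change" list=4 res=1
type=SYSCALL msg=audit(1456470010.202:201): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=7ffd1a2b3c40 a2=1b6 a3=0 items=1 ppid=2100 pid=2134 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="permission-change"
type=CWD msg=audit(1456470010.202:201): cwd="/root"
type=PATH msg=audit(1456470010.202:201): item=0 name="/etc/hosts" inode=1234 dev=fd:01 mode=0100666 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
"""

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_log(text):
    """Group raw audit records by event serial -> list of (type, fields)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record (blank line, syslog noise, ...)
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[serial].append((rtype, fields))
    return dict(events)


def classify_events(events):
    """Tell audit-rule changes apart from the syscall events a rule produces."""
    summary = {}
    for serial, records in events.items():
        by_type = {rtype: fields for rtype, fields in records}
        if "CONFIG_CHANGE" in by_type:
            # Only the audit subsystem's own reconfiguration (auditctl -a/-d,
            # -e, ...) produces this; a chmod on /etc/hosts never will.
            cc = by_type["CONFIG_CHANGE"]
            summary[serial] = {"kind": "audit-config-change",
                               "op": cc.get("op"), "key": cc.get("key")}
        elif "SYSCALL" in by_type:
            # A watched-file change: SYSCALL carries the rule key, PATH the file.
            sc = by_type["SYSCALL"]
            paths = [f["name"] for t, f in records if t == "PATH" and "name" in f]
            modes = [f["mode"] for t, f in records if t == "PATH" and "mode" in f]
            summary[serial] = {"kind": "syscall", "syscall": sc.get("syscall"),
                               "comm": sc.get("comm"), "key": sc.get("key"),
                               "paths": paths, "mode": modes[0] if modes else None}
    return summary
```

Running `classify_events(parse_audit_log(SAMPLE_LOG))` reports serial 200 as an audit-config-change (op=add_rule) and serial 201 as a syscall event on /etc/hosts with key permission-change, which is what `ausearch -k permission-change` would show.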



