audit rule problem

LC Bruzenak lenny at magitekltd.com
Wed Nov 15 17:06:31 UTC 2017


On 11/14/2017 05:38 PM, LC Bruzenak wrote:
> System:
> Linux audit 2.6.32-696.3.2.el6.x86_64 #1 SMP Wed Jun 7 11:51:39 EDT 
> 2017 x86_64 x86_64 x86_64 GNU/Linux
> userspace audit-2.4.5-3
> Red Hat Enterprise Linux Client release 6.9 (Santiago)
>
> I changed this line in /etc/audit/audit.rules from:
> -a exit,always  -F arch=b64 -S mount -S umount2 -k mount
> to this:
> -a exit,always  -F arch=b64 -S mount -S umount2 -F subj_type!=nothing_t -k mount
>
> Reloaded my rules, and now doing (as root):
> # umount /boot; mount /boot
>
> no longer produces audit events. I did this because on another system 
> (mls policy, with lots of custom types) I lost the events once I 
> included some custom types installed and operational on the system, so 
> I was just trying to reduce this to a reproducible case. I can almost 
> see that a non-existent type might fail, but it maybe should fail to 
> load?

Ugh.
Looks like the entire problem was a non-existent subject type; I had a 
typo in the mls policy case.
So the rules accept a type which does not exist, does not warn, and then 
fails to report all events.
That's my story and I'm sticking to it...

Thx,
LCB

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com

