Has anybody had any issues with auditd causing a panic upon restart or 
shutdown?  We are using Redhat 5.4 with base auditd. We have diskless clients, 
thus the /etc and /var are being served from an NFS server. The following rules 
cause the system to panic when we try to /etc/init.d/auditd restart or just 
shut the system down.   We have hundreds of other Redhat clients with local 
disks and have not had any problems with these rules until we tried diskless 
and NFS.

We can comment out the rules listed below and then no problem, but we want to 
watch /etc and /var. I assume it's something to do with NFS but can't track it 
down.  Any ideas? Thanks.

Example of rules entries that are expected to be causing issues:

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro

-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro

-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro


--
Regards,
Chad Vaughn
[email protected]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
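
When narrowing down which rules to comment out on a diskless client, it helps to know which watched paths actually sit on NFS. The script below is an added example, not part of the original post: it matches each rule's dir=/path= field or -w watch against a mount table and prints the rules that land on an nfs or nfs4 mount. The function name, the sample mount table and the sample rules are constructed for illustration, and rules are assumed to be one per line.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: nfs_audit_rules RULES_FILE [MOUNTS_FILE]   (MOUNTS_FILE in /proc/mounts format)
# Prints: target <TAB> fstype <TAB> rule, for every rule whose target is on NFS.
nfs_audit_rules() {
    awk '
    NR == FNR { fstype[$2] = $3; next }      # mount table: a later mount overrides
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-F" && $(i+1) ~ /^(dir|path)=/) {
                target = $(i+1); sub(/^[^=]*=/, "", target)
            } else if ($i == "-w") target = $(i+1)
        }
        if (target == "") next
        best = ""                            # longest mount point containing target
        for (mp in fstype) {
            pre = (mp == "/") ? "/" : (mp "/")
            if (index((target "/"), pre) == 1 && length(mp) > length(best)) best = mp
        }
        if ((best in fstype) && fstype[best] ~ /^nfs4?$/)
            printf "%s\t%s\t%s\n", target, fstype[best], $0
    }' "${2:-/proc/mounts}" "$1"
}

# Constructed sample data (hypothetical diskless layout, not taken from the post).
tmp=$(mktemp -d)
cat > "$tmp/mounts" <<'EOF'
tmpfs / tmpfs rw 0 0
nfs-server:/export/etc /etc nfs rw 0 0
nfs-server:/export/var /var nfs rw 0 0
tmpfs /var/run tmpfs rw 0 0
EOF
cat > "$tmp/rules" <<'EOF'
# constructed rules
-a always,exit -F arch=b32 -S chmod -F auid>=100 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chmod -F auid>=100 -F dir=/var -k sro
-w /var/run/utmp -p wa -k session
-w /etc/passwd -p wa -k identity
EOF
nfs_audit_rules "$tmp/rules" "$tmp/mounts"
```

On a live client, call it with only the rules file (for example /etc/audit/audit.rules) so the mount table is read from /proc/mounts.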