On Fri, Jul 13, 2012 at 10:35 AM, Vaughn, Chad M <[email protected]> wrote:
> Has anybody had any issues with auditd causing a panic upon restart or
> shutdown? We are using Redhat 5.4 with base auditd. We have diskless
> clients, thus the /etc and /var are being served from an NFS server. The
> following rules cause the system to panic when we try to /etc/init.d/auditd
> restart or just shut the system down. We have hundreds of other Redhat
> clients with local disks and have not had any problems with these rules
> until we tried diskless and NFS.
>
> We can comment out the rules listed below and then no problem, but we want
> to watch /etc and /var. I assume it’s something to do with NFS but can’t
> track it down. Any ideas? Thanks.
There was an issue with watch rules. Eric had a patch back in April that I
thought was supposed to land upstream for 3.5 but I don't see it on
git.kernel.org. I'm not sure if this would be affecting you since I think
the -F dir= are tree rules rather than watch rules. Do you have any actual
watch rules installed?

> Example of rules entries that are expected to be causing issues:
>
> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>
> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>
> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>
> --
> Regards,
> Chad Vaughn
> [email protected]
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

--
Peter Moody
Google
1.650.253.7306
Security Engineer
pgp:0xC3410038
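Peter's question turns on whether the installed rules are watch rules (`-w PATH`) or directory tree rules (`-F dir=PATH`), which the kernel handles through different mechanisms. The shell script below is an added example, not code from this thread or from the audit project: it classifies the entries of a file written in audit.rules syntax into watch, tree and plain syscall rules and lists the paths each covers. The sample rules file it builds is constructed for the demonstration; the two `-w` entries in it are invented and the `-a` entries copy the post's chmod rules.

```shell
#!/bin/sh
# Added example: classify audit rules (audit.rules syntax) as watch rules
# (-w PATH), directory tree rules (-F dir=PATH) or other syscall rules.
# Operates on a rules file such as /etc/audit/audit.rules (assumed path).

# Constructed sample rules file so the script runs offline.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# chmod family on /etc and /var, as in the original post (tree rules)
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
# constructed watch rules, the kind Peter asks about
-w /etc/passwd -p wa -k identity
-w /var/log/audit -p wa -k auditlog
# a plain syscall rule with neither a watch nor a dir= filter
-a always,exit -F arch=b64 -S execve -k exec
EOF

# strip_comments FILE -> rule lines only (no comments, no blank lines)
strip_comments() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# count_rules FILE KIND -> number of rules of KIND: "watch", "tree" or "other"
count_rules() {
    strip_comments "$1" | awk -v kind="$2" '
        {
            if ($1 == "-w")               k = "watch";
            else if ($0 ~ /-F[ \t]+dir=/)  k = "tree";
            else                           k = "other";
            if (k == kind) n++;
        }
        END { print n + 0 }
    '
}

# list_paths FILE KIND -> the path covered by each watch or tree rule, one per line
list_paths() {
    strip_comments "$1" | awk -v kind="$2" '
        kind == "watch" && $1 == "-w" { print $2 }
        kind == "tree" {
            # the directory is the token following "-F", in the form dir=PATH
            for (i = 1; i < NF; i++)
                if ($i == "-F" && $(i+1) ~ /^dir=/) {
                    sub(/^dir=/, "", $(i+1)); print $(i+1)
                }
        }
    '
}

echo "watch rules: $(count_rules "$SAMPLE_RULES" watch)"
echo "tree rules:  $(count_rules "$SAMPLE_RULES" tree)"
echo "other rules: $(count_rules "$SAMPLE_RULES" other)"
echo "tree-watched directories:"
list_paths "$SAMPLE_RULES" tree
```

Point the functions at a real rules file (`count_rules /etc/audit/audit.rules watch`) to answer the question from the reply: a non-zero watch count means `-w` rules are loaded alongside the `-F dir=` tree rules the post shows, and the two kinds can be tested separately when narrowing down which one triggers the panic.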
