Yes, I also have watch rules for files in /etc and those do not seem to be a problem.

Such as:

-w /etc/sudoers -p rwxa -k sro

-----Original Message-----
From: Peter Moody [mailto:[email protected]]
Sent: Friday, July 13, 2012 12:47 PM
To: Vaughn, Chad M
Cc: [email protected]
Subject: EXTERNAL: Re: Issues with auditd kernel panic and nfs mounts

On Fri, Jul 13, 2012 at 10:35 AM, Vaughn, Chad M <[email protected]> wrote:
> Has anybody had any issues with auditd causing a panic upon restart or
> shutdown? We are using Redhat 5.4 with base auditd. We have diskless
> clients, thus the /etc and /var are being served from an NFS server.
> The following rules cause the system to panic when we try to
> /etc/init.d/auditd restart or just shut the system down. We have
> hundreds of other Redhat clients with local disks and have not had any
> problems with these rules until we tried diskless and NFS.
>
> We can comment out the rules listed below and then no problem, but we
> want to watch /etc and /var. I assume it's something to do with NFS
> but can't track it down. Any ideas? Thanks.

There was an issue with watch rules. Eric had a patch back in April that I thought was supposed to land upstream for 3.5 but I don't see it on git.kernel.org. I'm not sure if this would be affecting you since I think the -F dir= are tree rules rather than watch rules. Do you have any actual watch rules installed?

> Example of rules entries that are expected to be causing issues:
>
> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>
> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>
> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>
> --
> Regards,
> Chad Vaughn
> [email protected]
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

--
Peter Moody
Google
1.650.253.7306
Security Engineer
pgp:0xC3410038

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
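The thread turns on which rules are file-system watches (`-w`, or `-F path=`) versus tree rules (`-a ... -F dir=`), and on the fact that the paths involved sit on NFS. The script below is an added example, not code from the thread or from the audit project: it parses audit.rules syntax by flag, classifies each rule by that syntax alone, and joins the watched path or tree root against a /proc/mounts table to list the rules that land on an NFS export, which is the set a diskless client would comment out first when bisecting a panic like the one reported. The rules and mount table are constructed samples modelled on the thread (the host name `nfsserver`, the export paths and the `exec` rule are invented). Note that auditctl itself may treat a `-w` on a directory as a tree; this script does not try to replicate that and reports what the syntax says.

```python
"""Classify audit rules and flag those anchored on NFS-mounted paths.

Added example, not code from the linux-audit thread or the audit project.
Classification is purely syntactic: -w / -F path= -> 'watch', -F dir= -> 'tree',
anything else -> 'syscall'. Sample rules and mount table are constructed.
"""
import os
import shlex

# Constructed sample rules: the shapes used in the thread plus one path-less rule.
SAMPLE_RULES = """\
# watch rule on a single file
-w /etc/sudoers -p rwxa -k sro
# tree rules (directory subtrees) on /etc and /var
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
# syscall rule with no path at all (invented for contrast)
-a always,exit -F arch=b64 -S execve -k exec
"""

# Constructed /proc/mounts for a diskless client: /etc and /var come from NFS.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
nfsserver:/export/clients/host1/etc /etc nfs rw,vers=3,addr=10.0.0.5 0 0
nfsserver:/export/clients/host1/var /var nfs rw,vers=3,addr=10.0.0.5 0 0
tmpfs /dev/shm tmpfs rw 0 0
"""

NFS_TYPES = {"nfs", "nfs4"}


def parse_rules(text):
    """Return dicts with kind ('watch' | 'tree' | 'syscall'), path, key and raw line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        rule = {"kind": "syscall", "path": None, "key": None, "raw": line}
        i = 0
        while i < len(argv):
            flag = argv[i]
            if flag == "-w":                      # watch on a path
                rule["kind"], rule["path"] = "watch", argv[i + 1]
                i += 2
            elif flag == "-k":                    # rule key, useful for grouping
                rule["key"] = argv[i + 1]
                i += 2
            elif flag == "-F":
                field = argv[i + 1]
                if field.startswith("dir="):      # tree rule rooted at a directory
                    rule["kind"], rule["path"] = "tree", field[len("dir="):]
                elif field.startswith("path="):   # -F path= is the field form of -w
                    rule["kind"], rule["path"] = "watch", field[len("path="):]
                i += 2
            elif flag in ("-a", "-A", "-d", "-S", "-p", "-W"):
                i += 2                            # flags that take one argument
            else:
                i += 1                            # -D, -e, etc.: no argument we care about
        rules.append(rule)
    return rules


def parse_mounts(text):
    """Return (mountpoint, fstype) pairs from /proc/mounts-formatted text."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            # /proc/mounts escapes spaces in mount points as \040
            mounts.append((parts[1].replace("\\040", " "), parts[2]))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match of path against mount points; None if nothing matches."""
    norm = os.path.normpath(path)
    best = None
    for mp, fstype in mounts:
        if norm == mp or norm.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype)
    return best


def rules_on_nfs(rules_text, mounts_text):
    """Return (kind, path, mountpoint, key) for each rule whose path is on NFS."""
    mounts = parse_mounts(mounts_text)
    hits = []
    for rule in parse_rules(rules_text):
        if rule["path"] is None:
            continue
        found = mount_for(rule["path"], mounts)
        if found is not None and found[1] in NFS_TYPES:
            hits.append((rule["kind"], rule["path"], found[0], rule["key"]))
    return hits


if __name__ == "__main__":
    for kind, path, mp, key in rules_on_nfs(SAMPLE_RULES, SAMPLE_MOUNTS):
        print(f"{kind:7s} {path:15s} on NFS mount {mp} (key {key})")
```

On a real host, feed it the live files (`open('/etc/audit/audit.rules').read()` and `open('/proc/mounts').read()`); the output gives the rule/mount pairs to comment out one group at a time when reproducing the restart panic, and the `tree` vs `watch` column answers the question Peter asks above without having to eyeball each `-F` field.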
