On Fri, Jul 13, 2012 at 10:52 AM, Vaughn, Chad M <[email protected]> wrote:
> Yes, I also have watch rules for files in /etc and those do not seem to be a
> problem.

How are you verifying that they're not a problem? Does repeatedly loading and
unloading audit rules trigger it? eg,

  while [ 1 -eq 1 ] ; do /etc/init.d/auditd start && sleep 5 && /etc/init.d/auditd stop ; done

usually triggered it within a few minutes.

> Such as:
>
> -w /etc/sudoers -p rwxa -k sro
>
> -----Original Message-----
> From: Peter Moody [mailto:[email protected]]
> Sent: Friday, July 13, 2012 12:47 PM
> To: Vaughn, Chad M
> Cc: [email protected]
> Subject: EXTERNAL: Re: Issues with auditd kernel panic and nfs mounts
>
> On Fri, Jul 13, 2012 at 10:35 AM, Vaughn, Chad M <[email protected]>
> wrote:
>> Has anybody had any issues with auditd causing a panic upon restart or
>> shutdown? We are using Redhat 5.4 with base auditd. We have diskless
>> clients, thus the /etc and /var are being served from an NFS server.
>> The following rules cause the system to panic when we try to
>> /etc/init.d/auditd restart or just shut the system down. We have hundreds
>> of other Redhat clients with local disks and have not had any problems
>> with these rules until we tried diskless and NFS.
>>
>> We can comment out the rules listed below and then no problem, but we
>> want to watch /etc and /var. I assume it's something to do with NFS
>> but can't track it down. Any ideas? Thanks.
>>
>
> There was an issue with watch rules. Eric had a patch back in April that I
> thought was supposed to land upstream for 3.5 but I don't see it on
> git.kernel.org.
>
> I'm not sure if this would be affecting you since I think the -F dir= are
> tree rules rather than watch rules. Do you have any actual watch rules
> installed?
>
>> Example of rules entries that are expected to be causing issues:
>>
>> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
>> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>>
>> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
>> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>>
>> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
>> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
>>
>> --
>> Regards,
>> Chad Vaughn
>> [email protected]
>>
>> --
>> Linux-audit mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
> --
> Peter Moody      Google    1.650.253.7306
> Security Engineer  pgp:0xC3410038

--
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
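The reply above hinges on two things: whether the loaded rule set actually contains watch rules (-w <path>) as opposed to directory tree rules (-a ... -F dir=<path>), and whether a start/stop loop reproduces the panic. The following script is an added example and is not from the thread or from the audit project; it classifies the lines of an audit.rules file by kind so the "do you have any actual watch rules installed?" question can be answered from the file, and wraps the start/stop loop from the reply in a bounded function. The sample rules it writes are constructed to resemble the ones posted; the function names and the --demo flag are this example's own, and cycle_auditd assumes a SysV auditd init script and root privileges, so it is never run by default.

```shell
#!/bin/sh
# Added example, not code from the thread.  Classify audit rules by kind
# and provide a bounded version of the restart loop used to reproduce
# the panic.  Rule kinds as used here (assumption matching the reply):
#   watch   = "-w <path> ..."            (inotify-backed watch rule)
#   tree    = "-a/-A ... -F dir=<path>"  (directory tree rule on a syscall filter)
#   syscall = any other "-a/-A" rule
#   control = everything else (-D, -b, -e, -f, ...)

# rule_kind LINE -> prints one of: comment watch tree syscall control
rule_kind() {
    line=$1
    case "$line" in
        ''|'#'*)      echo comment ;;
        '-w '*)       echo watch ;;
        '-a '*|'-A '*)
            case "$line" in
                *'-F dir='*) echo tree ;;
                *)           echo syscall ;;
            esac ;;
        *)            echo control ;;
    esac
}

# count_kind FILE KIND -> number of lines in FILE whose kind is KIND
count_kind() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        [ "$(rule_kind "$l")" = "$2" ] && n=$((n + 1))
    done < "$1"
    echo "$n"
}

# write_sample_rules FILE: constructed sample resembling the rules posted
write_sample_rules() {
    cat > "$1" <<'EOF'
-D
-b 8192
# a watch rule, the kind the reply says the April patch addressed
-w /etc/sudoers -p rwxa -k sro
# tree rules like the ones on the diskless clients
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
# a plain syscall rule with no directory attached
-a always,exit -F arch=b32 -S execve -k exec
EOF
}

# cycle_auditd N: the start/stop loop from the reply, bounded to N rounds.
# Requires root and /etc/init.d/auditd; returns non-zero on the first
# failed start or stop.  Not invoked by default.
cycle_auditd() {
    i=0
    while [ "$i" -lt "$1" ]; do
        /etc/init.d/auditd start && sleep 5 && /etc/init.d/auditd stop || return 1
        i=$((i + 1))
    done
}

# Usage: sh classify_rules.sh --demo   (prints a per-kind count of the sample)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_rules "$tmp"
    for k in watch tree syscall control; do
        printf '%s rules: %s\n' "$k" "$(count_kind "$tmp" "$k")"
    done
    rm -f "$tmp"
fi
```

To check a live system instead of the sample, point count_kind at /etc/audit/audit.rules, or at the output of `auditctl -l` saved to a file; a non-zero watch count means the loaded set does include the rule type the reply is asking about, independent of the -F dir= tree rules.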
