RHEL-40110

augenrules exits with 1 when audit is in immutable mode

    • Bug
    • Resolution: Done-Errata
    • Normal
    • rhel-9.5
    • rhel-9.4
    • audit
    • audit-3.1.5-1.el9
    • 2
    • rhel-sst-security-special-projects
    • ssg_security
    • 26
    • QE ack
    • Yes
    • Red Hat Enterprise Linux
    • SECENGSP Cycle 6, SECENGSP Cycle 7
    • Bug Fix
      .Audit in the immutable mode no longer prevents `auditd` from starting

      Previously, if the Audit system was set to the immutable mode by adding the `-e 2` rule, the `augenrules` command exited with a return code of 1 instead of 0 when restarting the `auditd` service or running the `augenrules --load` command. Consequently, the system interpreted the return code of 1 as an error, and this prevented it from starting `auditd` at boot. With this update, `augenrules` exits with a zero return code when Audit is set to the immutable mode, and the system can correctly start `auditd` in this scenario.
    • Done
    • x86_64

      The augenrules command exits with 1 whenever the audit system has been set to immutable mode via "-e 2". Up until RHEL 9.3 (audit-3.0.7-104.el9.x86_64) it used to exit with 0.

      Steps to reproduce

      1. Set audit in immutable mode by adding "-e 2" as an audit rule.
      2. # service auditd restart
      3. Either restart auditd again or run "augenrules --load"

      Expected results

      augenrules should exit with 0 instead of 1, as with previous versions.

      Actual results

      augenrules exits with 1, which is considered an error.

       

      This seems to be related to this upstream bug report where it was fixed. If the upstream augenrules script is used, it exits normally:

      [root@r94 sbin]# auditctl -s|grep enabled
      enabled 2
      [root@r94 sbin]# augenrules --load
      /usr/sbin/augenrules: No change
      [root@r94 sbin]# echo $?
      1
      [root@r94 sbin]# ./augenrules.upstream --load
      ./augenrules.upstream: No change
      ./augenrules.upstream: Audit system is in immutable mode - exiting with no changes
      [root@r94 sbin]# echo $?
      0
      [root@r94 sbin]#  
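For hosts still on an affected build, a provisioning or hardening script can check for immutable mode before calling `augenrules --load`, so that the exit code of 1 described above is not mistaken for a failed rule load. This is an added example, not code from the issue or the audit package; the function names and the `AUDITCTL`/`AUGENRULES` override variables are assumptions made so it can be exercised offline.

```shell
#!/bin/sh
# Added example: audit_enabled_flag, safe_load, AUDITCTL, AUGENRULES and
# SAMPLE_STATUS are hypothetical names, not part of the audit package.

# Constructed sample of `auditctl -s` output for offline checks.
SAMPLE_STATUS='enabled 2
failure 1
pid 812'

# Print the "enabled" value from `auditctl -s` output read on stdin
# (0 = disabled, 1 = enabled, 2 = enabled and immutable).
# Fails if the field is missing, so a parse error is never read as "mutable".
audit_enabled_flag() {
    awk '$1 == "enabled" { print $2; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Load rules only when the kernel will accept them.
# Returns 0 when the audit system is immutable (rules cannot change until
# reboot), 2 when the audit status cannot be determined, and otherwise the
# exit code of augenrules itself, so genuine load errors still surface.
safe_load() {
    status=$("${AUDITCTL:-auditctl}" -s) || return 2
    flag=$(printf '%s\n' "$status" | audit_enabled_flag) || return 2
    if [ "$flag" = 2 ]; then
        echo "audit is immutable (enabled 2): rule load skipped" >&2
        return 0
    fi
    "${AUGENRULES:-augenrules}" --load
}
```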

              rh-ee-alakatos Attila Lakatos
              rhn-support-jsantos Juan Santos
              Sergio Correia
              Natália Bubáková
              Mirek Jahoda