- Bug
- Resolution: Unresolved
- Major
- None
- rhel-9.0.0
- Major
- sst_security_special_projects
- ssg_security
- False
- x86_64
Description of problem:
Audit rules for "-F dir=/proc" fail to load on boot; the rules work if loaded manually later.
This behavior differs from RHEL 7, where the rules for /proc are loaded correctly on boot.
Version-Release number of selected component (if applicable):
audit-3.0.7-101.el9_0.2.x86_64
How reproducible:
Always
Steps to Reproduce:
1. # vi /etc/audit/rules.d/test.rules
-a never,exit -F arch=b32 -F dir=/proc -S fchmodat
2. # reboot
3. # auditctl -l
Actual results:
# auditctl -l
No rules.
Expected results:
# auditctl -l
-a never,exit -F arch=b32 -S fchmodat -F dir=/proc
Additional info:
The list of affected syscalls is actually quite extensive: the same behavior occurs with every syscall we tested. It does not occur if we use a different "-F dir=" value; so far this behavior is only present for /proc.
Another detail: if we run auditd with -f, we can see the log record below in the system boot's journal:
auditd[xxx]: type=CONFIG_CHANGE msg=audit(xxxxxxxxxx.xxx:xxx): op=remove_rule dir="/proc" key=(null) list=4 res=1
Juan Gamba
Principal Technical Support Engineer
Red Hat - Support Delivery
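The following is an added example, not part of the bug report or of the audit package: a small Python check a defender can use to confirm that the rules in /etc/audit/rules.d actually reached the kernel after boot, and to spot the CONFIG_CHANGE "op=remove_rule" record for a directory watch in the journal. It compares rules order-independently, since auditctl -l prints the -F and -S options in a different order than the rules file (as the expected results above show). All sample inputs (the rules file text, the two auditctl -l outputs and the journal lines) are constructed here to mirror the report; the function names are mine.

```python
import re
import shlex

# Constructed sample of /etc/audit/rules.d/test.rules, as in the report.
RULES_D_TEXT = """
# constructed sample rules file
-a never,exit -F arch=b32 -F dir=/proc -S fchmodat
"""

# Constructed samples of `auditctl -l` output: empty after the failing boot,
# and the same rule with reordered fields after a manual `augenrules --load`.
AUDITCTL_EMPTY = "No rules\n"
AUDITCTL_LOADED = "-a never,exit -F arch=b32 -S fchmodat -F dir=/proc\n"

# Constructed journal lines; the CONFIG_CHANGE record mirrors the one in the report
# (pid, timestamps and serials are made up).
JOURNAL = """\
auditd[612]: type=CONFIG_CHANGE msg=audit(1660000000.123:45): op=add_rule key=(null) list=4 res=1
auditd[612]: type=CONFIG_CHANGE msg=audit(1660000000.456:46): op=remove_rule dir="/proc" key=(null) list=4 res=1
auditd[612]: type=DAEMON_START msg=audit(1660000000.789:47): op=start ver=3.0.7 format=enriched res=success
"""


def canonical_rule(line):
    """Order-independent form of one auditctl syscall rule.

    The -a action is kept, -F fields and -S syscalls become sets, and any
    other options (-w, -p, -k, ...) keep their relative order.
    """
    toks = shlex.split(line)
    action = None
    fields, syscalls, other = set(), set(), []
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-a", "-A"):
            action = toks[i + 1]
            i += 2
        elif t == "-F":
            fields.add(toks[i + 1])
            i += 2
        elif t == "-S":
            syscalls.update(toks[i + 1].split(","))
            i += 2
        else:
            other.append(t)
            i += 1
    return (action, frozenset(fields), frozenset(syscalls), tuple(other))


def load_rules(text):
    """Parse rules.d text or `auditctl -l` output into a set of canonical rules.

    Comments, blank lines and the literal "No rules" message are skipped.
    """
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-"):
            continue
        rules.add(canonical_rule(line))
    return rules


def missing_rules(expected_text, auditctl_output):
    """Rules present in rules.d but absent from the running kernel."""
    return load_rules(expected_text) - load_rules(auditctl_output)


# key=value pairs in an audit record; values may be double-quoted (dir="/proc").
AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Parse the key=value part of one auditd journal line into a dict."""
    return {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}


def removed_watches(journal_text, directory="/proc"):
    """Timestamps of CONFIG_CHANGE records where auditd removed a rule on `directory`."""
    hits = []
    for line in journal_text.splitlines():
        rec = parse_audit_record(line)
        if (rec.get("type") == "CONFIG_CHANGE"
                and rec.get("op") == "remove_rule"
                and rec.get("dir") == directory):
            m = re.search(r"audit\((\d+\.\d+):\d+\)", line)
            hits.append(m.group(1) if m else None)
    return hits


if __name__ == "__main__":
    print("missing after boot:", missing_rules(RULES_D_TEXT, AUDITCTL_EMPTY))
    print("missing after manual load:", missing_rules(RULES_D_TEXT, AUDITCTL_LOADED))
    print("/proc rule removals in journal:", removed_watches(JOURNAL))
```

On a real host, replace the constructed strings with the contents of the rules.d files, the output of `auditctl -l`, and `journalctl -b -u auditd` output; a non-empty result from either function after boot is the condition described in this report.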