Bug
Resolution: Unresolved
rhel-8.10
Moderate
rhel-sst-security-special-projects
ssg_security
- Audit rule for monitoring files under /usr/lib/modules/ should successfully load during service start.
x86_64
h3. What were you trying to do that didn't work?
- Loading an audit rule monitoring a file like /usr/lib/modules/testdir/testfile fails during service start.
h3. What is the impact of this issue to you?
- Audit rules not loaded at audit service start
h3. Please provide the package NVR for which the bug is seen:
audit-3.1.2-1.el8.x86_64
h3. How reproducible is this bug?
Always
h3. Steps to reproduce
# mkdir /usr/lib/modules/testdir/
# touch /usr/lib/modules/testdir/testfile
# auditctl -D
# echo "-a always,exit -F path=/usr/lib/modules/testdir/testfile -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" > /etc/audit/rules.d/protectedpath.rules
# service auditd restart
# systemctl status auditd
# tail /var/log/messages
# auditctl -l
# auditctl -R /etc/audit/audit.rules
# auditctl -l
h3. Expected results
Rules (and following ones) added without error during service start
h3. Actual results
Error, no rule loaded after the one looking for /usr/lib/modules/<dir>/<file>
Sep 16 10:02:56 rhel8.10 auditd[37713]: Init complete, auditd 3.1.2 listening for events (startup state enable)
Sep 16 10:02:56 rhel8.10 augenrules[37732]: Error sending add rule data request (No such file or directory)
If I reload the rules with `auditctl -R /etc/audit/audit.rules` or `/sbin/augenrules --load`, it works.
The issue is due to the option {{ProtectKernelModules=true}} of the service in /usr/lib/systemd/system/auditd.service, making the files in /usr/lib/modules not accessible.
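A pre-flight check for the condition described in this report, as an added example (not part of the original report and not code from the audit project): it lists the rules in a rules file that reference the kernel module directory when a unit file sets ProtectKernelModules to true. The function names and the sample files are constructed for illustration, and /lib/modules is matched on the assumption that it is a symlink to /usr/lib/modules.

```shell
#!/bin/sh
# Flag audit rules that watch paths under the kernel module directory when
# the auditd unit enables ProtectKernelModules, the condition this report
# identifies as making such rules fail to load at service start.

# Succeeds if the last ProtectKernelModules= assignment in unit file $1 is true.
unit_protects_modules() {
    val=$(sed -n 's/^[[:space:]]*ProtectKernelModules[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$val" in
        1|yes|true|on) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints non-comment rules in $1 that reference /usr/lib/modules or
# /lib/modules through -F path=, -F dir= or -w.
rules_under_modules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -E '(-F[[:space:]]+(path|dir)=|-w[[:space:]]+)(/usr)?/lib/modules(/|[[:space:]]|$)'
}

# Prints affected rules and returns 1 when unit $1 would block rules in file $2.
check_audit_rules() {
    unit_protects_modules "$1" || return 0
    hits=$(rules_under_modules "$2") || return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample input: a minimal unit fragment and a rules file holding
# the rule from the report plus an unrelated watch rule.
demo() {
    tmp=$(mktemp -d)
    printf '[Service]\nProtectKernelModules=true\n' > "$tmp/auditd.service"
    cat > "$tmp/sample.rules" <<'EOF'
# constructed sample
-a always,exit -F path=/usr/lib/modules/testdir/testfile -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-w /etc/passwd -p wa -k identity
EOF
    if check_audit_rules "$tmp/auditd.service" "$tmp/sample.rules"; then
        echo "no affected rules"
    else
        echo "rules above will not load at service start"
    fi
    rm -rf "$tmp"
}
demo
```

On a real host, pass /usr/lib/systemd/system/auditd.service and /etc/audit/audit.rules to `check_audit_rules`; the check reads only that one unit file, not drop-in overrides.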