  1. RHEL
  2. RHEL-80363

Audit rules are not listed as configured.


    • Bug
    • Resolution: Not a Bug
    • rhel-9.5
    • audit
    • rhel-security-special-projects
    • ssg_security

      Additional syscalls are appended to audit rules with audit version >= audit-3.1.5.el9

       

      
      [root@rhel9 ~]# auditctl -a always,exit -F arch=b64 -S creat -F path=/etc/ssh/sshd_config -F perm=wa
      
      [root@rhel9 ~]# auditctl -l
      -a always,exit -F arch=b64 -S open,bind,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,chmod,fchmod,chown,fchown,lchown,mknod,acct,swapon,quotactl,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,openat,mkdirat,mknodat,fchownat,unlinkat,renameat,linkat,symlinkat,fchmodat,fallocate,renameat2,openat2 -F path=/etc/ssh/sshd_config -F perm=wa
       

       

       

      Is this an intentional change or a bug? 

      Looks like the following commit has something to do with this

      https://github.com/linux-audit/audit-userspace/commit/31d079ce32266aa0c8fe08061d8c7f30adb6fe91#diff-de293ef11852330d016a59e9621796f69fef761076c1f4560c3ddbb2b91059ca

              rh-ee-alakatos Attila Lakatos
              rhn-support-adibrahi Adam Ibrahim Ahmat
              Sergio Correia Sergio Correia
              SSG Security QE SSG Security QE
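
A compliance check that compares the rule as entered with the `auditctl -l` output by exact string reports the rule above as missing, even though a rule with the same fields is loaded. The following is an added example, not code from the issue or from the audit project: it accepts a listed rule when its action and `-F` fields match and its `-S` list contains every requested syscall. The function names and the subset criterion are assumptions of this example.

```python
import shlex

# Both lines are taken from the issue: the rule as entered and as listed.
ENTERED = "-a always,exit -F arch=b64 -S creat -F path=/etc/ssh/sshd_config -F perm=wa"
LISTED = (
    "-a always,exit -F arch=b64 -S open,bind,truncate,ftruncate,rename,mkdir,"
    "rmdir,creat,link,unlink,symlink,chmod,fchmod,chown,fchown,lchown,mknod,"
    "acct,swapon,quotactl,setxattr,lsetxattr,fsetxattr,removexattr,"
    "lremovexattr,fremovexattr,openat,mkdirat,mknodat,fchownat,unlinkat,"
    "renameat,linkat,symlinkat,fchmodat,fallocate,renameat2,openat2 "
    "-F path=/etc/ssh/sshd_config -F perm=wa"
)


def parse_rule(line):
    """Split a syscall rule into (action set, syscall set, sorted field list)."""
    action, syscalls, fields = frozenset(), set(), []
    tokens = iter(shlex.split(line))
    for opt in tokens:
        value = next(tokens, None)
        if value is None:
            raise ValueError(f"option {opt!r} has no value")
        if opt == "-a":
            action = frozenset(value.split(","))  # "always,exit" == "exit,always"
        elif opt == "-S":
            syscalls.update(value.split(","))
        elif opt in ("-F", "-C"):
            fields.append(f"{opt} {value}")
        else:
            raise ValueError(f"unsupported option {opt!r}")
    return action, syscalls, sorted(fields)


def rule_is_loaded(expected, listing):
    """True if a listed rule has the same action and fields as `expected`
    and its -S list contains every syscall `expected` asked for."""
    want_action, want_sys, want_fields = parse_rule(expected)
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("-a "):
            continue  # skip watches (-w), "No rules" and blank lines
        action, syscalls, fields = parse_rule(line)
        if action == want_action and fields == want_fields and want_sys <= syscalls:
            return True
    return False


if __name__ == "__main__":
    print("exact string match:", ENTERED in LISTED.splitlines())
    print("field and syscall-subset match:", rule_is_loaded(ENTERED, LISTED))
```
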