Linux – Auditd is not logging events for some watched files

centoslinux

We have configured auditd to log all access to certain critical files. The system runs WebLogic Server and we want to know if anyone is trying to poke around sensitive system files, such as the domain configuration file, encryption salt, et cetera. In some cases on some systems in the past, this worked as expected, but recently it has not, and I am at my wits' end trying to figure out why. So I am going against my nature and seeking outside assistance with this issue.

Relevant data points and possible leads I have been investigating:

We recently picked up an updated system image with a new kernel version.
The system image is OEL5 (essentialy RHEL5/CentOS 5)
When I reboot the system, it only loads a minimal ruleset:

    # auditctl -l
    LIST_RULES: exit,always dir=/etc/audit (0xa) perm=wa key=auditsys
    LIST_RULES: exit,always dir=/var/log/audit (0xe) perm=wa key=auditsys

Despite the full rules file still being in place.

When I try to restart the audit daemon (service auditd restart), I get the following error message:

Error sending add rule data request (No such file or directory)
There was an error in line 30 of /etc/audit/audit.rules

which turns out to be because one of the files we have told it to watch does not exist yet. I resolve this by creating the file manually, and repeat for every subsequent error. It seems to me therefore that one cannot have the audit daemon watch a path pre-emptively and report initial creation of a given file.

Can anyone suggest a workaround or alternative solution to this issue?

Best Answer

Two thoughts here:

1) Consider using a -i in your rules file.

"Ignore errors when reading rules from a file. This causes auditctl to always return a success exit code."

This keeps parsing on errors and picks up other rules. Otherwise, you end up with only the rules before the error. Obviously there is downside here, but sometimes it's better to have the correct rules in place regardless.

2) A simple hack to address directories/files that are not around at startup is to restart/reload auditd once the system reaches it's running state.

Related Solutions

Disable SSH Password Login – How to Disable SSH Login with Password for Some Users

Try Match in sshd_config:

Match User user1,user2,user3,user4
    PasswordAuthentication no

Or by group:

Match Group users
    PasswordAuthentication no

Or, as mentioned in the comment, by negation:

Match User !root
    PasswordAuthentication no

Note that match is effective "until either another Match line or the end of the file." (the indentation isn't significant)

Nginx not logging errors to log files

The Nginx syntax is correct here, so the issue has to do with the server environment. Here are some things you can do to debug it.

Simulate what the web server would be doing. Attempt to write to the file using the same user the web server would use. If the web server user is nginx, then try this as root: su -m nginx -c 'echo "testing">>/var/www/example.com/logs/example.com_error.log'
Watch what the web server is doing. As a temporary debugging measure, at the top level of your Nginx config add daemon off. Then stop Nginx and start with it strace nginx | tee nginx-output.txt. It will then run in the foreground and spew all the system calls it makes to STDOUT, which will also be captured in nginx-output.txt. Do Something to trigger the error, and then you can stop Nginx, remove the "daemon" line and start it normally while your review the debugging log. Search in it for mentions of the file name in question. Perhaps you'll find it there, with an error returned from the system call trying to access the file.

Another possibility is that you disagree with Nginx about what should be appearing in the error log. If nginx -V | grep debug gets a result, then you can change the last argument to error_log from error to debug. Reload Nginx and hit a URL that doesn't exist at the domain, this should generate lots of logging. Turn off debug logging when done.

Best Answer

Related Solutions

Disable SSH Password Login – How to Disable SSH Login with Password for Some Users

Nginx not logging errors to log files

Related Topic