Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 155519 - highlight changes in audit message logging when auditd is enabled, possibly by default
Summary: highlight changes in audit message logging when auditd is enabled, possibly b...
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: rhel-selg
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Martin Prpič
QA Contact: ecs-bugs
Depends On:
Blocks: 149551
TreeView+ depends on / blocked
Reported: 2005-04-21 00:44 UTC by Karsten Wade
Modified: 2012-06-20 15:58 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-06-20 15:58:21 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Karsten Wade 2005-04-21 00:44:01 UTC
[NOTE - leave bug #149551 as a blocked by this bug, for tracking purposes]

## Description of document bug or feature request:

If auditd is running, and this may be in U1 (unknown to author at this writing),
audit messages _including_ AVC messages are routed by the kernel into
/var/log/audit/audit.log when auditd is alive.  If auditd is uninstalled or
disabled, audit messages are sent to syslog, which puts them in
/var/log/messages and dmesg.

This may be a major issue if auditd is included in an update to RHEL 4 _and_ is
set to run by default.  Keep this bugzilla until that is resolved, and if
necessary highlight the changes in the guide.

## Version-Release number
## This is found on the legalnotice.html page and on this page with
## instructions:

rhel-selg(EN)-4-HTML-RHI (2005-02-15-T16:20)

## Additional information?

Comment 1 Karsten Wade 2005-04-23 01:48:44 UTC
From Stephen Smalley:

"Another change that will need to be highlighted is the impact
of the patch referenced below, which has already been submitted for
inclusion in a RHEL4 update by IBM (U2, I would guess?).  This patch
will require users who want to retain the process-related information
(pid, exe) for an avc message to enable syscall auditing (i.e. boot with
audit=1 or use auditctl -e 1 or appropriate auditd configuration) and
glean it from the subsequent syscall audit record with the same
timestamp/serial rather than directly from the avc message itself.  In
addition to avoiding the deadlock issue which motivated the patch, this
will also avoid improper attribution of certain permission denials (e.g.
denials upon packet receipt like tcp_recv, udp_recv, rawip_recv, and
recv_msg) to an unrelated process, which has confused people in the
past.  And it will allow people to get the comm information, which
although untrustworthy and possibly truncated, is nonetheless helpful in
debugging when scripts are invoked (to see the script name rather than
the interpreter as reported by the exe=). "

Comment 2 Karsten Wade 2005-04-23 01:49:34 UTC
(comments from Steve Grubb)

> But is it also as simple as 'service audit stop' and 'chkconfig audit
> off'?  


> Then the kernel will pass the audit messages to syslog?  


> Are any audit messages dropped or not created when auditd is not running?

Syslog is not guaranteed to catch everything - especially if using remote 
logging. Its rare that two back to back messages will be identical, but 
syslog does compression when messages are the same.

Comment 3 Karsten Wade 2006-03-30 19:14:19 UTC
No longer a member of the documentation group, reassgning to group manager to

Comment 4 Michael Hideo 2007-06-06 04:42:01 UTC
Adding 'cc for tracking

Comment 5 Michael Hideo 2007-10-23 02:49:07 UTC
Removing automation notification

Comment 6 David O'Brien 2008-01-15 02:00:42 UTC
No longer involved in RHEL Deployment Guide. Reassign to Don

Comment 9 John 2008-05-19 18:36:58 UTC
Took over from what I thought was a fresh install.  RHEL 4 WS 64 Bit.  System 
shipped in Dec 07 or Jan 08 from Vendor, preloaded.  I was able to execute 
auditd and auditcntl but out of the box my system has not folder called audit 
in the var/logs directory.  Personally created and placed a audit.rules in 
the /etc but a audit.log file has not been auto generated, do I need to create 
a audit.log file and place it in var/logs/audit/ and expect it to populate via 
the auditd executeable?

Comment 10 Greg Bruce 2008-06-04 21:15:41 UTC
(In reply to comment #9)
Should be able to run: service auditd start, stop, status, restart
Check /etc/auditd.conf, first line is where logs are written to. Make sure
destination file has permissions of 640 set otherwise it will not write to file.

Comment 11 Jiri Pallich 2012-06-20 15:58:21 UTC
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. 
Please See

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.

Note You need to log in before you can comment on or make changes to this bug.