We have added new audit rules to the configuration file /etc/audit/rules.d/audit.rules as shown below:

 

# vi /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -S clock_settime -k time-change
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale

 

But, these configurations does not reflected.

# auditctl -l
No rules

 

Note: On CentOS/RHEL 6, the configuration file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules.

 

Solution

 

1. The first thing to check here is the rule’s syntax and correct if it is wrong. For example, you can manually run the rule you have configured in the configuration file. You should see the syntax error on the command line when you run the command. For example:

# auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -S clock_settime -k time-change
Syscall name unknown: stime
The audit system is in immutable mode, no rule changes allowed

 

2. Correct the rule argument “-S time” and restart the system. The restart is required to disable the auditd immutable mode.

 

3. Post reboot, all of the audit rule will reflect.

# auditctl -l
-a always,exit -F arch=x86_64 -S adjtimex,settimeofday,time,clock_settime -F key=time-change
-a always,exit -F arch=x86_64 -S sethostname,setdomainname -F key=system-locale

 

If you set the incorrect syntax in /etc/audit/rules.d/audit.rules configuration file, auditd stop the rule registration. So, all of the rules after incorrect syntax line, will not reflect.

 

Esta resposta foi útil? 0 Utilizadores acharam útil (0 Votos)