Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-9441: Default audit rules in CentOS 7.3 conflicts with Advanced monitoring

Auditing and Monitoring Service ,  

22 November,17 at 10:59 PM

Problem: Advanced Monitoring is not functioning properly on CentOS v7.3. 

Cause: This is caused by default audit rules that are set up on CentOS v7.3 which will conflict with the directories that DirectAudit monitors.
 

The reason that DirectAudit cannot receive any audit events when the customer edits the file /etc/hosts is because of these conflicting rules:

-w /etc/hosts -p wa -k system-locale
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

This is a limitation of the system auditing architecture that the audit system just sends the event with the key from the first matched rule. So, in this case, the key "system-locale" is sent. However DirectAudit only processes events that have the key "cda_file_monitor_attr" and "cda_file_monitor_write".

Workaround:  

Please follow this procedure (still needs one reboot):

  • run "dacontrol -n"
  • delete the file /etc/audit/audit.rules.prev (if it exists)
  • modify the file /etc/audit/rules.d/audit.rules to remove the line "-e 2"
  • run "/sbin/augenrules"
  • run "auditctl -R /etc/audit.rules"
    Now the auditing system is reverting back to the original state after the next reboot.
    Please to run "dacontrol -m" to enable monitoring.

Resolution: This issue is fixed in Suite 2017.2.

 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6041: How to show current license type in use by adclient articleKB-9565: Enable DirectControl and DirectAudit functionalities inside Docker Container articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal?