Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-9441: Default audit rules in CentOS 7.3 conflicts with Advanced monitoring

Auditing and Monitoring Service ,  

22 November,17 at 10:59 PM

Problem: Advanced Monitoring is not functioning properly on CentOS v7.3. 

Cause: This is caused by default audit rules that are set up on CentOS v7.3 which will conflict with the directories that DirectAudit monitors.
 

The reason that DirectAudit cannot receive any audit events when the customer edits the file /etc/hosts is because of these conflicting rules:

-w /etc/hosts -p wa -k system-locale
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

This is a limitation of the system auditing architecture that the audit system just sends the event with the key from the first matched rule. So, in this case, the key "system-locale" is sent. However DirectAudit only processes events that have the key "cda_file_monitor_attr" and "cda_file_monitor_write".

Workaround:  

Please follow this procedure (still needs one reboot):

  • run "dacontrol -n"
  • delete the file /etc/audit/audit.rules.prev (if it exists)
  • modify the file /etc/audit/rules.d/audit.rules to remove the line "-e 2"
  • run "/sbin/augenrules"
  • run "auditctl -R /etc/audit.rules"
    Now the auditing system is reverting back to the original state after the next reboot.
    Please to run "dacontrol -m" to enable monitoring.

Resolution: This issue is fixed in Suite 2017.2.

 

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleCentrify 16.11 & 16.11 Hotfix 1 Release Notes articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleCentrify Server Suite 2017 - What's New and What to Plan For