KB-9441: Default audit rules in CentOS 7.3 conflicts with Advanced monitoring

Centrify DirectAudit

22 November 2017 at 10:59 PM

Problem: Advanced Monitoring is not functioning properly on CentOS v7.3. 

Cause: The default audit rules shipped with CentOS v7.3 conflict with the files and directories that DirectAudit monitors.

DirectAudit receives no audit events when the customer edits /etc/hosts because of these conflicting default rules:

-w /etc/hosts -p wa -k system-locale
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

This is a limitation of the Linux audit architecture: the audit system tags each event with the key of the first rule it matches. In this case the event is sent with the key "system-locale". DirectAudit, however, only processes events tagged with the keys "cda_file_monitor_attr" or "cda_file_monitor_write", so the event is never picked up.
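As an added example (not part of the KB article or of Centrify's tooling), the shell script below applies that first-match behaviour to a constructed auditd rules file and reports which monitored paths would have their events tagged with a foreign key; the rules file contents and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Centrify code. auditd tags an event with the key of the
# FIRST rule it matches, so an existing "-w" watch on a path that DirectAudit
# monitors shadows the cda_file_monitor_* keys DirectAudit expects.

# first_watch_key RULES_FILE PATH
#   Prints the key of the first "-w" rule whose watched path is PATH or a
#   parent directory of PATH; returns 1 when no watch rule covers PATH.
first_watch_key() {
    awk -v target="$2" '
        $1 == "-w" {
            path = $2
            sub(/\/$/, "", path)          # treat "/etc/foo/" like "/etc/foo"
            if (path == target || index(target, path "/") == 1) {
                key = "(no key)"
                for (i = 3; i < NF; i++) if ($i == "-k") key = $(i + 1)
                print key
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# report_shadowed RULES_FILE PATH...
#   Lists each monitored PATH whose events an earlier watch rule would
#   claim; returns 1 if at least one conflict was found.
report_shadowed() {
    rules=$1; shift; rc=0
    for p in "$@"; do
        if key=$(first_watch_key "$rules" "$p"); then
            printf 'CONFLICT: %s -> key "%s"\n' "$p" "$key"
            rc=1
        fi
    done
    return $rc
}

# Constructed rules file (hypothetical) echoing the /etc/hosts line from the
# article, plus a directory watch to show recursive coverage.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
-w /etc/hosts -p wa -k system-locale
-w /etc/sudoers.d/ -p wa -k scope
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -k perm_mod
EOF
report_shadowed "$tmp" /etc/hosts /etc/sudoers.d/admins /etc/passwd || true
rm -f "$tmp"
```

Run it against /etc/audit/audit.rules instead of the constructed file to see which of your monitored paths are already claimed by an earlier watch before enabling Advanced Monitoring.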

Workaround:  

Please follow this procedure (still needs one reboot):

  • Run "dacontrol -n".
  • Delete the file /etc/audit/audit.rules.prev (if it exists).
  • Modify the file /etc/audit/rules.d/audit.rules to remove the line "-e 2".
  • Run "/sbin/augenrules".
  • Run "auditctl -R /etc/audit.rules".
    After the next reboot, the auditing system is back in its original state.
    Then run "dacontrol -m" to enable monitoring.

Resolution: This issue is fixed in Suite 2017.2.
