RH415 - incorrect usage of auditd/auditctl

Hi,

I'm going through the RH415 course on RHLS, RHEL 7.5.

Section 6.6 - "Guided Exercise: Writing Custom Audit Rules"
The auditctl command in step 2.1 doesn't add a watch for the directory /bin but for the symlink /bin, which points to /usr/bin. Only the symlink file is watched. Due to this, the ausearch command in step 2.2 doesn't return the audit event associated with the execution of /bin/true. It only returns the event triggered by the addition of the new rule; this is also shown in the output in the course (type=CONFIG_CHANGE).
The correct command to add a watch (in 2.1) should be:
auditctl -w /usr/bin/ -p x -F "auid>=500" -F "euid=0" -k privileged-execution
Note the change of /bin to /usr/bin which is the directory containing executable "true".
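The pitfall described above (watching the symlink /bin instead of the directory it points to) can be avoided by resolving the path before building the rule. The following is an added example, not code from the course or from the thread; the function names and the scratch directory tree are assumptions, and the rule is printed rather than executed:

```shell
#!/bin/sh
# Added example: build an auditctl watch rule on the real directory behind a
# path, so a symlink such as /bin -> /usr/bin is not watched in place of its target.

resolve_watch_path() {
    # Follow the symlink (and any intermediate ones) to the canonical path.
    readlink -f -- "$1"
}

build_exec_watch_rule() {
    # $1: requested path, $2: audit key name (hypothetical helper).
    # Prints the auditctl invocation for the resolved directory; it does not run it.
    dir=$(resolve_watch_path "$1") || return 1
    printf 'auditctl -w %s/ -p x -F "auid>=500" -F "euid=0" -k %s\n' "${dir%/}" "$2"
}

demo() {
    # Constructed scratch tree where "bin" is a symlink to "usr/bin", mirroring
    # the merged-/usr layout of RHEL 7; the printed rule names usr/bin, not bin.
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/bin"
    ln -s usr/bin "$tmp/bin"
    build_exec_watch_rule "$tmp/bin" privileged-execution
    rm -rf "$tmp"
}
```

On a real host, compare `readlink -f /bin` with the path used in the rule before loading it, and confirm with `auditctl -l` that the watch lists the resolved directory.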

Re: RH415 - incorrect usage of auditd/auditctl

Hey Daniel,
thanks for reporting this. I will get in touch with the RH415 team to let them know about the issue.

Re: RH415 - incorrect usage of auditd/auditctl

Hey, @Razique,

Thanks for jumping in - this is actually a known bug and it's most probably going to be addressed in the next update.

Cheers,
Grega

Re: RH415 - incorrect usage of auditd/auditctl

Thanks Grega.

Re: RH415 - incorrect usage of auditd/auditctl

I found another issue in the same course - in section 5.4 "Guided Exercise: Modifying the PAM Configuration", step 2.6 - logical expression "!root&student" isn't a correct expression to exclude users root and student. The correct expression should be "!root&!student" but it won't work. The expression provided in the course works but only because there's a bug in pam_time. I filed a bug report here: https://github.com/linux-pam/linux-pam/issues/124.

Re: RH415 - incorrect usage of auditd/auditctl

What is the current student workbook version?