Unable to audit systemd events
Issue
An audit rule is in place that should log events generated by systemd (PID 1); however, no events with pid 1
are ever logged.
An example rule that tracks every syscall made by PID 1 (systemd):
# auditctl -a always,exit -S all -F pid=1 -F key=systemd
# auditctl -l
LIST_RULES: exit,always pid=1 (0x1) key=systemd syscall=all
Trace systemd with strace to confirm that it is making syscalls that should generate audit events:
# strace -c -p 1
Process 1 attached
^CProcess 1 detached
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 31.88    0.000051          13         4           epoll_wait
 26.87    0.000043          22         2           read
 11.25    0.000018           9         2           open
 10.62    0.000017           9         2           munmap
  9.38    0.000015           2         8         2 recvmsg
  6.25    0.000010           5         2           mmap
  1.88    0.000003           2         2           close
  1.88    0.000003           2         2           timerfd_settime
  0.00    0.000000           0         2           fstat
  0.00    0.000000           0         4           clock_gettime
------ ----------- ----------- --------- --------- ----------------
100.00    0.000160                    30         2 total
No new audit events with our key have been logged since the rule was added:
# ausearch -ts recent -k systemd
<no matches>
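A diagnostic added here (it is not part of the Red Hat article and does not reproduce its resolution) that checks the two preconditions for a pid=1 rule to fire. It rests on the kernel behaviour that a task is only given a syscall-audit context at fork time if auditing is already enabled, so PID 1, which is forked before auditd can start, needs audit=1 on the kernel command line; the helper names and the sample command line and rule listing are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the Red Hat article): decide whether a pid=1
# audit rule can be expected to produce events on the current boot.
#
# Assumption behind the check: the kernel allocates a task's syscall-audit
# context at fork time only if auditing is already enabled, and PID 1 is
# forked by the kernel before auditd can run. Without audit=1 on the kernel
# command line PID 1 therefore has no audit context, so a pid=1 rule
# matches nothing even though strace shows the syscalls being made.

# audit_enabled_at_boot CMDLINE: succeeds if audit=1 is a kernel parameter
# (only this spelling is recognised).
audit_enabled_at_boot() {
    case " $1 " in
        *" audit=1 "*) return 0 ;;
        *)             return 1 ;;
    esac
}

# pid1_rule_loaded RULES: succeeds if any loaded rule filters on pid=1.
# Accepts both the "LIST_RULES: ... pid=1 (0x1) ..." form shown above and
# the "-a always,exit ... -F pid=1 ..." form printed by newer auditctl.
pid1_rule_loaded() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])pid=1([[:space:]]|$)'
}

# diagnose_pid1_audit CMDLINE RULES: prints one of
#   no-rule                    nothing filters on pid=1
#   audit-not-enabled-at-boot  rule loaded but audit=1 missing from cmdline
#   ok                         rule loaded and PID 1 has an audit context
diagnose_pid1_audit() {
    if ! pid1_rule_loaded "$2"; then
        echo no-rule
    elif ! audit_enabled_at_boot "$1"; then
        echo audit-not-enabled-at-boot
    else
        echo ok
    fi
}

# Constructed sample matching the situation above: rule loaded, no audit=1.
sample_cmdline='BOOT_IMAGE=/vmlinuz-3.10.0 root=/dev/mapper/rhel-root ro quiet'
sample_rules='LIST_RULES: exit,always pid=1 (0x1) key=systemd syscall=all'
echo "sample: $(diagnose_pid1_audit "$sample_cmdline" "$sample_rules")"

# Live check, only when run as root on a host that has auditctl installed.
if [ "$(id -u)" -eq 0 ] && command -v auditctl >/dev/null 2>&1; then
    echo "live:   $(diagnose_pid1_audit "$(cat /proc/cmdline)" "$(auditctl -l)")"
fi
```

Run it as root on the affected host to compare the constructed sample with the live verdict; a verdict of audit-not-enabled-at-boot means the rule is fine but PID 1 was never given an audit context.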
Environment
o RHEL 7.X
o audit subsystem
o systemd