audit rules configured in RHEL 7 and 8 do not work in RHEL 6
Issue
- We have this rules set up in the file
audit.rules
:
-w /usr/bin/chown -p x -k executionChown
-w /usr/bin/chmod -p x -k executionChmod
-a exit,never
-a user,never
-a exclude,never -F msgtype=avc
-a exclude,never -F msgtype=LOGIN
-a exclude,never -F msgtype=CRED_DISP
-a exclude,never -F msgtype=USER_END
-a exclude,never -F msgtype=USER_ACCT
-a exclude,never -F msgtype=CRED_ACQ
-a exclude,never -F msgtype=USER_START
-a exclude,never -F msgtype=CRED_REFR
-a exclude,never -F msgtype=USER_AUTH
But the audit.log
does not show any logs after executing chmod/chown commands.
Environment
- Red Hat Enterprise Linux 6.x
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.