You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Happened to notice we were missing audit data for a bunch of our hosts (O_O...compliance requirements). Seems some RHEL update stops auditd (or crashes it) and Chef is not addressing the situation by starting it again at any point in our hourly runs. Digging in, I found the following.
Chef 13.12.3
auditd cookbook 2.3.4
RHEL 7.6
...
Recipe: auditd::default
* yum_package[audit] action install (up to date)
* service[auditd] action enable (up to date)
...
Here you can see that kauditd is running, but that is notauditd
[m26560@cnide-db ~]$ pgrep --exact auditd
[m26560@cnide-db ~]$ ps -ef | grep auditd
root 96 2 0 Sep26 ? 00:00:35 [kauditd]
[m26560@cnide-db ~]$ sudo systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Wed 2018-12-05 04:45:20 EST; 2 days ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Main PID: 649 (code=exited, status=0/SUCCESS)
Dec 05 04:45:20 cnide-db auditd[649]: The audit daemon is exiting.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
[m26560@cnide-db ~]$
The text was updated successfully, but these errors were encountered:
Happened to notice we were missing audit data for a bunch of our hosts (O_O...compliance requirements). Seems some RHEL update stops auditd (or crashes it) and Chef is not addressing the situation by starting it again at any point in our hourly runs. Digging in, I found the following.
Chef 13.12.3
auditd cookbook 2.3.4
RHEL 7.6
Here you can see that kauditd is running, but that is not
auditdThe text was updated successfully, but these errors were encountered: