Description
Summary:
Audit logs are not generated for PKI files when they are removed or modified, despite the directory being monitored.
Build:
Fedora release 42 (Adams)
dogtag-pki-11.7.0-0.1.alpha1.20250605161812UTC.ed0bb297.fc42.x86_64
COPR: @pki/master
Steps to reproduce:
- Install the necessary PKI packages
- Install CA and KRA subsystems
- Configure auditctl
- Configure to watch this directory /var/log/pki/topology-02-KRA/
# auditctl -w /var/log/pki/topology-02-KRA/ -p wa -k rhcs_audit_deletion
Old style watch rules are slower
Verify that the rule was created
[root@pki1 pki-pytest-ansible]# auditctl -l
-a never,task
-w /etc/pki/topology-02-CA/ca/CS.cfg -p wxa -k rhcs_audit_config
-w /etc/pki/topology-02-CA/server.xml -p wxa -k rhcs_audit_config
-w /etc/pki/topology-02-KRA/kra/CS.cfg -p wxa -k rhcs_audit_config
-w /etc/pki/topology-02-KRA/server.xml -p wxa -k rhcs_audit_config
-w /var/log/pki/topology-02-CA -p wa -k rhcs_audit_deletion
-w /var/log/pki/topology-02-KRA -p wa -k rhcs_audit_deletion
Create some files to test with
touch /var/log/pki/topology-02-CA/test{1..10}.txt
Check ausearch --interpret -k rhcs_audit_deletion
Note the last message
Remove the test files
rm -rf /var/log/pki/topology-02-CA/test{1..10}.txt
Check again -- note that there are no records for the deleted files; the same applies when trying chmod, etc.:
ausearch --interpret -k rhcs_audit_deletion
type=CONFIG_CHANGE msg=audit(06/07/2025 00:46:59.921:7584) : auid=fedora ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key=rhcs_audit_deletion list=exit res=yes
type=CONFIG_CHANGE msg=audit(06/07/2025 00:47:16.648:7585) : auid=fedora ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key=rhcs_audit_deletion list=exit res=yes
# touch /var/log/pki/topology-02-CA/test{1..10}.txt
[root@pki1 pki-pytest-ansible]# ll /var/log/pki/topology-02-CA/test*
-rw-r--r--. 1 root root 0 Jun 7 00:55 /var/log/pki/topology-02-CA/test10.txt
-rw-r--r--. 1 root root 0 Jun 7 00:50 '/var/log/pki/topology-02-CA/test[1..10].txt'
-rw-r--r--. 1 root root 0 Jun 7 00:55 /var/log/pki/topology-02-CA/test1.txt
-rw-r--r--. 1 root root 0 Jun 7 00:55 /var/log/pki/topology-02-CA/test2.txt
-rw-r--r--. 1 root root 0 Jun 7 00:55 /var/log/pki/topology-02-CA/test3.txt
-rw-r--r--. 1 root root 0 Jun 7 00:55 /var/log/pki/topology-02-CA/test4.txt
-rw-r--r--. 1 root root 0 Jun 7 00:55 /var/log/pki/topology-02-CA/test5.txt
-rw-r--r--. 1 root root 0 Jun 7 00:55 /var/log/pki/topology-02-CA/test6.txt
-rw-r--r--. 1 root root 0 Jun 7 00:55 /var/log/pki/topology-02-CA/test7.txt
-rw-r--r--. 1 root root 0 Jun 7 00:55 /var/log/pki/topology-02-CA/test8.txt
-rw-r--r--. 1 root root 0 Jun 7 00:55 /var/log/pki/topology-02-CA/test9.txt
-rw-r--r--. 1 root root 0 Jun 7 00:49 /var/log/pki/topology-02-CA/test.txt
[root@pki1 pki-pytest-ansible]# rm -rf /var/log/pki/topology-02-CA/test{1..10}.txt
[root@pki1 pki-pytest-ansible]# ll /var/log/pki/topology-02-CA/test*
-rw-r--r--. 1 root root 0 Jun 7 00:50 '/var/log/pki/topology-02-CA/test[1..10].txt'
-rw-r--r--. 1 root root 0 Jun 7 00:49 /var/log/pki/topology-02-CA/test.txt
Running `ausearch --interpret -k rhcs_audit_deletion` again shows no new records: only the two CONFIG_CHANGE entries from loading the rule are present, and no SYSCALL/PATH records for the touch or rm. Note that the `auditctl -l` listing above also contains `-a never,task`, which disables syscall auditing for every process started after it was loaded; if that rule is in effect, the file watches are not expected to fire, so this is likely worth ruling out first.
type=CONFIG_CHANGE msg=audit(06/07/2025 00:46:59.921:7584) : auid=fedora ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key=rhcs_audit_deletion list=exit res=yes
type=CONFIG_CHANGE msg=audit(06/07/2025 00:47:16.648:7585) : auid=fedora ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key=rhcs_audit_deletion list=exit res=yes
Expected Results:
Expected audit records to appear when files in a monitored directory are removed or modified
Actual Results:
Audit logs do not show any updates