Display auditd messages with journalctl

All systems running systemd come with a powerful tool for reviewing the system journal: journalctl. It allows you to get a quick look at the system journal while also allowing you to heavily customize your view of the log. I logged into a server recently that was having a problem and I found that the audit logs weren’t going into syslog. That’s no problem - they’re in the system journal. The system journal was filled with tons of other messages, so I decided to limit the output only to messages from the auditd unit:...

2017-01-05 · 3 min · Major Hayden

augenrules fails with “rule exists” when loading rules into auditd

When I came back from the holiday break, I found that the openstack-ansible-security role wasn’t passing tests any longer. The Ansible playbook stopped when augenrules ran to load the new audit rules. The error wasn’t terribly helpful: /usr/sbin/augenrules: No change Error sending add rule data request (Rule exists) There was an error in line 5 of /etc/audit/audit.rules A duplicated rule? I’ve been working on lots of changes to implement the Red Hat Enterprise Linux 7 Security Technical Implementation Guide (STIG) and I assumed I put in the same rule twice with an errant copy and paste....

2017-01-03 · 2 min · Major Hayden