
Re: iptables changes triggering audit messages, despite auditd not being installed



Firstly, apologies for double-posting the issue originally.

On 5 May 2016 at 13:05, shawn wilson <ag4ve.us@gmail.com> wrote:
>
> On May 5, 2016 6:03 AM, "Tony Evans" <gnomtrix@gmail.com> wrote:
>>
>
>> I can't find why the log entries are being created (i.e. I know the
>> trigger, but I can't work out why that trigger is now generating log
>> entries when it wasn't doing that before I installed and removed
>> auditd).
>>
>
> I'm guessing the removal script didn't delete the audit rules which reside
> in kernel memory. If I'm correct, a reboot will fix this. I'd probably
> consider that a bug (if I'm right) and confirm and submit a report to the
> maintainer.

That doesn't really explain what I'm seeing - I only added one rule
when I first installed it, and it was nothing to do with iptables or
anything near the directories it is using.  Additionally, when I
reinstalled auditd, the messages stop (and start again when it's
removed).

Can I query the kernel rules (without auditctl)?

I'm happy (and comfortable) raising this as a bug (although it is
7.10, I may test and see if I can recreate on 8), but wanted to check
first if there was somewhere I could dig for more information about
where the trigger / rule is stored (without auditctl, since it's not
installed any longer).

-- 
Tony Evans
'A learning experience is one of those things that say, "You know that
thing you just did? Don't do that."'  Douglas Adams.
Photos: http://www.flickr.com/photos/eightbittony/   |   Blog:
http://perceptionistruth.com/

