auditd does not work like intended

Hi everyone,

I’m just starting to dig into auditd for the first time. By that, I’m hitting a few issues, I do not understand nor find a proper answer on the internet. I hope this group of experienced experts do have answers to my questions:

In https://www.suse.com/documentation/sles-12/book_security/data/sec_audit_scenauconf.html it reads two different things in my understanding:

First:

But second, in the example below:

This is my config:

# auditctl -l -a never,task -w /etc -p rwxa -k etc #

When I chdir into /etc and execute “ls” (which should match “r” and/or “x”), nothing is written to the auditd log. First question: Why not?

When I change the config to the following:

# auditctl -l -a never,task -w /etc -p rwxa -k etc -w /etc/fstab -p wa -k fstab

and then open the /etc/fstab in vim, then change and save the file, I receive this:

type=CONFIG_CHANGE msg=audit(1555143757.679:37528): auid=1285194 ses=842 op=updated_rules path="/etc/fstab" key="fstab" list=4 res=1AUID="richtm1" type=CONFIG_CHANGE msg=audit(1555143757.679:37529): auid=1285194 ses=842 op=updated_rules path="/etc/fstab" key="fstab" list=4 res=1AUID="richtm1"

Second question: Why it states “CONFIG_CHANGE”?

When I then, with the same config for /etc/fstab, do this, nothing is written to the log, even though the file is changed by that:

# echo "" >> /etc/fstab #

Third question: Why is that?? How can I audit file changes independent on the way/tool they got changed with? How can I configure auditd to log this particular change?

Thanks for your help!

DerJudge,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run and that if your issue
is urgent or not getting a response, you might try one of the following options:

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot…

Good luck!

Your SUSE Forums Team
http://forums.suse.com