Bug 1226418

Summary: yast2-audit-laf rules are not preserved across reboots
Product: [openSUSE] openSUSE Distribution
Reporter: Henryk Hecht <nvbugs>
Component: YaST2
Assignee: YaST Team <yast-internal>
Status: CONFIRMED ---
QA Contact: Jiri Srain <jsrain>
Severity: Enhancement
Priority: P5 - None
Version: Leap 15.6
Target Milestone: ---
Hardware: x86-64
OS: Other
URL: https://trello.com/c/gOKBwrda
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Henryk Hecht 2024-06-17 07:18:57 UTC
With yast2-audit-laf-4.6.0-150600.1.2 on a fresh Leap 15.6 install:
The Yast audit module provides a tab "rules for 'auditctl'" that allows one to edit the audit rules for the system.  Unfortunately, any changes made here are lost on reboot, and are thus somewhat useless (and confusingly so).

The reason is that augenrules.service runs augenrules --load.  The manpage says:

  ...merges all component audit rules files, found in the audit rules directory, /etc/audit/rules.d, placing the merged file in /etc/audit/audit.rules

I.e., it overwrites /etc/audit/audit.rules, as this is not part of the merge set.  Yast loads from and saves to audit.rules only, so it is essentially ephemeral.

This is clearly wrong, but I am not sure what the correct behavior here should be.  If Yast edits e.g., /etc/audit/rules.d/yast.rules, then users will falsely get the idea that they are editing all the rules, rather than just some of them.  This is likely to be confusing in a different way, especially as the default configuration contains "-a task,never", which disables all syscall (and thus, even more confusingly, filesystem watch) rules.  The alternative would be to continue to edit audit.rules but disable augenrules.service.  In the latter case, rules.d should probably not be part of the package, as it would be ignored.  Or perhaps yast can only display a warning, instead of the edit widget, if there is anything in rules.d and augenrules.service is enabled?  None of this seems fully satisfactory.

The underlying problem is how the audit software handles configuration files, of course: augenrules is both less flexible and distinctly un-Linuxy compared to e.g., the #includedir of sudoers.  Changing this would probably be confusing in yet a different way, however.
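The overwrite described in the report can be reproduced without root and without the real augenrules binary. The script below is an added example (it is not part of the bug report, of yast2-audit-laf, or of the audit package): it mimics the documented merge of rules.d/*.rules into audit.rules inside a scratch directory, appends a rule directly to audit.rules the way the YaST tab does, and checks whether that rule survives the next "load". The file name 10-no-audit.rules and the "-a task,never" line match what the report says Leap ships; the rest of the layout is constructed for the demo, and the merge is a simplification (plain concatenation in glob order, no comment stripping, nothing loaded into the kernel).

```shell
#!/bin/sh
# Added example, not code from the bug report or from yast2-audit-laf.
# Mimics what `augenrules --load` does to /etc/audit/audit.rules using a
# scratch directory so the "edits vanish on reboot" effect can be observed.

# simulate_augenrules ROOT
# Rebuilds ROOT/audit.rules from ROOT/rules.d/*.rules (glob order), discarding
# whatever audit.rules contained before. Simplified: no comment stripping,
# no kernel interaction.
simulate_augenrules() {
    root=$1
    out="$root/audit.rules"
    : > "$out"
    for f in "$root"/rules.d/*.rules; do
        [ -e "$f" ] || continue
        cat "$f" >> "$out"
    done
}

# rules_survive_reload ROOT RULE
# Appends RULE to ROOT/audit.rules (as the YaST tab does), runs the simulated
# merge, and returns 0 if the rule is still there, 1 if it was discarded.
rules_survive_reload() {
    root=$1
    rule=$2
    printf '%s\n' "$rule" >> "$root/audit.rules"
    simulate_augenrules "$root"
    grep -qxF -- "$rule" "$root/audit.rules"
}

# has_never_task_rule ROOT
# Detects the "-a task,never" line from the stock 10-no-audit.rules, which
# disables all syscall and filesystem-watch rules merged after it.
has_never_task_rule() {
    grep -qsE '^[[:space:]]*-a[[:space:]]+task,never' "$1"/rules.d/*.rules
}

# make_demo_root
# Creates a constructed /etc/audit-like layout: empty audit.rules plus the
# default 10-no-audit.rules (content reduced to its one relevant line).
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/rules.d"
    : > "$root/audit.rules"
    printf '%s\n' '-a task,never' > "$root/rules.d/10-no-audit.rules"
    printf '%s\n' "$root"
}

# Demo: a watch rule written straight into audit.rules does not survive.
demo_root=$(make_demo_root)
if rules_survive_reload "$demo_root" '-w /etc/passwd -p wa -k identity'; then
    echo "rule survived the augenrules merge"
else
    echo "rule discarded: audit.rules was rebuilt from rules.d/"
fi
if has_never_task_rule "$demo_root"; then
    echo "note: rules.d contains '-a task,never'; syscall rules placed after it are inert"
fi
rm -rf "$demo_root"
```

The same functions show the fix the report sketches: writing the rule to a file under rules.d (for instance a hypothetical 50-yast.rules, a name assumed here for illustration) makes it survive the merge, while audit.rules itself remains a generated artifact.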
Comment 1 Stefan Hundhammer 2024-06-17 08:01:04 UTC
First observation: That code has not changed at all for at least two years on the YaST side.

  https://github.com/yast/yast-audit-laf

That implies that this behavior is very unlikely to be new.
Comment 2 Stefan Hundhammer 2024-06-17 08:05:55 UTC
Further inspection shows that the real code is very old; most of it goes back to 2008-2010. Later changes were only minor.

  https://github.com/yast/yast-audit-laf/blob/master/package/yast2-audit-laf.changes

It doesn't seem to be widely used; I can't recall any bug reports about it in recent years.

This whole module is probably a hot candidate for dropping.
Comment 3 Henryk Hecht 2024-06-18 00:53:37 UTC
If the code is that old, it dates from audit-1.x, which is before augenrules and the inclusion of 10-no-audit.rules -> audit.rules as the baseline configuration.  So its behavior makes sense with contemporary versions of audit.

I am unsurprised that the module is unpopular: there are probably very few people actively and directly using audit in the first place, and the yast module isn't required/recommended by anything, so it's hard to know that it's there.  But the rule editing probably hasn't worked properly since at least 2015, so if this is the first bug report of that, it seems really no one at all is using it, and dropping it may be reasonable.

If not, the other three tabs still seem to work, so maybe it could be salvaged by either making it edit /etc/audit/rules.d/audit.rules instead of /etc/audit/audit.rules, or else just scrapping the rules editing portion.