* Bad Rule?
From: warron.french @ 2021-07-08 14:26 UTC (permalink / raw)
To: Linux Audit
I am required to place the following rule into my audit configurations, but
when I do auditd will stop loading rules from this particular rule forward
to the end.
-a always,exit -F path= /etc/NetworkManager/ -F perm=wa -F key=system-locale
The rule immediately above it was:
-a exit,never -F dir=/usr/local/share/macrovision/storage -k exclude
If I hash out the syntax including NetworkManager all rules load, but
unhashed it stops loading rules from that point to the end.
--------------------------
Warron French
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
* Re: Bad Rule?
From: Steve Grubb @ 2021-07-08 15:07 UTC (permalink / raw)
To: linux-audit
On Thursday, July 8, 2021 10:26:57 AM EDT warron.french wrote:
> I am required to place the following rule into my audit configurations, but
> when I do auditd will stop loading rules from this particular rule forward
> to the end.
>
> -a always,exit -F path= /etc/NetworkManager/ -F perm=wa -F
> key=system-locale
There is a space between path= and /etc. Usually systemd puts auditctl
messages in syslog/journal.
-Steve
* Re: Bad Rule?
From: warron.french @ 2021-07-08 17:33 UTC (permalink / raw)
To: Steve Grubb; +Cc: Linux Audit
Ah! that was a typo in my email typing, since I could not copy paste from
where the syntax was to my email I was typing.
Thanks Steve.
--------------------------
Warron French
On Thu, Jul 8, 2021 at 11:11 AM Steve Grubb <sgrubb@redhat.com> wrote:
> On Thursday, July 8, 2021 10:26:57 AM EDT warron.french wrote:
> > I am required to place the following rule into my audit configurations,
> but
> > when I do auditd will stop loading rules from this particular rule
> forward
> > to the end.
> >
> > -a always,exit -F path= /etc/NetworkManager/ -F perm=wa -F
> > key=system-locale
>
> There is a space between path= and /etc. Usually systemd puts auditctl
> messages in syslog/journal.
>
> -Steve
* Re: Bad Rule?
From: Richard Guy Briggs @ 2021-07-08 18:46 UTC (permalink / raw)
To: warron.french; +Cc: Linux Audit
On 2021-07-08 13:33, warron.french wrote:
> Ah! that was a typo in my email typing, since I could not copy paste from
> where the syntax was to my email I was typing.
Could it be you are trying to add a directory with a path field?
> Thanks Steve.
> --------------------------
> Warron French
>
> On Thu, Jul 8, 2021 at 11:11 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > On Thursday, July 8, 2021 10:26:57 AM EDT warron.french wrote:
> > > I am required to place the following rule into my audit configurations,
> > but
> > > when I do auditd will stop loading rules from this particular rule
> > forward
> > > to the end.
> > >
> > > -a always,exit -F path= /etc/NetworkManager/ -F perm=wa -F
> > > key=system-locale
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
> > There is a space between path= and /etc. Usually systemd puts auditctl
> > messages in syslog/journal.
> >
> > -Steve
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: Bad Rule?
From: warron.french @ 2021-07-08 19:00 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: Linux Audit
Yes!
--------------------------
Warron French
On Thu, Jul 8, 2021 at 2:47 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2021-07-08 13:33, warron.french wrote:
> > Ah! that was a typo in my email typing, since I could not copy paste from
> > where the syntax was to my email I was typing.
>
> Could it be you are trying to add a directory with a path field?
>
> > Thanks Steve.
> > --------------------------
> > Warron French
> >
> > On Thu, Jul 8, 2021 at 11:11 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > > On Thursday, July 8, 2021 10:26:57 AM EDT warron.french wrote:
> > > > I am required to place the following rule into my audit
> configurations,
> > > but
> > > > when I do auditd will stop loading rules from this particular rule
> > > forward
> > > > to the end.
> > > >
> > > > -a always,exit -F path= /etc/NetworkManager/ -F perm=wa -F
> > > > key=system-locale
>
> -a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
>
> > > There is a space between path= and /etc. Usually systemd puts auditctl
> > > messages in syslog/journal.
> > >
> > > -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
* Re: Bad Rule?
From: Steve Grubb @ 2021-07-08 19:05 UTC (permalink / raw)
To: warron.french, Richard Guy Briggs; +Cc: Linux Audit
On Thursday, July 8, 2021 2:46:40 PM EDT Richard Guy Briggs wrote:
> On 2021-07-08 13:33, warron.french wrote:
> > Ah! that was a typo in my email typing, since I could not copy paste from
> > where the syntax was to my email I was typing.
>
> Could it be you are trying to add a directory with a path field?
That's not exactly a problem if you intend to watch the directory itself.
Placing a watch with dir does not actually include changes to entries in the
directory itself, but rather the files contained by it.
-Steve
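
A pre-load check for the two mistakes discussed in this thread (a space after `path=`, and `path=` used on a directory), added here as an example; it is not code from the list or from the audit project. It understands only the rule options listed in `TAKES_ARG`, treats a trailing slash as meaning "directory", and relies on the behaviour reported above that loading stops at the first bad rule.

```python
import re
import shlex

# Constructed sample: the first two rules are quoted from the thread, the third
# is a made-up rule standing in for "everything after the bad one".
SAMPLE_RULES = """\
-a exit,never -F dir=/usr/local/share/macrovision/storage -k exclude
-a always,exit -F path= /etc/NetworkManager/ -F perm=wa -F key=system-locale
-a always,exit -F path=/etc/hostname -F perm=wa -F key=system-locale
"""

# Simplification: only these rule options are understood; each takes one argument.
TAKES_ARG = {"-a", "-A", "-d", "-F", "-C", "-S", "-k", "-w", "-p"}
FIELD_RE = re.compile(r"^([A-Za-z0-9_]+)(!=|>=|<=|&=|=|<|>|&)(.*)$")

def lint_rule(line):
    """Return (severity, message) findings for one -a/-A/-w rule line."""
    findings = []
    tokens = shlex.split(line, comments=True)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in TAKES_ARG:
            # A bare word here is usually a value split off by a stray space.
            findings.append(("error", f"unexpected token {tok!r}"))
            i += 1
            continue
        arg = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok == "-F":
            m = FIELD_RE.match(arg)
            if not m or not m.group(3):
                findings.append(("error", f"-F {arg!r} has no value (space after the operator?)"))
            elif m.group(1) == "path" and m.group(3).endswith("/"):
                # Assumption: a trailing slash means the target is a directory.
                findings.append(("note", "path= names a directory; dir= covers the files in it"))
        i += 2
    return findings

def first_bad_rule(text):
    """Return (line_number, rules_from_there_to_end) for the first rule with an error, else None."""
    rules = [(n, l) for n, l in enumerate(text.splitlines(), 1)
             if l.lstrip().startswith(("-a", "-A", "-w"))]
    for idx, (n, l) in enumerate(rules):
        if any(sev == "error" for sev, _ in lint_rule(l)):
            return n, len(rules) - idx
    return None

if __name__ == "__main__":
    print(first_bad_rule(SAMPLE_RULES))
```
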
* Re: Bad Rule?
From: warron.french @ 2021-07-08 19:33 UTC (permalink / raw)
To: Steve Grubb; +Cc: Richard Guy Briggs, Linux Audit
Ok, thanks. I was supposed to use "dir=" though according to the rules
directed to me.
--------------------------
Warron French
On Thu, Jul 8, 2021 at 3:05 PM Steve Grubb <sgrubb@redhat.com> wrote:
> On Thursday, July 8, 2021 2:46:40 PM EDT Richard Guy Briggs wrote:
> > On 2021-07-08 13:33, warron.french wrote:
> > > Ah! that was a typo in my email typing, since I could not copy paste
> from
> > > where the syntax was to my email I was typing.
> >
> > Could it be you are trying to add a directory with a path field?
>
> That's not exactly a problem if you intend to watch the directory itself.
> Placing a watch with dir does not actually include changes to entries in
> the
> directory itself, but rather the files contained by it.
>
> -Steve