operation not supported on filtering

operation not supported on filtering

[Vincent Fiset]

[-- Attachment #1.1: Type: text/plain, Size: 702 bytes --]

I got a minimal audit.rules file containing:

    # cat -n /etc/audit/audit.rules
    1  -D
    2
    3  -b 8192
    4
    5  -e 0
    6
    7  -a always,exclude -F msgtype=CWD
    8
    9  -w /etc/sysctl.conf -p wa -k sysctl

When I restart auditd I get:

    # /etc/init.d/auditd restart
    Restarting audit daemon: auditd Error sending add rule request
(Operation not supported)
    There was an error in line 7 of /etc/audit/audit.rules
     failed!

instructions like `-a always,exclude -F msgtype=CWD` seems to be very
popular in example all over the internet. I don't understand why I get the
error.

I use auditd `1:1.7.18-1.1` on debian 7

What should I do to make this filter work?

-- 
/VF

[-- Attachment #1.2: Type: text/html, Size: 1142 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: operation not supported on filtering

[Steve Grubb]

On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> I got a minimal audit.rules file containing:
> 
>     # cat -n /etc/audit/audit.rules
>     1  -D
>     2
>     3  -b 8192
>     4
>     5  -e 0

Why are you ^^^ disabling the audit system? You may want to try commenting 
that out.

>     7  -a always,exclude -F msgtype=CWD
>     8
>     9  -w /etc/sysctl.conf -p wa -k sysctl
> 
> When I restart auditd I get:
> 
>     # /etc/init.d/auditd restart
>     Restarting audit daemon: auditd Error sending add rule request
> (Operation not supported)
>     There was an error in line 7 of /etc/audit/audit.rules
>      failed!
> 
> instructions like `-a always,exclude -F msgtype=CWD` seems to be very
> popular in example all over the internet. I don't understand why I get the
> error.
> 
> I use auditd `1:1.7.18-1.1` on debian 7
> 
> What should I do to make this filter work?

Support for msgtype on the exclude filter goes all the way back to 2005. So, 
it should work unless the kernel was built without audit full support. It 
might also be that if the audit system is disabled, it won't load rules. So, 
I'd try that. The code is very old and behaviors have changed over the years 
(both kernel and user space).

-Steve

Re: operation not supported on filtering

[Vincent Fiset]

> On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > I got a minimal audit.rules file containing:
> >
> >     # cat -n /etc/audit/audit.rules
> >     1  -D
> >     2
> >     3  -b 8192
> >     4
> >     5  -e 0
>
> Why are you ^^^ disabling the audit system? You may want to try commenting
> that out.

I tired to add that to make sure it was not preventing me to add the
filters on msgtype. Normally I use `-e 1`

>
> >     7  -a always,exclude -F msgtype=CWD
> >     8
> >     9  -w /etc/sysctl.conf -p wa -k sysctl
> >
> > When I restart auditd I get:
> >
> >     # /etc/init.d/auditd restart
> >     Restarting audit daemon: auditd Error sending add rule request
> > (Operation not supported)
> >     There was an error in line 7 of /etc/audit/audit.rules
> >      failed!
> >
> > instructions like `-a always,exclude -F msgtype=CWD` seems to be very
> > popular in example all over the internet. I don't understand why I get the
> > error.
> >
> > I use auditd `1:1.7.18-1.1` on debian 7
> >
> > What should I do to make this filter work?
>
> Support for msgtype on the exclude filter goes all the way back to 2005. So,
> it should work unless the kernel was built without audit full support. It
> might also be that if the audit system is disabled, it won't load rules. So,
> I'd try that. The code is very old and behaviors have changed over the years
> (both kernel and user space).

Thanks for the input on that I will try to figure out how to determine
if it was built with audit full support. Any tips on how to achieve
that are welcome.

Re: operation not supported on filtering

[Vincent Fiset]

$ zgrep -i audi /proc/config.gz
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_KVM_MMU_AUDIT is not set
# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set


> > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > > I got a minimal audit.rules file containing:
> > >
> > >     # cat -n /etc/audit/audit.rules
> > >     1  -D
> > >     2
> > >     3  -b 8192
> > >     4
> > >     5  -e 0
> >
> > Why are you ^^^ disabling the audit system? You may want to try commenting
> > that out.
>
> I tired to add that to make sure it was not preventing me to add the
> filters on msgtype. Normally I use `-e 1`
>
> >
> > >     7  -a always,exclude -F msgtype=CWD
> > >     8
> > >     9  -w /etc/sysctl.conf -p wa -k sysctl
> > >
> > > When I restart auditd I get:
> > >
> > >     # /etc/init.d/auditd restart
> > >     Restarting audit daemon: auditd Error sending add rule request
> > > (Operation not supported)
> > >     There was an error in line 7 of /etc/audit/audit.rules
> > >      failed!
> > >
> > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very
> > > popular in example all over the internet. I don't understand why I get the
> > > error.
> > >
> > > I use auditd `1:1.7.18-1.1` on debian 7
> > >
> > > What should I do to make this filter work?
> >
> > Support for msgtype on the exclude filter goes all the way back to 2005. So,
> > it should work unless the kernel was built without audit full support. It
> > might also be that if the audit system is disabled, it won't load rules. So,
> > I'd try that. The code is very old and behaviors have changed over the years
> > (both kernel and user space).
>
> Thanks for the input on that I will try to figure out how to determine
> if it was built with audit full support. Any tips on how to achieve
> that are welcome.

here are the flags that I see in proc/config:

$ zgrep -i audi /proc/config.gz
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_KVM_MMU_AUDIT is not set
# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set

At this point I am unsure if it's all needed to claim it was built
with audit full support. Anything else I should check?
On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset <vfiset@gmail.com> wrote:
>
> > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > > I got a minimal audit.rules file containing:
> > >
> > >     # cat -n /etc/audit/audit.rules
> > >     1  -D
> > >     2
> > >     3  -b 8192
> > >     4
> > >     5  -e 0
> >
> > Why are you ^^^ disabling the audit system? You may want to try commenting
> > that out.
>
> I tired to add that to make sure it was not preventing me to add the
> filters on msgtype. Normally I use `-e 1`
>
> >
> > >     7  -a always,exclude -F msgtype=CWD
> > >     8
> > >     9  -w /etc/sysctl.conf -p wa -k sysctl
> > >
> > > When I restart auditd I get:
> > >
> > >     # /etc/init.d/auditd restart
> > >     Restarting audit daemon: auditd Error sending add rule request
> > > (Operation not supported)
> > >     There was an error in line 7 of /etc/audit/audit.rules
> > >      failed!
> > >
> > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very
> > > popular in example all over the internet. I don't understand why I get the
> > > error.
> > >
> > > I use auditd `1:1.7.18-1.1` on debian 7
> > >
> > > What should I do to make this filter work?
> >
> > Support for msgtype on the exclude filter goes all the way back to 2005. So,
> > it should work unless the kernel was built without audit full support. It
> > might also be that if the audit system is disabled, it won't load rules. So,
> > I'd try that. The code is very old and behaviors have changed over the years
> > (both kernel and user space).
>
> Thanks for the input on that I will try to figure out how to determine
> if it was built with audit full support. Any tips on how to achieve
> that are welcome.



-- 
/VF

Re: operation not supported on filtering

[Steve Grubb]

On Tuesday, December 4, 2018 9:26:29 AM EST Vincent Fiset wrote:
> here are the flags that I see in proc/config:
> 
> $ zgrep -i audi /proc/config.gz
> CONFIG_AUDIT_ARCH=y
> CONFIG_AUDIT=y
> CONFIG_HAVE_ARCH_AUDITSYSCALL=y
> CONFIG_AUDITSYSCALL=y
> CONFIG_AUDIT_WATCH=y
> CONFIG_AUDIT_TREE=y
> CONFIG_NETFILTER_XT_TARGET_AUDIT=m
> CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
> # CONFIG_KVM_MMU_AUDIT is not set
> # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
> 
> At this point I am unsure if it's all needed to claim it was built
> with audit full support. Anything else I should check?

Offhand that looks like all the settings. If you modify line 5 to enable the 
audit system and then comment out the rule at line 7, does it work when you 
restart?

If that works, then you might want to strace loading that rule by command 
line.

strace /sbin/auditctl -a always,exclude -F msgtype=CWD  >  log  2>&1

-Steve


> On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset <vfiset@gmail.com> wrote:
> > > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > > > I got a minimal audit.rules file containing:
> > > >     # cat -n /etc/audit/audit.rules
> > > >     1  -D
> > > >     2
> > > >     3  -b 8192
> > > >     4
> > > >     5  -e 0
> > > 
> > > Why are you ^^^ disabling the audit system? You may want to try
> > > commenting
> > > that out.
> > 
> > I tired to add that to make sure it was not preventing me to add the
> > filters on msgtype. Normally I use `-e 1`
> > 
> > > >     7  -a always,exclude -F msgtype=CWD
> > > >     8
> > > >     9  -w /etc/sysctl.conf -p wa -k sysctl
> > > > 
> > > > When I restart auditd I get:
> > > >     # /etc/init.d/auditd restart
> > > >     Restarting audit daemon: auditd Error sending add rule request
> > > > 
> > > > (Operation not supported)
> > > > 
> > > >     There was an error in line 7 of /etc/audit/audit.rules
> > > >     
> > > >      failed!
> > > > 
> > > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very
> > > > popular in example all over the internet. I don't understand why I
> > > > get the
> > > > error.
> > > > 
> > > > I use auditd `1:1.7.18-1.1` on debian 7
> > > > 
> > > > What should I do to make this filter work?
> > > 
> > > Support for msgtype on the exclude filter goes all the way back to
> > > 2005. So, it should work unless the kernel was built without audit
> > > full support. It might also be that if the audit system is disabled,
> > > it won't load rules. So, I'd try that. The code is very old and
> > > behaviors have changed over the years (both kernel and user space).
> > 
> > Thanks for the input on that I will try to figure out how to determine
> > if it was built with audit full support. Any tips on how to achieve
> > that are welcome.

Re: operation not supported on filtering

[Vincent Fiset]

> > here are the flags that I see in proc/config:
> >
> > $ zgrep -i audi /proc/config.gz
> > CONFIG_AUDIT_ARCH=y
> > CONFIG_AUDIT=y
> > CONFIG_HAVE_ARCH_AUDITSYSCALL=y
> > CONFIG_AUDITSYSCALL=y
> > CONFIG_AUDIT_WATCH=y
> > CONFIG_AUDIT_TREE=y
> > CONFIG_NETFILTER_XT_TARGET_AUDIT=m
> > CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
> > # CONFIG_KVM_MMU_AUDIT is not set
> > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
> >
> > At this point I am unsure if it's all needed to claim it was built
> > with audit full support. Anything else I should check?
>
> Offhand that looks like all the settings. If you modify line 5 to enable the
> audit system and then comment out the rule at line 7, does it work when you
> restart?
>
> If that works, then you might want to strace loading that rule by command
> line.
>
> strace /sbin/auditctl -a always,exclude -F msgtype=CWD  >  log  2>&1

Unfortunately I already tried that before, strace was not revealing
anything obvious (for me at least)

here is the output if ever you see something:

$ cat -n /etc/audit/audit.rules
     1  -D
     2
     3  -b 8192
     4
     5  #-e 1
     6
     7  #-a exclude,never -F msgtype=CWD
     8
     9  -w /etc/sysctl.conf -p wa -k sysctl

$ /etc/init.d/auditd restart
Restarting audit daemon: auditd.

$ auditctl -l
LIST_RULES: exit,always watch=/etc/sysctl.conf perm=wa key=sysctl

$ strace /sbin/auditctl -a always,exclude -F msgtype=CWD  >  log  2>&1
$ cat log
execve("/sbin/auditctl", ["/sbin/auditctl", "-a", "always,exclude",
"-F", "msgtype=CWD"], [/* 19 vars */]) = 0
brk(0)                                  = 0x226b000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f9339141000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=18800, ...}) = 0
mmap(NULL, 18800, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f933913c000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\\\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=131107, ...}) = 0
mmap(NULL, 2208672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
0) = 0x7f9338d08000
mprotect(0x7f9338d1f000, 2093056, PROT_NONE) = 0
mmap(0x7f9338f1e000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f9338f1e000
mmap(0x7f9338f20000, 13216, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9338f20000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\357\1\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1607696, ...}) = 0
mmap(NULL, 3721272, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
0) = 0x7f933897b000
mprotect(0x7f9338aff000, 2093056, PROT_NONE) = 0
mmap(0x7f9338cfe000, 20480, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x183000) = 0x7f9338cfe000
mmap(0x7f9338d03000, 18488, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9338d03000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f933913b000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f933913a000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f9339139000
arch_prctl(ARCH_SET_FS, 0x7f933913a700) = 0
mprotect(0x7f9338cfe000, 16384, PROT_READ) = 0
mprotect(0x7f9338f1e000, 4096, PROT_READ) = 0
mprotect(0x7f9339143000, 4096, PROT_READ) = 0
munmap(0x7f933913c000, 18800)           = 0
set_tid_address(0x7f933913a9d0)         = 26861
set_robust_list(0x7f933913a9e0, 0x18)   = 0
futex(0x7ffe952c57fc, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME,
1, NULL, 7f933913a700) = -1 EAGAIN (Resource temporarily unavailable)
rt_sigaction(SIGRTMIN, {0x7f9338d0dad0, [], SA_RESTORER|SA_SIGINFO,
0x7f9338d170a0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7f9338d0db60, [],
SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f9338d170a0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=8192*1024}) = 0
getuid()                                = 0
socket(PF_NETLINK, SOCK_RAW, 9)         = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
brk(0)                                  = 0x226b000
brk(0x228c000)                          = 0x228c000
socket(PF_NETLINK, SOCK_RAW, 9)         = 4
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
sendto(4, "\20\0\0\0\350\3\5\0\1\0\0\0\0\0\0\0", 16, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
poll([{fd=4, events=POLLIN}], 1, 500)   = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "$\0\0\0\2\0\0\0\1\0\0\0\355h\0\0\0\0\0\0\20\0\0\0\350\3\5\0\1\0\0\0"...,
8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0,
groups=00000000}, [12]) = 36
recvfrom(4, "$\0\0\0\2\0\0\0\1\0\0\0\355h\0\0\0\0\0\0\20\0\0\0\350\3\5\0\1\0\0\0"...,
8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
[12]) = 36
poll([{fd=4, events=POLLIN}], 1, 100)   = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "8\0\0\0\350\3\0\0\1\0\0\0\355h\0\0\0\0\0\0\1\0\0\0\1\0\0\0$c\0\0"...,
8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
[12]) = 56
sendto(4, "\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\1\0\0\0\377\377\377\377"...,
796, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 796
poll([{fd=4, events=POLLIN}], 1, 500)   = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0\0"...,
8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0,
groups=00000000}, [12]) = 816
recvfrom(4, "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0\0"...,
8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
[12]) = 816
write(2, "Error sending add rule request ("..., 56Error sending add
rule request (Operation not supported)) = 56
write(2, "\n", 1
)                       = 1
close(4)                                = 0
exit_group(-1)                          = ?
On Tue, Dec 4, 2018 at 9:51 AM Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Tuesday, December 4, 2018 9:26:29 AM EST Vincent Fiset wrote:
> > here are the flags that I see in proc/config:
> >
> > $ zgrep -i audi /proc/config.gz
> > CONFIG_AUDIT_ARCH=y
> > CONFIG_AUDIT=y
> > CONFIG_HAVE_ARCH_AUDITSYSCALL=y
> > CONFIG_AUDITSYSCALL=y
> > CONFIG_AUDIT_WATCH=y
> > CONFIG_AUDIT_TREE=y
> > CONFIG_NETFILTER_XT_TARGET_AUDIT=m
> > CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
> > # CONFIG_KVM_MMU_AUDIT is not set
> > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
> >
> > At this point I am unsure if it's all needed to claim it was built
> > with audit full support. Anything else I should check?
>
> Offhand that looks like all the settings. If you modify line 5 to enable the
> audit system and then comment out the rule at line 7, does it work when you
> restart?
>
> If that works, then you might want to strace loading that rule by command
> line.
>
> strace /sbin/auditctl -a always,exclude -F msgtype=CWD  >  log  2>&1
>
> -Steve
>
>
> > On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset <vfiset@gmail.com> wrote:
> > > > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > > > > I got a minimal audit.rules file containing:
> > > > >     # cat -n /etc/audit/audit.rules
> > > > >     1  -D
> > > > >     2
> > > > >     3  -b 8192
> > > > >     4
> > > > >     5  -e 0
> > > >
> > > > Why are you ^^^ disabling the audit system? You may want to try
> > > > commenting
> > > > that out.
> > >
> > > I tired to add that to make sure it was not preventing me to add the
> > > filters on msgtype. Normally I use `-e 1`
> > >
> > > > >     7  -a always,exclude -F msgtype=CWD
> > > > >     8
> > > > >     9  -w /etc/sysctl.conf -p wa -k sysctl
> > > > >
> > > > > When I restart auditd I get:
> > > > >     # /etc/init.d/auditd restart
> > > > >     Restarting audit daemon: auditd Error sending add rule request
> > > > >
> > > > > (Operation not supported)
> > > > >
> > > > >     There was an error in line 7 of /etc/audit/audit.rules
> > > > >
> > > > >      failed!
> > > > >
> > > > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very
> > > > > popular in example all over the internet. I don't understand why I
> > > > > get the
> > > > > error.
> > > > >
> > > > > I use auditd `1:1.7.18-1.1` on debian 7
> > > > >
> > > > > What should I do to make this filter work?
> > > >
> > > > Support for msgtype on the exclude filter goes all the way back to
> > > > 2005. So, it should work unless the kernel was built without audit
> > > > full support. It might also be that if the audit system is disabled,
> > > > it won't load rules. So, I'd try that. The code is very old and
> > > > behaviors have changed over the years (both kernel and user space).
> > >
> > > Thanks for the input on that I will try to figure out how to determine
> > > if it was built with audit full support. Any tips on how to achieve
> > > that are welcome.
>
>
>
>


-- 
/VF

Re: operation not supported on filtering

[Steve Grubb]

On Tuesday, December 4, 2018 10:15:47 AM EST Vincent Fiset wrote:
> > strace /sbin/auditctl -a always,exclude -F msgtype=CWD  >  log  2>&1
> 
> Unfortunately I already tried that before, strace was not revealing
> anything obvious (for me at least)

There's info in there.

> sendto(4,
> "\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\1\0\0\0\377\377\377\3
> 77"..., 796, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 796
> poll([{fd=4, events=POLLIN}], 1, 500)   = 1 ([{fd=4, revents=POLLIN}])
> recvfrom(4,
> "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0
> \0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0,
> groups=00000000}, [12]) = 816
> recvfrom(4,
> "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0
> \0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},

This ^^^ is the part to interpret:

0\3\0\0\ - length
2\0 - msg type NLMSG_ERROR
\0\0 - flags
\2\0\0\0 - seq number
\355h\0\0\0 - pid 
\241\377\377\377 - errno EOPNOTSUPP

So...your kernel is not supporting this. You'd need to dig through the kernel 
source to find this. I don't think I can help much past this point as I'm not 
familiar with the Debian kernels.

-Steve

Re: operation not supported on filtering

[Vincent Fiset]

> So...your kernel is not supporting this. You'd need to dig through the kernel
source to find this. I don't think I can help much past this point as I'm not
familiar with the Debian kernels.

Thanks for the confirmation you helped me a lot
On Tue, Dec 4, 2018 at 11:09 AM Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Tuesday, December 4, 2018 10:15:47 AM EST Vincent Fiset wrote:
> > > strace /sbin/auditctl -a always,exclude -F msgtype=CWD  >  log  2>&1
> >
> > Unfortunately I already tried that before, strace was not revealing
> > anything obvious (for me at least)
>
> There's info in there.
>
> > sendto(4,
> > "\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\1\0\0\0\377\377\377\3
> > 77"..., 796, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 796
> > poll([{fd=4, events=POLLIN}], 1, 500)   = 1 ([{fd=4, revents=POLLIN}])
> > recvfrom(4,
> > "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0
> > \0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0,
> > groups=00000000}, [12]) = 816
> > recvfrom(4,
> > "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0
> > \0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
>
> This ^^^ is the part to interpret:
>
> 0\3\0\0\ - length
> 2\0 - msg type NLMSG_ERROR
> \0\0 - flags
> \2\0\0\0 - seq number
> \355h\0\0\0 - pid
> \241\377\377\377 - errno EOPNOTSUPP
>
> So...your kernel is not supporting this. You'd need to dig through the kernel
> source to find this. I don't think I can help much past this point as I'm not
> familiar with the Debian kernels.
>
> -Steve
>
>


-- 
/VF