* operation not supported on filtering @ 2018-12-03 17:26 Vincent Fiset 2018-12-03 17:55 ` Steve Grubb 0 siblings, 1 reply; 8+ messages in thread From: Vincent Fiset @ 2018-12-03 17:26 UTC (permalink / raw) To: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 702 bytes --] I got a minimal audit.rules file containing: # cat -n /etc/audit/audit.rules 1 -D 2 3 -b 8192 4 5 -e 0 6 7 -a always,exclude -F msgtype=CWD 8 9 -w /etc/sysctl.conf -p wa -k sysctl When I restart auditd I get: # /etc/init.d/auditd restart Restarting audit daemon: auditd Error sending add rule request (Operation not supported) There was an error in line 7 of /etc/audit/audit.rules failed! instructions like `-a always,exclude -F msgtype=CWD` seems to be very popular in example all over the internet. I don't understand why I get the error. I use auditd `1:1.7.18-1.1` on debian 7 What should I do to make this filter work? -- /VF [-- Attachment #1.2: Type: text/html, Size: 1142 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: operation not supported on filtering 2018-12-03 17:26 operation not supported on filtering Vincent Fiset @ 2018-12-03 17:55 ` Steve Grubb 2018-12-03 19:13 ` Vincent Fiset 0 siblings, 1 reply; 8+ messages in thread From: Steve Grubb @ 2018-12-03 17:55 UTC (permalink / raw) To: linux-audit On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote: > I got a minimal audit.rules file containing: > > # cat -n /etc/audit/audit.rules > 1 -D > 2 > 3 -b 8192 > 4 > 5 -e 0 Why are you ^^^ disabling the audit system? You may want to try commenting that out. > 7 -a always,exclude -F msgtype=CWD > 8 > 9 -w /etc/sysctl.conf -p wa -k sysctl > > When I restart auditd I get: > > # /etc/init.d/auditd restart > Restarting audit daemon: auditd Error sending add rule request > (Operation not supported) > There was an error in line 7 of /etc/audit/audit.rules > failed! > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very > popular in example all over the internet. I don't understand why I get the > error. > > I use auditd `1:1.7.18-1.1` on debian 7 > > What should I do to make this filter work? Support for msgtype on the exclude filter goes all the way back to 2005. So, it should work unless the kernel was built without audit full support. It might also be that if the audit system is disabled, it won't load rules. So, I'd try that. The code is very old and behaviors have changed over the years (both kernel and user space). -Steve ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: operation not supported on filtering 2018-12-03 17:55 ` Steve Grubb @ 2018-12-03 19:13 ` Vincent Fiset 2018-12-04 14:26 ` Vincent Fiset 0 siblings, 1 reply; 8+ messages in thread From: Vincent Fiset @ 2018-12-03 19:13 UTC (permalink / raw) To: sgrubb; +Cc: linux-audit > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote: > > I got a minimal audit.rules file containing: > > > > # cat -n /etc/audit/audit.rules > > 1 -D > > 2 > > 3 -b 8192 > > 4 > > 5 -e 0 > > Why are you ^^^ disabling the audit system? You may want to try commenting > that out. I tired to add that to make sure it was not preventing me to add the filters on msgtype. Normally I use `-e 1` > > > 7 -a always,exclude -F msgtype=CWD > > 8 > > 9 -w /etc/sysctl.conf -p wa -k sysctl > > > > When I restart auditd I get: > > > > # /etc/init.d/auditd restart > > Restarting audit daemon: auditd Error sending add rule request > > (Operation not supported) > > There was an error in line 7 of /etc/audit/audit.rules > > failed! > > > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very > > popular in example all over the internet. I don't understand why I get the > > error. > > > > I use auditd `1:1.7.18-1.1` on debian 7 > > > > What should I do to make this filter work? > > Support for msgtype on the exclude filter goes all the way back to 2005. So, > it should work unless the kernel was built without audit full support. It > might also be that if the audit system is disabled, it won't load rules. So, > I'd try that. The code is very old and behaviors have changed over the years > (both kernel and user space). Thanks for the input on that I will try to figure out how to determine if it was built with audit full support. Any tips on how to achieve that are welcome. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: operation not supported on filtering 2018-12-03 19:13 ` Vincent Fiset @ 2018-12-04 14:26 ` Vincent Fiset 2018-12-04 14:51 ` Steve Grubb 0 siblings, 1 reply; 8+ messages in thread From: Vincent Fiset @ 2018-12-04 14:26 UTC (permalink / raw) To: sgrubb; +Cc: linux-audit $ zgrep -i audi /proc/config.gz CONFIG_AUDIT_ARCH=y CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y CONFIG_AUDITSYSCALL=y CONFIG_AUDIT_WATCH=y CONFIG_AUDIT_TREE=y CONFIG_NETFILTER_XT_TARGET_AUDIT=m CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 # CONFIG_KVM_MMU_AUDIT is not set # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set > > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote: > > > I got a minimal audit.rules file containing: > > > > > > # cat -n /etc/audit/audit.rules > > > 1 -D > > > 2 > > > 3 -b 8192 > > > 4 > > > 5 -e 0 > > > > Why are you ^^^ disabling the audit system? You may want to try commenting > > that out. > > I tired to add that to make sure it was not preventing me to add the > filters on msgtype. Normally I use `-e 1` > > > > > > 7 -a always,exclude -F msgtype=CWD > > > 8 > > > 9 -w /etc/sysctl.conf -p wa -k sysctl > > > > > > When I restart auditd I get: > > > > > > # /etc/init.d/auditd restart > > > Restarting audit daemon: auditd Error sending add rule request > > > (Operation not supported) > > > There was an error in line 7 of /etc/audit/audit.rules > > > failed! > > > > > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very > > > popular in example all over the internet. I don't understand why I get the > > > error. > > > > > > I use auditd `1:1.7.18-1.1` on debian 7 > > > > > > What should I do to make this filter work? > > > > Support for msgtype on the exclude filter goes all the way back to 2005. So, > > it should work unless the kernel was built without audit full support. It > > might also be that if the audit system is disabled, it won't load rules. So, > > I'd try that. The code is very old and behaviors have changed over the years > > (both kernel and user space). > > Thanks for the input on that I will try to figure out how to determine > if it was built with audit full support. Any tips on how to achieve > that are welcome. here are the flags that I see in proc/config: $ zgrep -i audi /proc/config.gz CONFIG_AUDIT_ARCH=y CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y CONFIG_AUDITSYSCALL=y CONFIG_AUDIT_WATCH=y CONFIG_AUDIT_TREE=y CONFIG_NETFILTER_XT_TARGET_AUDIT=m CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 # CONFIG_KVM_MMU_AUDIT is not set # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set At this point I am unsure if it's all needed to claim it was built with audit full support. Anything else I should check? On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset <vfiset@gmail.com> wrote: > > > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote: > > > I got a minimal audit.rules file containing: > > > > > > # cat -n /etc/audit/audit.rules > > > 1 -D > > > 2 > > > 3 -b 8192 > > > 4 > > > 5 -e 0 > > > > Why are you ^^^ disabling the audit system? You may want to try commenting > > that out. > > I tired to add that to make sure it was not preventing me to add the > filters on msgtype. Normally I use `-e 1` > > > > > > 7 -a always,exclude -F msgtype=CWD > > > 8 > > > 9 -w /etc/sysctl.conf -p wa -k sysctl > > > > > > When I restart auditd I get: > > > > > > # /etc/init.d/auditd restart > > > Restarting audit daemon: auditd Error sending add rule request > > > (Operation not supported) > > > There was an error in line 7 of /etc/audit/audit.rules > > > failed! > > > > > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very > > > popular in example all over the internet. I don't understand why I get the > > > error. > > > > > > I use auditd `1:1.7.18-1.1` on debian 7 > > > > > > What should I do to make this filter work? > > > > Support for msgtype on the exclude filter goes all the way back to 2005. So, > > it should work unless the kernel was built without audit full support. It > > might also be that if the audit system is disabled, it won't load rules. So, > > I'd try that. The code is very old and behaviors have changed over the years > > (both kernel and user space). > > Thanks for the input on that I will try to figure out how to determine > if it was built with audit full support. Any tips on how to achieve > that are welcome. -- /VF ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: operation not supported on filtering 2018-12-04 14:26 ` Vincent Fiset @ 2018-12-04 14:51 ` Steve Grubb 2018-12-04 15:15 ` Vincent Fiset 0 siblings, 1 reply; 8+ messages in thread From: Steve Grubb @ 2018-12-04 14:51 UTC (permalink / raw) To: Vincent Fiset; +Cc: linux-audit On Tuesday, December 4, 2018 9:26:29 AM EST Vincent Fiset wrote: > here are the flags that I see in proc/config: > > $ zgrep -i audi /proc/config.gz > CONFIG_AUDIT_ARCH=y > CONFIG_AUDIT=y > CONFIG_HAVE_ARCH_AUDITSYSCALL=y > CONFIG_AUDITSYSCALL=y > CONFIG_AUDIT_WATCH=y > CONFIG_AUDIT_TREE=y > CONFIG_NETFILTER_XT_TARGET_AUDIT=m > CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 > # CONFIG_KVM_MMU_AUDIT is not set > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set > > At this point I am unsure if it's all needed to claim it was built > with audit full support. Anything else I should check? Offhand that looks like all the settings. If you modify line 5 to enable the audit system and then comment out the rule at line 7, does it work when you restart? If that works, then you might want to strace loading that rule by command line. strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1 -Steve > On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset <vfiset@gmail.com> wrote: > > > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote: > > > > I got a minimal audit.rules file containing: > > > > # cat -n /etc/audit/audit.rules > > > > 1 -D > > > > 2 > > > > 3 -b 8192 > > > > 4 > > > > 5 -e 0 > > > > > > Why are you ^^^ disabling the audit system? You may want to try > > > commenting > > > that out. > > > > I tired to add that to make sure it was not preventing me to add the > > filters on msgtype. Normally I use `-e 1` > > > > > > 7 -a always,exclude -F msgtype=CWD > > > > 8 > > > > 9 -w /etc/sysctl.conf -p wa -k sysctl > > > > > > > > When I restart auditd I get: > > > > # /etc/init.d/auditd restart > > > > Restarting audit daemon: auditd Error sending add rule request > > > > > > > > (Operation not supported) > > > > > > > > There was an error in line 7 of /etc/audit/audit.rules > > > > > > > > failed! > > > > > > > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very > > > > popular in example all over the internet. I don't understand why I > > > > get the > > > > error. > > > > > > > > I use auditd `1:1.7.18-1.1` on debian 7 > > > > > > > > What should I do to make this filter work? > > > > > > Support for msgtype on the exclude filter goes all the way back to > > > 2005. So, it should work unless the kernel was built without audit > > > full support. It might also be that if the audit system is disabled, > > > it won't load rules. So, I'd try that. The code is very old and > > > behaviors have changed over the years (both kernel and user space). > > > > Thanks for the input on that I will try to figure out how to determine > > if it was built with audit full support. Any tips on how to achieve > > that are welcome. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: operation not supported on filtering 2018-12-04 14:51 ` Steve Grubb @ 2018-12-04 15:15 ` Vincent Fiset 2018-12-04 16:09 ` Steve Grubb 0 siblings, 1 reply; 8+ messages in thread From: Vincent Fiset @ 2018-12-04 15:15 UTC (permalink / raw) To: sgrubb; +Cc: linux-audit > > here are the flags that I see in proc/config: > > > > $ zgrep -i audi /proc/config.gz > > CONFIG_AUDIT_ARCH=y > > CONFIG_AUDIT=y > > CONFIG_HAVE_ARCH_AUDITSYSCALL=y > > CONFIG_AUDITSYSCALL=y > > CONFIG_AUDIT_WATCH=y > > CONFIG_AUDIT_TREE=y > > CONFIG_NETFILTER_XT_TARGET_AUDIT=m > > CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 > > # CONFIG_KVM_MMU_AUDIT is not set > > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set > > > > At this point I am unsure if it's all needed to claim it was built > > with audit full support. Anything else I should check? > > Offhand that looks like all the settings. If you modify line 5 to enable the > audit system and then comment out the rule at line 7, does it work when you > restart? > > If that works, then you might want to strace loading that rule by command > line. > > strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1 Unfortunately I already tried that before, strace was not revealing anything obvious (for me at least) here is the output if ever you see something: $ cat -n /etc/audit/audit.rules 1 -D 2 3 -b 8192 4 5 #-e 1 6 7 #-a exclude,never -F msgtype=CWD 8 9 -w /etc/sysctl.conf -p wa -k sysctl $ /etc/init.d/auditd restart Restarting audit daemon: auditd. $ auditctl -l LIST_RULES: exit,always watch=/etc/sysctl.conf perm=wa key=sysctl $ strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1 $ cat log execve("/sbin/auditctl", ["/sbin/auditctl", "-a", "always,exclude", "-F", "msgtype=CWD"], [/* 19 vars */]) = 0 brk(0) = 0x226b000 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9339141000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=18800, ...}) = 0 mmap(NULL, 18800, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f933913c000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\\\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=131107, ...}) = 0 mmap(NULL, 2208672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9338d08000 mprotect(0x7f9338d1f000, 2093056, PROT_NONE) = 0 mmap(0x7f9338f1e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f9338f1e000 mmap(0x7f9338f20000, 13216, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9338f20000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\357\1\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1607696, ...}) = 0 mmap(NULL, 3721272, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f933897b000 mprotect(0x7f9338aff000, 2093056, PROT_NONE) = 0 mmap(0x7f9338cfe000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x183000) = 0x7f9338cfe000 mmap(0x7f9338d03000, 18488, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9338d03000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f933913b000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f933913a000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9339139000 arch_prctl(ARCH_SET_FS, 0x7f933913a700) = 0 mprotect(0x7f9338cfe000, 16384, PROT_READ) = 0 mprotect(0x7f9338f1e000, 4096, PROT_READ) = 0 mprotect(0x7f9339143000, 4096, PROT_READ) = 0 munmap(0x7f933913c000, 18800) = 0 set_tid_address(0x7f933913a9d0) = 26861 set_robust_list(0x7f933913a9e0, 0x18) = 0 futex(0x7ffe952c57fc, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, 7f933913a700) = -1 EAGAIN (Resource temporarily unavailable) rt_sigaction(SIGRTMIN, {0x7f9338d0dad0, [], SA_RESTORER|SA_SIGINFO, 0x7f9338d170a0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {0x7f9338d0db60, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f9338d170a0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=8192*1024}) = 0 getuid() = 0 socket(PF_NETLINK, SOCK_RAW, 9) = 3 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 brk(0) = 0x226b000 brk(0x228c000) = 0x228c000 socket(PF_NETLINK, SOCK_RAW, 9) = 4 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 sendto(4, "\20\0\0\0\350\3\5\0\1\0\0\0\0\0\0\0", 16, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16 poll([{fd=4, events=POLLIN}], 1, 500) = 1 ([{fd=4, revents=POLLIN}]) recvfrom(4, "$\0\0\0\2\0\0\0\1\0\0\0\355h\0\0\0\0\0\0\20\0\0\0\350\3\5\0\1\0\0\0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 recvfrom(4, "$\0\0\0\2\0\0\0\1\0\0\0\355h\0\0\0\0\0\0\20\0\0\0\350\3\5\0\1\0\0\0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 poll([{fd=4, events=POLLIN}], 1, 100) = 1 ([{fd=4, revents=POLLIN}]) recvfrom(4, "8\0\0\0\350\3\0\0\1\0\0\0\355h\0\0\0\0\0\0\1\0\0\0\1\0\0\0$c\0\0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 56 sendto(4, "\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\1\0\0\0\377\377\377\377"..., 796, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 796 poll([{fd=4, events=POLLIN}], 1, 500) = 1 ([{fd=4, revents=POLLIN}]) recvfrom(4, "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0\0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 816 recvfrom(4, "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0\0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 816 write(2, "Error sending add rule request ("..., 56Error sending add rule request (Operation not supported)) = 56 write(2, "\n", 1 ) = 1 close(4) = 0 exit_group(-1) = ? On Tue, Dec 4, 2018 at 9:51 AM Steve Grubb <sgrubb@redhat.com> wrote: > > On Tuesday, December 4, 2018 9:26:29 AM EST Vincent Fiset wrote: > > here are the flags that I see in proc/config: > > > > $ zgrep -i audi /proc/config.gz > > CONFIG_AUDIT_ARCH=y > > CONFIG_AUDIT=y > > CONFIG_HAVE_ARCH_AUDITSYSCALL=y > > CONFIG_AUDITSYSCALL=y > > CONFIG_AUDIT_WATCH=y > > CONFIG_AUDIT_TREE=y > > CONFIG_NETFILTER_XT_TARGET_AUDIT=m > > CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 > > # CONFIG_KVM_MMU_AUDIT is not set > > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set > > > > At this point I am unsure if it's all needed to claim it was built > > with audit full support. Anything else I should check? > > Offhand that looks like all the settings. If you modify line 5 to enable the > audit system and then comment out the rule at line 7, does it work when you > restart? > > If that works, then you might want to strace loading that rule by command > line. > > strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1 > > -Steve > > > > On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset <vfiset@gmail.com> wrote: > > > > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote: > > > > > I got a minimal audit.rules file containing: > > > > > # cat -n /etc/audit/audit.rules > > > > > 1 -D > > > > > 2 > > > > > 3 -b 8192 > > > > > 4 > > > > > 5 -e 0 > > > > > > > > Why are you ^^^ disabling the audit system? You may want to try > > > > commenting > > > > that out. > > > > > > I tired to add that to make sure it was not preventing me to add the > > > filters on msgtype. Normally I use `-e 1` > > > > > > > > 7 -a always,exclude -F msgtype=CWD > > > > > 8 > > > > > 9 -w /etc/sysctl.conf -p wa -k sysctl > > > > > > > > > > When I restart auditd I get: > > > > > # /etc/init.d/auditd restart > > > > > Restarting audit daemon: auditd Error sending add rule request > > > > > > > > > > (Operation not supported) > > > > > > > > > > There was an error in line 7 of /etc/audit/audit.rules > > > > > > > > > > failed! > > > > > > > > > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very > > > > > popular in example all over the internet. I don't understand why I > > > > > get the > > > > > error. > > > > > > > > > > I use auditd `1:1.7.18-1.1` on debian 7 > > > > > > > > > > What should I do to make this filter work? > > > > > > > > Support for msgtype on the exclude filter goes all the way back to > > > > 2005. So, it should work unless the kernel was built without audit > > > > full support. It might also be that if the audit system is disabled, > > > > it won't load rules. So, I'd try that. The code is very old and > > > > behaviors have changed over the years (both kernel and user space). > > > > > > Thanks for the input on that I will try to figure out how to determine > > > if it was built with audit full support. Any tips on how to achieve > > > that are welcome. > > > > -- /VF ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: operation not supported on filtering 2018-12-04 15:15 ` Vincent Fiset @ 2018-12-04 16:09 ` Steve Grubb 2018-12-04 16:12 ` Vincent Fiset 0 siblings, 1 reply; 8+ messages in thread From: Steve Grubb @ 2018-12-04 16:09 UTC (permalink / raw) To: Vincent Fiset; +Cc: linux-audit On Tuesday, December 4, 2018 10:15:47 AM EST Vincent Fiset wrote: > > strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1 > > Unfortunately I already tried that before, strace was not revealing > anything obvious (for me at least) There's info in there. > sendto(4, > "\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\1\0\0\0\377\377\377\3 > 77"..., 796, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 796 > poll([{fd=4, events=POLLIN}], 1, 500) = 1 ([{fd=4, revents=POLLIN}]) > recvfrom(4, > "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0 > \0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, > groups=00000000}, [12]) = 816 > recvfrom(4, > "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0 > \0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, This ^^^ is the part to interpret: 0\3\0\0\ - length 2\0 - msg type NLMSG_ERROR \0\0 - flags \2\0\0\0 - seq number \355h\0\0\0 - pid \241\377\377\377 - errno EOPNOTSUPP So...your kernel is not supporting this. You'd need to dig through the kernel source to find this. I don't think I can help much past this point as I'm not familiar with the Debian kernels. -Steve ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: operation not supported on filtering 2018-12-04 16:09 ` Steve Grubb @ 2018-12-04 16:12 ` Vincent Fiset 0 siblings, 0 replies; 8+ messages in thread From: Vincent Fiset @ 2018-12-04 16:12 UTC (permalink / raw) To: sgrubb; +Cc: linux-audit > So...your kernel is not supporting this. You'd need to dig through the kernel source to find this. I don't think I can help much past this point as I'm not familiar with the Debian kernels. Thanks for the confirmation you helped me a lot On Tue, Dec 4, 2018 at 11:09 AM Steve Grubb <sgrubb@redhat.com> wrote: > > On Tuesday, December 4, 2018 10:15:47 AM EST Vincent Fiset wrote: > > > strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1 > > > > Unfortunately I already tried that before, strace was not revealing > > anything obvious (for me at least) > > There's info in there. > > > sendto(4, > > "\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\1\0\0\0\377\377\377\3 > > 77"..., 796, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 796 > > poll([{fd=4, events=POLLIN}], 1, 500) = 1 ([{fd=4, revents=POLLIN}]) > > recvfrom(4, > > "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0 > > \0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, > > groups=00000000}, [12]) = 816 > > recvfrom(4, > > "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0 > > \0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, > > This ^^^ is the part to interpret: > > 0\3\0\0\ - length > 2\0 - msg type NLMSG_ERROR > \0\0 - flags > \2\0\0\0 - seq number > \355h\0\0\0 - pid > \241\377\377\377 - errno EOPNOTSUPP > > So...your kernel is not supporting this. You'd need to dig through the kernel > source to find this. I don't think I can help much past this point as I'm not > familiar with the Debian kernels. > > -Steve > > -- /VF ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2018-12-04 16:12 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-12-03 17:26 operation not supported on filtering Vincent Fiset 2018-12-03 17:55 ` Steve Grubb 2018-12-03 19:13 ` Vincent Fiset 2018-12-04 14:26 ` Vincent Fiset 2018-12-04 14:51 ` Steve Grubb 2018-12-04 15:15 ` Vincent Fiset 2018-12-04 16:09 ` Steve Grubb 2018-12-04 16:12 ` Vincent Fiset
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.