* Bad Rule?
From: warron.french @ 2021-07-08 14:26 UTC
  To: Linux Audit



I am required to place the following rule into my audit configurations, but
when I do auditd will stop loading rules from this particular rule forward
to the end.

-a always,exit  -F path= /etc/NetworkManager/  -F perm=wa  -F key=system-locale

The rule immediately above it was:
-a  exit,never -F dir=/usr/local/share/macrovision/storage -k exclude

If I hash out the syntax including NetworkManager all rules load, but
unhashed it stops loading rules from that point to the end.



--------------------------
Warron French


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


* Re: Bad Rule?
From: Steve Grubb @ 2021-07-08 15:07 UTC
  To: linux-audit

On Thursday, July 8, 2021 10:26:57 AM EDT warron.french wrote:
> I am required to place the following rule into my audit configurations, but
> when I do auditd will stop loading rules from this particular rule forward
> to the end.
> 
> -a always,exit  -F path= /etc/NetworkManager/  -F perm=wa  -F
> key=system-locale

There is a space between path=  and /etc. Usually systemd puts auditctl 
messages in syslog/journal.

-Steve
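
The slip pointed out in this reply, a space after `path=`, leaves the `-F` field with no value and the path as a separate argument. As an added example (not code from the thread or from the audit project), a small shell check that reports the line number of such a rule before the rules file is loaded; `lint_audit_rules` and `sample_rules` are hypothetical names, and the sample input is constructed from the rules quoted in the thread.

```shell
# Added example (not from the thread): flag audit rules where a -F field has
# lost its value, as happens when a space is typed after "path=".

# Read rules on stdin; print "<line>: <reason>" per problem; exit 1 if any.
lint_audit_rules() (
    lineno=0 bad=0
    set -f                                   # no globbing while word-splitting
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        prev=
        for tok in $line; do
            if [ "$prev" = "-F" ]; then
                case $tok in
                    *=) echo "$lineno: -F field '$tok' has an empty value"; bad=1 ;;
                    *=*|*'<'*|*'>'*|*'&'*) ;;   # field, operator and value present
                    *)  echo "$lineno: -F field '$tok' has no operator"; bad=1 ;;
                esac
            fi
            prev=$tok
        done
    done
    exit "$bad"
)

# Constructed sample: the rules quoted in the thread, in file order.
sample_rules() {
    cat <<'EOF'
-a  exit,never -F dir=/usr/local/share/macrovision/storage -k exclude
-a always,exit  -F path= /etc/NetworkManager/  -F perm=wa  -F key=system-locale
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
EOF
}

# Stand-alone run: reports line 2 of the sample.
sample_rules | lint_audit_rules || true
```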



* Re: Bad Rule?
From: warron.french @ 2021-07-08 17:33 UTC
  To: Steve Grubb; +Cc: Linux Audit



Ah! that was a typo in my email typing, since I could not copy paste from
where the syntax was to my email I was typing.

Thanks Steve.
--------------------------
Warron French



On Thu, Jul 8, 2021 at 11:11 AM Steve Grubb <sgrubb@redhat.com> wrote:

> On Thursday, July 8, 2021 10:26:57 AM EDT warron.french wrote:
> > I am required to place the following rule into my audit configurations, but
> > when I do auditd will stop loading rules from this particular rule forward
> > to the end.
> >
> > -a always,exit  -F path= /etc/NetworkManager/  -F perm=wa  -F
> > key=system-locale
>
> There is a space between path=  and /etc. Usually systemd puts auditctl
> messages in syslog/journal.
>
> -Steve

* Re: Bad Rule?
From: Richard Guy Briggs @ 2021-07-08 18:46 UTC
  To: warron.french; +Cc: Linux Audit

On 2021-07-08 13:33, warron.french wrote:
> Ah! that was a typo in my email typing, since I could not copy paste from
> where the syntax was to my email I was typing.

Could it be you are trying to add a directory with a path field?

> Thanks Steve.
> --------------------------
> Warron French
> 
> On Thu, Jul 8, 2021 at 11:11 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > On Thursday, July 8, 2021 10:26:57 AM EDT warron.french wrote:
> > > I am required to place the following rule into my audit configurations, but
> > > when I do auditd will stop loading rules from this particular rule forward
> > > to the end.
> > >
> > > -a always,exit  -F path= /etc/NetworkManager/  -F perm=wa  -F
> > > key=system-locale

-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale

> > There is a space between path=  and /etc. Usually systemd puts auditctl
> > messages in syslog/journal.
> >
> > -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: Bad Rule?
From: warron.french @ 2021-07-08 19:00 UTC
  To: Richard Guy Briggs; +Cc: Linux Audit



Yes!
--------------------------
Warron French



On Thu, Jul 8, 2021 at 2:47 PM Richard Guy Briggs <rgb@redhat.com> wrote:

> On 2021-07-08 13:33, warron.french wrote:
> > Ah! that was a typo in my email typing, since I could not copy paste from
> > where the syntax was to my email I was typing.
>
> Could it be you are trying to add a directory with a path field?
>
> > Thanks Steve.
> > --------------------------
> > Warron French
> >
> > On Thu, Jul 8, 2021 at 11:11 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > > On Thursday, July 8, 2021 10:26:57 AM EDT warron.french wrote:
> > > > I am required to place the following rule into my audit configurations, but
> > > > when I do auditd will stop loading rules from this particular rule forward
> > > > to the end.
> > > >
> > > > -a always,exit  -F path= /etc/NetworkManager/  -F perm=wa  -F
> > > > key=system-locale
>
> -a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
>
> > > There is a space between path=  and /etc. Usually systemd puts auditctl
> > > messages in syslog/journal.
> > >
> > > -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
>


* Re: Bad Rule?
From: Steve Grubb @ 2021-07-08 19:05 UTC
  To: warron.french, Richard Guy Briggs; +Cc: Linux Audit

On Thursday, July 8, 2021 2:46:40 PM EDT Richard Guy Briggs wrote:
> On 2021-07-08 13:33, warron.french wrote:
> > Ah! that was a typo in my email typing, since I could not copy paste from
> > where the syntax was to my email I was typing.
> 
> Could it be you are trying to add a directory with a path field?

That's not exactly a problem if you intend to watch the directory itself. 
Placing a watch with dir does not actually include changes to entries in the 
directory itself, but rather the files contained by it.

-Steve



* Re: Bad Rule?
From: warron.french @ 2021-07-08 19:33 UTC
  To: Steve Grubb; +Cc: Richard Guy Briggs, Linux Audit



Ok, thanks. I was supposed to use "dir=" though according to the rules
directed to me.

--------------------------
Warron French



On Thu, Jul 8, 2021 at 3:05 PM Steve Grubb <sgrubb@redhat.com> wrote:

> On Thursday, July 8, 2021 2:46:40 PM EDT Richard Guy Briggs wrote:
> > On 2021-07-08 13:33, warron.french wrote:
> > > Ah! that was a typo in my email typing, since I could not copy paste from
> > > where the syntax was to my email I was typing.
> >
> > Could it be you are trying to add a directory with a path field?
>
> That's not exactly a problem if you intend to watch the directory itself.
> Placing a watch with dir does not actually include changes to entries in the
> directory itself, but rather the files contained by it.
>
> -Steve