From: Vincent Fiset
Subject: Re: operation not supported on filtering
Date: Mon, 3 Dec 2018 14:13:57 -0500
In-Reply-To: <2563573.dAWe7hevjM@x2>
To: sgrubb@redhat.com
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

> On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > I got a minimal audit.rules file containing:
> >
> > # cat -n /etc/audit/audit.rules
> > 1 -D
> > 2
> > 3 -b 8192
> > 4
> > 5 -e 0
>
> Why are you ^^^ disabling the audit system? You may want to try commenting
> that out.

I tried to add that to make sure it was not preventing me from adding the
filters on msgtype. Normally I use `-e 1`.

> > 7 -a always,exclude -F msgtype=CWD
> > 8
> > 9 -w /etc/sysctl.conf -p wa -k sysctl
> >
> > When I restart auditd I get:
> >
> > # /etc/init.d/auditd restart
> > Restarting audit daemon: auditd Error sending add rule request
> > (Operation not supported)
> > There was an error in line 7 of /etc/audit/audit.rules
> > failed!
> >
> > instructions like `-a always,exclude -F msgtype=CWD` seems to be very
> > popular in example all over the internet. I don't understand why I get the
> > error.
> >
> > I use auditd `1:1.7.18-1.1` on debian 7
> >
> > What should I do to make this filter work?
>
> Support for msgtype on the exclude filter goes all the way back to 2005. So,
> it should work unless the kernel was built without audit full support. It
> might also be that if the audit system is disabled, it won't load rules. So,
> I'd try that. The code is very old and behaviors have changed over the years
> (both kernel and user space).

Thanks for the input on that. I will try to figure out how to determine if it was built with audit full support. Any tips on how to achieve that are welcome.
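
One way to check the two conditions raised in the quoted reply (kernel audit build options and the enabled flag), as an added example that is not part of the original thread. It assumes "full audit support" means `CONFIG_AUDIT=y` together with `CONFIG_AUDITSYSCALL=y`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: "full audit support"
# means CONFIG_AUDIT=y plus CONFIG_AUDITSYSCALL=y in the kernel config.

# kconfig_value FILE OPTION -> value of OPTION, or "unset"
kconfig_value() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# audit_build_support FILE -> full | partial | none
audit_build_support() {
    if [ "$(kconfig_value "$1" CONFIG_AUDIT)" != y ]; then
        echo none
    elif [ "$(kconfig_value "$1" CONFIG_AUDITSYSCALL)" = y ]; then
        echo full
    else
        echo partial
    fi
}

# Read `auditctl -s` output on stdin and print the enabled flag. Handles
# "AUDIT_STATUS: enabled=0 flag=1 ..." (older userspace) and a line of
# the form "enabled 1" (newer userspace).
audit_enabled_from_status() {
    sed -n 's/.*enabled[ =]\([0-9]\).*/\1/p' | head -n 1
}

# find_kconfig -> path of a readable config for the running kernel
find_kconfig() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp) && gzip -dc /proc/config.gz > "$tmp" && echo "$tmp"
    else
        return 1
    fi
}

# Query the live system only when asked:  sh audit-check.sh --live
if [ "${1:-}" = "--live" ]; then
    cfg=$(find_kconfig) || { echo "kernel config not found" >&2; exit 1; }
    echo "kernel audit build support: $(audit_build_support "$cfg")"
    if command -v auditctl >/dev/null 2>&1; then
        echo "audit enabled flag: $(auditctl -s | audit_enabled_from_status)"
    fi
fi
```

Run it as root with `--live` so that `auditctl -s` can query the kernel; an enabled flag of 0 corresponds to the `-e 0` line in the rules file above.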