From mboxrd@z Thu Jan 1 00:00:00 1970
From: Vincent Fiset
Subject: Re: operation not supported on filtering
Date: Tue, 4 Dec 2018 09:26:29 -0500
References: <2563573.dAWe7hevjM@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: sgrubb@redhat.com
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset wrote:
> > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > > I got a minimal audit.rules file containing:
> > >
> > > # cat -n /etc/audit/audit.rules
> > > 1 -D
> > > 2
> > > 3 -b 8192
> > > 4
> > > 5 -e 0
> >
> > Why are you ^^^ disabling the audit system? You may want to try commenting
> > that out.
>
> I tried to add that to make sure it was not preventing me from adding the
> filters on msgtype. Normally I use `-e 1`.
>
> > > 7 -a always,exclude -F msgtype=CWD
> > > 8
> > > 9 -w /etc/sysctl.conf -p wa -k sysctl
> > >
> > > When I restart auditd I get:
> > >
> > > # /etc/init.d/auditd restart
> > > Restarting audit daemon: auditd Error sending add rule request
> > > (Operation not supported)
> > > There was an error in line 7 of /etc/audit/audit.rules
> > > failed!
> > >
> > > Instructions like `-a always,exclude -F msgtype=CWD` seem to be very
> > > popular in examples all over the internet. I don't understand why I get
> > > the error.
> > >
> > > I use auditd `1:1.7.18-1.1` on debian 7
> > >
> > > What should I do to make this filter work?
> >
> > Support for msgtype on the exclude filter goes all the way back to 2005. So,
> > it should work unless the kernel was built without audit full support. It
> > might also be that if the audit system is disabled, it won't load rules. So,
> > I'd try that. The code is very old and behaviors have changed over the years
> > (both kernel and user space).
>
> Thanks for the input on that. I will try to figure out how to determine
> if it was built with audit full support. Any tips on how to achieve
> that are welcome.

Here are the flags that I see in proc/config:

$ zgrep -i audi /proc/config.gz
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_KVM_MMU_AUDIT is not set
# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set

At this point I am unsure if it's all needed to claim it was built with
audit full support. Anything else I should check?

-- 
/VF
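An added example, not code from Vincent's mail, the list, or the auditd project: a small POSIX sh script that checks a kernel config for the audit options the rules in the thread depend on. It assumes (my assumption, not something the thread states) that "audit full support" means CONFIG_AUDIT=y together with CONFIG_AUDITSYSCALL=y; the sample config it checks is constructed from the zgrep output above, and the live-kernel check reads /proc/config.gz or /boot/config-$(uname -r) when one of them is readable.

```shell
#!/bin/sh
# Added example, not code from the thread: report the kernel config options
# behind "audit full support" and return non-zero when the essentials are missing.
# Assumption (mine, not stated on the list): the rules in the thread need
# CONFIG_AUDIT=y (the audit filter machinery, including the exclude list) and
# CONFIG_AUDITSYSCALL=y (syscall auditing, which -w watches build on).

# Print the running kernel's config as text. /proc/config.gz exists only when
# the kernel was built with CONFIG_IKCONFIG_PROC; Debian also ships a copy as
# /boot/config-<release>.
kernel_config_text() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no readable kernel config found" >&2
        return 1
    fi
}

# audit_config_check FILE
# Prints one "OPTION: y|m|n" line per audit option of interest and returns 0
# only when CONFIG_AUDIT and CONFIG_AUDITSYSCALL are both built in (=y).
# Matching is anchored on "OPTION=" so CONFIG_AUDIT does not also match
# CONFIG_AUDIT_ARCH or CONFIG_AUDITSYSCALL.
audit_config_check() {
    cfg=$1
    rc=0
    for opt in CONFIG_AUDIT CONFIG_AUDITSYSCALL CONFIG_AUDIT_WATCH CONFIG_AUDIT_TREE; do
        if grep -q "^${opt}=y$" "$cfg"; then
            state=y
        elif grep -q "^${opt}=m$" "$cfg"; then
            state=m
        else
            state=n
        fi
        echo "$opt: $state"
        case $opt in
            CONFIG_AUDIT|CONFIG_AUDITSYSCALL)
                [ "$state" = y ] || rc=1
                ;;
        esac
    done
    return $rc
}

# write_sample_config FILE
# Constructed sample (not a real system's file): the lines the thread's
# zgrep showed, so the script can be run without root or a kernel config.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
# CONFIG_KVM_MMU_AUDIT is not set
EOF
}

# Check the constructed sample first, then the live kernel if its config is readable.
sample=$(mktemp)
write_sample_config "$sample"
echo "== constructed sample =="
audit_config_check "$sample" && echo "audit support: ok" || echo "audit support: missing"
rm -f "$sample"

live=$(mktemp)
if kernel_config_text > "$live" 2>/dev/null; then
    echo "== running kernel ($(uname -r)) =="
    audit_config_check "$live" && echo "audit support: ok" || echo "audit support: missing"
fi
rm -f "$live"
```

The script only reads config files, so it needs no root and does not touch the running audit subsystem. It answers the "anything else I should check" question about how the kernel was built; it does not diagnose the "Operation not supported" error itself, which can still come from the user-space tool or from a disabled audit system, as the reply in the thread notes.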