From: Vincent Fiset
Subject: Re: operation not supported on filtering
Date: Tue, 4 Dec 2018 10:15:47 -0500
References: <5203097.zTRibRSirQ@x2>
In-Reply-To: <5203097.zTRibRSirQ@x2>
To: sgrubb@redhat.com
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

> > here are the flags that I see in proc/config:
> >
> > $ zgrep -i audi /proc/config.gz
> > CONFIG_AUDIT_ARCH=y
> > CONFIG_AUDIT=y
> > CONFIG_HAVE_ARCH_AUDITSYSCALL=y
> > CONFIG_AUDITSYSCALL=y
> > CONFIG_AUDIT_WATCH=y
> > CONFIG_AUDIT_TREE=y
> > CONFIG_NETFILTER_XT_TARGET_AUDIT=m
> > CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
> > # CONFIG_KVM_MMU_AUDIT is not set
> > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
> >
> > At this point I am unsure if it's all needed to claim it was built
> > with audit full support. Anything else I should check?
>
> Offhand that looks like all the settings. If you modify line 5 to enable the
> audit system and then comment out the rule at line 7, does it work when you
> restart?
>
> If that works, then you might want to strace loading that rule by command
> line.
>
> strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1

Unfortunately I already tried that before; strace was not revealing anything
obvious (for me at least). Here is the output, if ever you see something:

$ cat -n /etc/audit/audit.rules
     1  -D
     2
     3  -b 8192
     4
     5  #-e 1
     6
     7  #-a exclude,never -F msgtype=CWD
     8
     9  -w /etc/sysctl.conf -p wa -k sysctl

$ /etc/init.d/auditd restart
Restarting audit daemon: auditd.

$ auditctl -l
LIST_RULES: exit,always watch=/etc/sysctl.conf perm=wa key=sysctl

$ strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1
$ cat log
execve("/sbin/auditctl", ["/sbin/auditctl", "-a", "always,exclude", "-F", "msgtype=CWD"], [/* 19 vars */]) = 0
brk(0) = 0x226b000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9339141000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=18800, ...}) = 0
mmap(NULL, 18800, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f933913c000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\\\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=131107, ...}) = 0
mmap(NULL, 2208672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9338d08000
mprotect(0x7f9338d1f000, 2093056, PROT_NONE) = 0
mmap(0x7f9338f1e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f9338f1e000
mmap(0x7f9338f20000, 13216, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9338f20000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\357\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1607696, ...}) = 0
mmap(NULL, 3721272, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f933897b000
mprotect(0x7f9338aff000, 2093056, PROT_NONE) = 0
mmap(0x7f9338cfe000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x183000) = 0x7f9338cfe000
mmap(0x7f9338d03000, 18488, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9338d03000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f933913b000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f933913a000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9339139000
arch_prctl(ARCH_SET_FS, 0x7f933913a700) = 0
mprotect(0x7f9338cfe000, 16384, PROT_READ) = 0
mprotect(0x7f9338f1e000, 4096, PROT_READ) = 0
mprotect(0x7f9339143000, 4096, PROT_READ) = 0
munmap(0x7f933913c000, 18800) = 0
set_tid_address(0x7f933913a9d0) = 26861
set_robust_list(0x7f933913a9e0, 0x18) = 0
futex(0x7ffe952c57fc, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, 7f933913a700) = -1 EAGAIN (Resource temporarily unavailable)
rt_sigaction(SIGRTMIN, {0x7f9338d0dad0, [], SA_RESTORER|SA_SIGINFO, 0x7f9338d170a0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7f9338d0db60, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f9338d170a0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=8192*1024}) = 0
getuid() = 0
socket(PF_NETLINK, SOCK_RAW, 9) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
brk(0) = 0x226b000
brk(0x228c000) = 0x228c000
socket(PF_NETLINK, SOCK_RAW, 9) = 4
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
sendto(4, "\20\0\0\0\350\3\5\0\1\0\0\0\0\0\0\0", 16, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
poll([{fd=4, events=POLLIN}], 1, 500) = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "$\0\0\0\2\0\0\0\1\0\0\0\355h\0\0\0\0\0\0\20\0\0\0\350\3\5\0\1\0\0\0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36
recvfrom(4, "$\0\0\0\2\0\0\0\1\0\0\0\355h\0\0\0\0\0\0\20\0\0\0\350\3\5\0\1\0\0\0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36
poll([{fd=4, events=POLLIN}], 1, 100) = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "8\0\0\0\350\3\0\0\1\0\0\0\355h\0\0\0\0\0\0\1\0\0\0\1\0\0\0$c\0\0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 56
sendto(4, "\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\1\0\0\0\377\377\377\377"..., 796, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 796
poll([{fd=4, events=POLLIN}], 1, 500) = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0\0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 816
recvfrom(4, "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0\0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 816
write(2, "Error sending add rule request ("..., 56Error sending add rule request (Operation not supported)) = 56
write(2, "\n", 1
) = 1
close(4) = 0
exit_group(-1) = ?

On Tue, Dec 4, 2018 at 9:51 AM Steve Grubb wrote:
>
> On Tuesday, December 4, 2018 9:26:29 AM EST Vincent Fiset wrote:
> > here are the flags that I see in proc/config:
> >
> > $ zgrep -i audi /proc/config.gz
> > CONFIG_AUDIT_ARCH=y
> > CONFIG_AUDIT=y
> > CONFIG_HAVE_ARCH_AUDITSYSCALL=y
> > CONFIG_AUDITSYSCALL=y
> > CONFIG_AUDIT_WATCH=y
> > CONFIG_AUDIT_TREE=y
> > CONFIG_NETFILTER_XT_TARGET_AUDIT=m
> > CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
> > # CONFIG_KVM_MMU_AUDIT is not set
> > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
> >
> > At this point I am unsure if it's all needed to claim it was built
> > with audit full support. Anything else I should check?
>
> Offhand that looks like all the settings. If you modify line 5 to enable the
> audit system and then comment out the rule at line 7, does it work when you
> restart?
>
> If that works, then you might want to strace loading that rule by command
> line.
>
> strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1
>
> -Steve
>
> > On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset wrote:
> > > > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > > > > I got a minimal audit.rules file containing:
> > > > > # cat -n /etc/audit/audit.rules
> > > > > 1 -D
> > > > > 2
> > > > > 3 -b 8192
> > > > > 4
> > > > > 5 -e 0
> > > >
> > > > Why are you ^^^ disabling the audit system? You may want to try
> > > > commenting
> > > > that out.
> > >
> > > I tried to add that to make sure it was not preventing me from adding the
> > > filters on msgtype. Normally I use `-e 1`
> > >
> > > > > 7 -a always,exclude -F msgtype=CWD
> > > > > 8
> > > > > 9 -w /etc/sysctl.conf -p wa -k sysctl
> > > > >
> > > > > When I restart auditd I get:
> > > > > # /etc/init.d/auditd restart
> > > > > Restarting audit daemon: auditd Error sending add rule request
> > > > >
> > > > > (Operation not supported)
> > > > >
> > > > > There was an error in line 7 of /etc/audit/audit.rules
> > > > >
> > > > > failed!
> > > > >
> > > > > Instructions like `-a always,exclude -F msgtype=CWD` seem to be very
> > > > > popular in examples all over the internet. I don't understand why I
> > > > > get the
> > > > > error.
> > > > >
> > > > > I use auditd `1:1.7.18-1.1` on Debian 7
> > > > >
> > > > > What should I do to make this filter work?
> > > >
> > > > Support for msgtype on the exclude filter goes all the way back to
> > > > 2005. So, it should work unless the kernel was built without audit
> > > > full support. It might also be that if the audit system is disabled,
> > > > it won't load rules. So, I'd try that. The code is very old and
> > > > behaviors have changed over the years (both kernel and user space).
> > >
> > > Thanks for the input on that, I will try to figure out how to determine
> > > if it was built with audit full support. Any tips on how to achieve
> > > that are welcome.
> >
> > --
> > /VF
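Added example, not part of the thread and not code from the audit project: the two netlink exchanges on fd 4 in the strace above already contain the answer, they only need decoding. The Python below takes the byte strings exactly as strace printed them and interprets them with the layouts of struct nlmsghdr, struct nlmsgerr, struct audit_status and struct audit_rule from <linux/netlink.h> and <linux/audit.h>. Read that way, the first reply (nlmsg_type 1000, AUDIT_GET) reports enabled=1, so a disabled audit system is not the cause. The add request is nlmsg_type 0x3eb = 1003 = AUDIT_ADD with a 780-byte payload, i.e. the legacy fixed-size struct audit_rule, not AUDIT_ADD_RULE (1011) with struct audit_rule_data; and the 816-byte reply is NLMSG_ERROR carrying error = 0xffffffa1 = -95 = -EOPNOTSUPP, which is what the kernel's audit_receive_filter() returns for the old AUDIT_ADD/AUDIT_DEL/AUDIT_LIST message types. That also fits the rest of the symptom: the -w watch carries a path string that the fixed-size struct cannot hold, so it presumably went out in the newer format and loaded, while the string-free exclude rule was sent the old way and refused. The errno name table, the little-endian x86_64 assumption and the function names are mine, not from the page.

```python
"""Decode the netlink exchange shown in the strace output above.

Added example, not code from the thread or the audit project: it re-parses the
byte strings exactly as strace printed them for fd 4 and interprets them as
struct nlmsghdr, nlmsgerr, audit_status and audit_rule from the kernel headers.
"""
import struct

# Constants from <linux/netlink.h> and <linux/audit.h>.
NLMSG_ERROR, NLM_F_ACK, NLMSGHDR_SIZE = 2, 0x04, 16
AUDIT_MSG_TYPES = {
    1000: "AUDIT_GET", 1001: "AUDIT_SET",
    1002: "AUDIT_LIST", 1003: "AUDIT_ADD", 1004: "AUDIT_DEL",  # legacy struct audit_rule
    1011: "AUDIT_ADD_RULE", 1012: "AUDIT_DEL_RULE", 1013: "AUDIT_LIST_RULES",  # audit_rule_data
}
AUDIT_FILTERS = {0: "user", 1: "task", 2: "entry", 3: "watch", 4: "exit", 5: "exclude"}
AUDIT_ACTIONS = {0: "never", 1: "possible", 2: "always"}
# struct audit_rule: flags, action, field_count, mask[64], fields[64], values[64] = 780 bytes.
SIZEOF_AUDIT_RULE = 3 * 4 + 3 * 64 * 4
# Subset of Linux x86 errno values (my table); the kernel negates them into nlmsgerr.error.
LINUX_ERRNO = {1: "EPERM", 13: "EACCES", 19: "ENODEV", 22: "EINVAL", 95: "EOPNOTSUPP"}

# The strings as strace printed them (raw strings keep the backslashes). strace cuts
# string arguments at 32 bytes, so each is only the first 32 bytes of its message.
GET_REPLY = r'8\0\0\0\350\3\0\0\1\0\0\0\355h\0\0\0\0\0\0\1\0\0\0\1\0\0\0$c\0\0'
ADD_REQUEST = r'\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\1\0\0\0\377\377\377\377'
ADD_REPLY = r'0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0\0'
SIMPLE_ESCAPES = {"n": 10, "t": 9, "r": 13, "f": 12, "v": 11, "a": 7, "b": 8, "\\": 92, '"': 34}


def unescape_strace(text):
    """Turn strace's C-style escaped string (quotes removed) back into bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))
            i += 1
        elif text[i + 1] in "01234567":      # \o, \oo or \ooo octal escape (strace default)
            j = i + 1
            while j < len(text) and j < i + 4 and text[j] in "01234567":
                j += 1
            out.append(int(text[i + 1:j], 8))
            i = j
        else:
            out.append(SIMPLE_ESCAPES[text[i + 1]])
            i += 2
    return bytes(out)


def decode_nlmsghdr(buf, offset=0):
    """struct nlmsghdr { __u32 len; __u16 type; __u16 flags; __u32 seq; __u32 pid; },
    little-endian as on the x86_64 host; pid is None when the 32-byte truncation cut it."""
    length, mtype, flags, seq = struct.unpack_from("<IHHI", buf, offset)
    pid = struct.unpack_from("<I", buf, offset + 12)[0] if len(buf) >= offset + 16 else None
    name = "NLMSG_ERROR" if mtype == NLMSG_ERROR else AUDIT_MSG_TYPES.get(mtype, str(mtype))
    return {"len": length, "type": mtype, "type_name": name, "flags": flags, "seq": seq, "pid": pid}


def decode_audit_status(buf):
    """AUDIT_GET reply: header then struct audit_status { mask, enabled, failure, pid, ... }."""
    hdr = decode_nlmsghdr(buf)
    if hdr["type_name"] != "AUDIT_GET":
        raise ValueError("not an AUDIT_GET reply: %s" % hdr["type_name"])
    mask, enabled, failure, pid = struct.unpack_from("<IIII", buf, NLMSGHDR_SIZE)
    return {"mask": mask, "enabled": enabled, "failure": failure, "auditd_pid": pid}


def decode_audit_rule_request(buf):
    """Header plus the three fields both struct audit_rule and struct audit_rule_data
    start with: flags (which filter list), action and field_count."""
    hdr = decode_nlmsghdr(buf)
    flags, action, field_count = struct.unpack_from("<III", buf, NLMSGHDR_SIZE)
    payload = hdr["len"] - NLMSGHDR_SIZE
    return {"type_name": hdr["type_name"], "ack_requested": bool(hdr["flags"] & NLM_F_ACK),
            "filter": AUDIT_FILTERS.get(flags, str(flags)),
            "action": AUDIT_ACTIONS.get(action, str(action)),
            "field_count": field_count, "payload_len": payload,
            # The legacy struct has no string buffer; a watch path or key needs audit_rule_data.
            "legacy_format": payload == SIZEOF_AUDIT_RULE}


def decode_nlmsg_error(buf):
    """struct nlmsghdr + struct nlmsgerr { int error; struct nlmsghdr msg; }:
    error == 0 is the ACK that NLM_F_ACK asked for, anything else a negated errno."""
    hdr = decode_nlmsghdr(buf)
    if hdr["type"] != NLMSG_ERROR:
        raise ValueError("not an NLMSG_ERROR reply: %s" % hdr["type_name"])
    (error,) = struct.unpack_from("<i", buf, NLMSGHDR_SIZE)
    echoed = decode_nlmsghdr(buf, NLMSGHDR_SIZE + 4)  # header of the request being answered
    return {"seq": hdr["seq"], "pid": hdr["pid"], "ok": error == 0, "errno": -error,
            "errname": LINUX_ERRNO.get(-error, "errno %d" % -error), "request": echoed}


def explain(request_text=ADD_REQUEST, reply_text=ADD_REPLY):
    """One-line verdict on a rule request and the kernel's answer to it."""
    req = decode_audit_rule_request(unescape_strace(request_text))
    rep = decode_nlmsg_error(unescape_strace(reply_text))
    if rep["ok"]:
        return "%s (seq %d) accepted" % (rep["request"]["type_name"], rep["seq"])
    fmt = "legacy struct audit_rule" if req["legacy_format"] else "struct audit_rule_data"
    return "%s (seq %d, %s filter, action %s, %s) rejected with -%s" % (
        rep["request"]["type_name"], rep["seq"], req["filter"], req["action"], fmt, rep["errname"])
```

Calling explain() on the two strings from the trace gives "AUDIT_ADD (seq 2, exclude filter, action always, legacy struct audit_rule) rejected with -EOPNOTSUPP", and decode_audit_status(unescape_strace(GET_REPLY)) gives enabled=1, failure=1 and auditd's pid 25380. To check another auditctl run, paste its sendto()/recvfrom() strings into the same two functions; a 784-byte-or-larger payload with nlmsg_type 1011 is the current rule format, and an nlmsgerr.error of 0 is the ACK for a rule the kernel accepted.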