From: Vincent Fiset
Subject: operation not supported on filtering
Date: Mon, 3 Dec 2018 12:26:39 -0500
To: linux-audit@redhat.com

I got a minimal audit.rules file containing:

    # cat -n /etc/audit/audit.rules
    1  -D
    2
    3  -b 8192
    4
    5  -e 0
    6
    7  -a always,exclude -F msgtype=CWD
    8
    9  -w /etc/sysctl.conf -p wa -k sysctl

When I restart auditd I get:

    # /etc/init.d/auditd restart
    Restarting audit daemon: auditd Error sending add rule request (Operation not supported)
    There was an error in line 7 of /etc/audit/audit.rules
     failed!

Instructions like `-a always,exclude -F msgtype=CWD` seem to be very popular in examples all over the internet. I don't understand why I get the error.

I use auditd `1:1.7.18-1.1` on Debian 7.

What should I do to make this filter work?

--
/VF