* Duplicate settings?
From: Leam Hall @ 2020-01-20 14:24 UTC (permalink / raw)
To: linux-audit
If /etc/audit/auditd.conf encounters conflicting duplicate settings,
what happens? Takes the first, takes the last, or what? For example:
space_left = 25
space_left = 100
Thanks!
* Re: Duplicate settings?
From: Steve Grubb @ 2020-01-20 14:37 UTC (permalink / raw)
To: linux-audit; +Cc: Leam Hall
On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
> what happens? Takes the first, takes the last, or what? For example:
>
> space_left = 25
> space_left = 100
It overwrites the first value with the second one. You can also run:
# service auditd state
to see what the current value is if your audit daemon is somewhat recent.
-Steve
* Re: Duplicate settings?
From: Leam Hall @ 2020-01-20 15:00 UTC (permalink / raw)
To: linux-audit
On 1/20/20 9:37 AM, Steve Grubb wrote:
> On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
>> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
>> what happens? Takes the first, takes the last, or what? For example:
>>
>> space_left = 25
>> space_left = 100
>
> It overwrites the first value with the second one. You can also run:
>
> # service auditd state
>
> to see what the current value is if your audit daemon is somewhat recent.
Hey Steve, thanks! We're on the default RHEL/CentOS 7 auditd, and
"state" doesn't show space_left.
Leam
* Re: Duplicate settings?
From: Leam Hall @ 2020-01-20 15:04 UTC (permalink / raw)
To: linux-audit
On 1/20/20 9:37 AM, Steve Grubb wrote:
> On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
>> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
>> what happens? Takes the first, takes the last, or what? For example:
>>
>> space_left = 25
>> space_left = 100
>
> It overwrites the first value with the second one. You can also run:
>
> # service auditd state
>
> to see what the current value is if your audit daemon is somewhat recent.
>
> -Steve
Hey Steve, a follow up. Is the man page for auditd.conf wrong? My auditd
failed to start when giving space_left with a '%' sign.
space_left
This is a numeric value in megabytes that tells the audit daemon
when to perform a configurable action because the system is
starting to run low on disk space. You may also append a percent
sign (e.g. 5%) to the number to have the audit daemon calculate
the number based on the disk partition size.
Thanks!
Leam
* Re: Duplicate settings?
From: Steve Grubb @ 2020-01-20 15:14 UTC (permalink / raw)
To: linux-audit; +Cc: Leam Hall
On Monday, January 20, 2020 10:04:24 AM EST Leam Hall wrote:
> On 1/20/20 9:37 AM, Steve Grubb wrote:
> > On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
> >> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
> >> what happens? Takes the first, takes the last, or what? For example:
> >>
> >> space_left = 25
> >> space_left = 100
> >
> > It overwrites the first value with the second one. You can also run:
> >
> > # service auditd state
> >
> > to see what the current value is if your audit daemon is somewhat recent.
> >
> > -Steve
>
> Hey Steve, a follow up. Is the man page for auditd.conf wrong? My auditd
> failed to start when giving space_left with a '%' sign.
Usually it writes the reason why in syslog. Does it say anything there?
-Steve
* Re: Duplicate settings?
From: Leam Hall @ 2020-01-20 15:19 UTC (permalink / raw)
To: linux-audit
On 1/20/20 10:14 AM, Steve Grubb wrote:
> On Monday, January 20, 2020 10:04:24 AM EST Leam Hall wrote:
>> On 1/20/20 9:37 AM, Steve Grubb wrote:
>>> On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
>>>> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
>>>> what happens? Takes the first, takes the last, or what? For example:
>>>>
>>>> space_left = 25
>>>> space_left = 100
>>>
>>> It overwrites the first value with the second one. You can also run:
>>>
>>> # service auditd state
>>>
>>> to see what the current value is if your audit daemon is somewhat recent.
>>>
>>> -Steve
>>
>> Hey Steve, a follow up. Is the man page for auditd.conf wrong? My auditd
>> failed to start when giving space_left with a '%' sign.
>
> Usually it writes the reason why in syslog. Does it say anything there?
>
> -Steve
I don't grok systemd, so here's the whole response:
Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2020-01-20 09:27:37 EST; 19min ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 2695 ExecStart=/sbin/auditd (code=exited, status=6)

Jan 20 09:27:36 leam_c7 systemd[1]: Starting Security Auditing Service...
Jan 20 09:27:37 leam_c7 auditd[2695]: Value 25% should only be numbers - line 20
Jan 20 09:27:37 leam_c7 auditd[2695]: The audit daemon is exiting.
Jan 20 09:27:37 leam_c7 systemd[1]: auditd.service: control process exited, code=exited status=6
Jan 20 09:27:37 leam_c7 systemd[1]: Failed to start Security Auditing Service.
Jan 20 09:27:37 leam_c7 systemd[1]: Unit auditd.service entered failed state.
Jan 20 09:27:37 leam_c7 systemd[1]: auditd.service failed.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: Duplicate settings?
From: Steve Grubb @ 2020-01-20 15:23 UTC (permalink / raw)
To: linux-audit; +Cc: Leam Hall
On Monday, January 20, 2020 10:00:06 AM EST Leam Hall wrote:
> On 1/20/20 9:37 AM, Steve Grubb wrote:
> > On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
> >> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
> >>
> >> what happens? Takes the first, takes the last, or what? For example:
> >> space_left = 25
> >> space_left = 100
> >
> > It overwrites the first value with the second one. You can also run:
> >
> > # service auditd state
> >
> > to see what the current value is if your audit daemon is somewhat recent.
>
> Hey Steve, thanks! We're on the default RHEL/CentOS 7 auditd, and
> "state" doesn't show space_left.
2.8.5 and later should have it. You have to be in daemon mode and write_logs
enabled.
-Steve
* Re: Duplicate settings?
From: Steve Grubb @ 2020-01-20 15:28 UTC (permalink / raw)
To: linux-audit; +Cc: Leam Hall
On Monday, January 20, 2020 10:19:59 AM EST Leam Hall wrote:
> On 1/20/20 10:14 AM, Steve Grubb wrote:
> > On Monday, January 20, 2020 10:04:24 AM EST Leam Hall wrote:
> >> On 1/20/20 9:37 AM, Steve Grubb wrote:
> >>> On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
> >>>> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
> >>>> what happens? Takes the first, takes the last, or what? For example:
> >>>>
> >>>> space_left = 25
> >>>> space_left = 100
> >>>
> >>> It overwrites the first value with the second one. You can also run:
> >>>
> >>> # service auditd state
> >>>
> >>> to see what the current value is if your audit daemon is somewhat
> >>> recent.
> >>
> >> Hey Steve, a follow up. Is the man page for auditd.conf wrong? My auditd
> >> failed to start when giving space_left with a '%' sign.
> >
> > Usually it writes the reason why in syslog. Does it say anything there?
>
> I don't grok systemd, so here's the whole response:
>
> Redirecting to /bin/systemctl status auditd.service
> ● auditd.service - Security Auditing Service
> Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled;
> vendor preset: enabled)
> Active: failed (Result: exit-code) since Mon 2020-01-20 09:27:37
> EST; 19min ago
> Docs: man:auditd(8)
> https://github.com/linux-audit/audit-documentation
> Process: 2695 ExecStart=/sbin/auditd (code=exited, status=6)
>
> Jan 20 09:27:36 leam_c7 systemd[1]: Starting Security Auditing Service...
> Jan 20 09:27:37 leam_c7 auditd[2695]: Value 25% should only be numbers -
> line 20
The issue is here ^^^ To use percentages, you have to be on 2.8.5 or later.
-Steve
* Re: Duplicate settings?
From: Leam Hall @ 2020-01-20 15:38 UTC (permalink / raw)
To: linux-audit
On 1/20/20 10:28 AM, Steve Grubb wrote:
> On Monday, January 20, 2020 10:19:59 AM EST Leam Hall wrote:
>> On 1/20/20 10:14 AM, Steve Grubb wrote:
>>> On Monday, January 20, 2020 10:04:24 AM EST Leam Hall wrote:
>>>> On 1/20/20 9:37 AM, Steve Grubb wrote:
>>>>> On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
>>>>>> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
>>>>>> what happens? Takes the first, takes the last, or what? For example:
>>>>>>
>>>>>> space_left = 25
>>>>>> space_left = 100
>>>>>
>>>>> It overwrites the first value with the second one. You can also run:
>>>>>
>>>>> # service auditd state
>>>>>
>>>>> to see what the current value is if your audit daemon is somewhat
>>>>> recent.
>>>>
>>>> Hey Steve, a follow up. Is the man page for auditd.conf wrong? My auditd
>>>> failed to start when giving space_left with a '%' sign.
>>>
>>> Usually it writes the reason why in syslog. Does it say anything there?
>>
>> I don't grok systemd, so here's the whole response:
>>
>> Redirecting to /bin/systemctl status auditd.service
>> ● auditd.service - Security Auditing Service
>> Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled;
>> vendor preset: enabled)
>> Active: failed (Result: exit-code) since Mon 2020-01-20 09:27:37
>> EST; 19min ago
>> Docs: man:auditd(8)
>> https://github.com/linux-audit/audit-documentation
>> Process: 2695 ExecStart=/sbin/auditd (code=exited, status=6)
>>
>> Jan 20 09:27:36 leam_c7 systemd[1]: Starting Security Auditing Service...
>> Jan 20 09:27:37 leam_c7 auditd[2695]: Value 25% should only be numbers -
>> line 20
>
> The issue is here ^^^ To use percentages, you have to be on 2.8.5 or later.
Ah, gotcha! I was using a rebuildable VM for testing, and hadn't
updated. Thanks!
Leam
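
The two behaviours settled in this thread (a later duplicate overwrites the earlier value, and a '%' value for space_left needs auditd 2.8.5 or later) can be checked before restarting the daemon. The script below is an added example, not part of the thread or of the audit project's code; the function names, the sample config and the caller-supplied version string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint an auditd.conf for the two pitfalls from this thread.
# Usage: lint_auditd_conf FILE VERSION   (FILE may be "-" for stdin)
# VERSION is the installed auditd version, supplied by the caller (assumption).
lint_auditd_conf() {
    awk -v have="$2" '
        # older(a, b): 1 when dotted version a is lower than b, else 0.
        function older(a, b,    x, y, i, na, nb, n) {
            na = split(a, x, "."); nb = split(b, y, ".")
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                if (x[i] + 0 < y[i] + 0) return 1
                if (x[i] + 0 > y[i] + 0) return 0
            }
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Checked on every occurrence, not only the last one: the log in
            # the thread shows the daemon rejecting the offending line itself.
            if (key == "space_left" && val ~ /%$/ && older(have, "2.8.5"))
                printf "PERCENT %s: line %d (%s) needs auditd 2.8.5 or later, have %s\n", key, NR, val, have
            # A later assignment overwrites the earlier one (last value wins).
            if (key in seen_line)
                printf "DUPLICATE %s: line %d (%s) overrides line %d (%s)\n", key, NR, val, seen_line[key], seen_val[key]
            seen_line[key] = NR; seen_val[key] = val
        }
    ' "$1"
}

# Constructed sample input, not taken from a real host.
sample_conf() {
    cat <<'EOF'
# constructed auditd.conf fragment
log_file = /var/log/audit/audit.log
space_left = 25%
space_left_action = SYSLOG
space_left = 100
EOF
}

# Demo run against the constructed sample with a constructed version string.
sample_conf | lint_auditd_conf - 2.8.4
```

An empty result means neither pitfall was found; on a real host, pass the path to auditd.conf and the version of the installed audit package.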