linux-audit.redhat.com archive mirror
* small patch for issue with rules that have been (incorrectly) copied from Windows
@ 2023-02-10 23:37 Carlos De Avillez
  2023-04-13 16:23 ` Carlos De Avillez
  0 siblings, 1 reply; 4+ messages in thread
From: Carlos De Avillez @ 2023-02-10 23:37 UTC
  To: linux-audit

Hello,

We have had at least a few instances where customers configured audit rules on Windows, and then incorrectly
moved the resulting '.rules' files to Linux.

These files still had the Windows line terminator (CRLF). 'augenrules' read them without issues and generated the
/etc/audit/audit.rules file.

But on loading the new audit.rules, 'auditctl -R' will receive a bad return code, and stop loading the rules. The
resulting error is a bit on the cryptic side, and our customers do not seem to catch it easily.

The proposed fix is simple, and resolves the issue when using 'augenrules'. Of course, if someone generates
/etc/audit/audit.rules directly, it could still fail, but I understand that we are moving to using 'augenrules' by
default.

Patch (against current head) is below.

Cheers,

..Carlos..

From 4ccae6353500d3870d4da8905ed01d18d36b066a Mon Sep 17 00:00:00 2001
From: C de-Avillez <cadeavil@microsoft.com>
Date: Fri, 10 Feb 2023 17:16:09 -0600
Subject: [PATCH] augenrules: make sure no lines in *.rules ends in CRLF,
 otherwise 'auditctl -R' will then fail to fully load the rules.

---
 init.d/augenrules | 1 +
 1 file changed, 1 insertion(+)

diff --git a/init.d/augenrules b/init.d/augenrules
index edb2199..f74c6e2 100644
--- a/init.d/augenrules
+++ b/init.d/augenrules
@@ -84,6 +84,7 @@ BEGIN   {
         minus_b = "";
         rest = 0;
 } {
+        sub(/\r$/, "");
         if (length($0) < 1) { next; }
         if (match($0, "^\\s*#")) { next; }
         if (match($0, "^\\s*-e")) { minus_e = $0; next; }
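Review bot: the added sub(/\r$/, "") at the top of the main block removes exactly one trailing carriage return and carries no comment saying why it is there. A line that ends in more than one CR would still carry a CR past this point; sub(/\r+$/, "") covers that case. A one-line comment noting that this strips CRLF terminators from rule files edited on Windows would keep the line from being dropped in a later cleanup. Its position ahead of the length($0) < 1 check is right, since a line holding only a CR then counts as empty and is skipped.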
-- 
2.34.1



 
  

  
Carlos de Avillez
Senior Escalation Engineer
Microsoft Azure Technical Support
Customer Service and Support

  

  

  
 


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
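
A pre-flight check for the failure described in the message above, as an added example that is not part of the thread or of audit-userspace: it reports every CR-terminated line in the given rule files, which also covers an audit.rules written by hand rather than by 'augenrules'. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of audit-userspace: report CR-terminated lines in
# audit rule files before they reach 'auditctl -R'.

# Print "file:line" for each line ending in a carriage return.
# Returns 0 if every file is clean, 1 if any CR was found, 2 on unreadable input.
find_cr_lines() {
    found=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "cannot read: $f" >&2
            return 2
        fi
        # LF is awk's record separator, so a CRLF line keeps its CR as the
        # last character of $0; this is the same /\r$/ test the patch uses.
        if ! awk -v name="$f" '
            /\r$/ { printf "%s:%d\n", name, NR; bad = 1 }
            END   { exit (bad ? 1 : 0) }' "$f"; then
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: one rules file saved with CRLF, one with LF.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\r\n' '-w /etc/passwd -p wa -k identity' \
                    '-w /etc/shadow -p wa -k identity' > "$dir/10-windows.rules"
    printf '%s\n' '-w /etc/sudoers -p wa -k scope' > "$dir/20-unix.rules"
    rc=0
    (cd "$dir" && find_cr_lines 10-windows.rules 20-unix.rules) || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Typical use on a host (default augenrules locations):
#   find_cr_lines /etc/audit/rules.d/*.rules /etc/audit/audit.rules
```

A non-zero return can gate a deployment step so that a CRLF file is rejected with a file and line number instead of surfacing later as a partial rule load.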



* Re: small patch for issue with rules that have been (incorrectly) copied from Windows
  2023-02-10 23:37 small patch for issue with rules that have been (incorrectly) copied from Windows Carlos De Avillez
@ 2023-04-13 16:23 ` Carlos De Avillez
  2023-04-13 18:50   ` Paul Moore
  2023-04-14 14:50   ` Steve Grubb
  0 siblings, 2 replies; 4+ messages in thread
From: Carlos De Avillez @ 2023-04-13 16:23 UTC
  To: linux-audit



Hello again,

Just checking if there is interest in the below.

Cheers,


Carlos de Avillez

Senior Escalation Engineer
Microsoft Azure Technical Support
Customer Service and Support


* Re: small patch for issue with rules that have been (incorrectly) copied from Windows
  2023-04-13 16:23 ` Carlos De Avillez
@ 2023-04-13 18:50   ` Paul Moore
  2023-04-14 14:50   ` Steve Grubb
  1 sibling, 0 replies; 4+ messages in thread
From: Paul Moore @ 2023-04-13 18:50 UTC
  To: Carlos De Avillez; +Cc: linux-audit

On Thu, Apr 13, 2023 at 12:25 PM Carlos De Avillez
<Carlos.DeAvillez@microsoft.com> wrote:
>
> Hello again,
>
> Just checking if there is interest in the below.

I noticed that your email ended up in my spam folder, likely because
it was not plaintext, but who knows for sure.  You might want to try
posting your patch as a GitHub PR since it looks like Steve checks
both the mailing list and GitHub for patches.

* https://github.com/linux-audit/audit-userspace

-- 
paul-moore.com


* Re: small patch for issue with rules that have been (incorrectly) copied from Windows
  2023-04-13 16:23 ` Carlos De Avillez
  2023-04-13 18:50   ` Paul Moore
@ 2023-04-14 14:50   ` Steve Grubb
  1 sibling, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2023-04-14 14:50 UTC
  To: linux-audit

Hello,

On Thursday, April 13, 2023 12:23:31 PM EDT Carlos De Avillez wrote:
> Just checking if there is interest in the below.

Applied. Thanks!

-Steve

