Linux-audit Archive on lore.kernel.org
* augenrules --load
From: Joe Wulf @ 2020-09-22 14:13 UTC
  To: linux-audit


When building a new RHEL v7.8 VM manually, I set up the rules desired in /etc/audit/rulesd/audit.rules, with no other changes (because I've wanted to narrow down the issue). After subsequent reboots, with no further changes to any audit rules either, I monitor /var/log/messages and I see occurrences like this:
Sep 22 09:04:24 hostxyz augenrules: /sbin/augenrules: No change
Sep 22 09:04:24 hostxyz augenrules: No rules
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 1
Sep 22 09:04:24 hostxyz augenrules: pid 1242
Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 1
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 2
Sep 22 09:04:24 hostxyz augenrules: pid 1242
Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 0
Sep 22 09:04:24 hostxyz augenrules: usage: auditctl [options]
Sep 22 09:04:24 hostxyz augenrules: -a <l,a>            Append rule to end of <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: -A <l,a>            Add rule at beginning of <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: -b <backlog>        Set max number of outstanding audit buffers
Sep 22 09:04:24 hostxyz augenrules: allowed Default=64
Sep 22 09:04:24 hostxyz augenrules: -c                  Continue through errors in rules
Sep 22 09:04:24 hostxyz augenrules: -C f=f              Compare collected fields if available:
Sep 22 09:04:24 hostxyz augenrules: Field name, operator(=,!=), field name
Sep 22 09:04:24 hostxyz augenrules: -d <l,a>            Delete rule from <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: l=task,exit,user,exclude
Sep 22 09:04:24 hostxyz augenrules: a=never,always
Sep 22 09:04:24 hostxyz augenrules: -D                  Delete all rules and watches
Sep 22 09:04:24 hostxyz augenrules: -e [0..2]           Set enabled flag
Sep 22 09:04:24 hostxyz augenrules: -f [0..2]           Set failure flag
Sep 22 09:04:24 hostxyz augenrules: 0=silent 1=printk 2=panic
Sep 22 09:04:24 hostxyz augenrules: -F f=v              Build rule: field name, operator(=,!=,<,>,<=,
Sep 22 09:04:24 hostxyz augenrules: >=,&,&=) value
Sep 22 09:04:24 hostxyz augenrules: -h                  Help
Sep 22 09:04:24 hostxyz augenrules: -i                  Ignore errors when reading rules from file
Sep 22 09:04:24 hostxyz augenrules: -k <key>            Set filter key on audit rule
Sep 22 09:04:24 hostxyz augenrules: -l                  List rules
Sep 22 09:04:24 hostxyz augenrules: -m text             Send a user-space message
Sep 22 09:04:24 hostxyz augenrules: -p [r|w|x|a]        Set permissions filter on watch
Sep 22 09:04:24 hostxyz augenrules: r=read, w=write, x=execute, a=attribute
Sep 22 09:04:24 hostxyz augenrules: -q <mount,subtree>  make subtree part of mount point's dir watches
Sep 22 09:04:24 hostxyz augenrules: -r <rate>           Set limit in messages/sec (0=none)
Sep 22 09:04:24 hostxyz augenrules: -R <file>           read rules from file
Sep 22 09:04:24 hostxyz augenrules: -s                  Report status
Sep 22 09:04:24 hostxyz augenrules: -S syscall          Build rule: syscall name or number
Sep 22 09:04:24 hostxyz augenrules: -t                  Trim directory watches
Sep 22 09:04:24 hostxyz augenrules: -v                  Version
Sep 22 09:04:24 hostxyz augenrules: -w <path>           Insert watch at <path>
Sep 22 09:04:24 hostxyz augenrules: -W <path>           Remove watch at <path>
Sep 22 09:04:24 hostxyz augenrules: --loginuid-immutable  Make loginuids unchangeable once set
Sep 22 09:04:24 hostxyz augenrules: --reset-lost         Reset the lost record counter
Sep 22 09:04:24 hostxyz systemd: Started Security Auditing Service.
The 'usage' of auditctl is invoked the one time in the 'try_load' function of augenrules. Manual executions of "/sbin/auditctl -R /etc/audit/audit.rules" result in essentially the same behavior on the terminal as found in /var/log/messages.
Should execution of augenrules seemingly error-out on invocation of auditctl like this?
Thank you.
R,
-Joe Wulf

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: augenrules --load
From: Steve Grubb @ 2020-09-22 17:06 UTC
  To: linux-audit

Hello,

This email is formatted very badly. I will try to answer it.

On Tuesday, September 22, 2020 10:13:03 AM EDT Joe Wulf wrote:
> When building a new RHEL v7.8 VM manually, I set up the rules desired in
> /etc/audit/rulesd/audit.rules, no other changes (because I've wanted to
> narrow down the issue). After subsequent reboots, with no further changes
> to any audit rules either; I monitor /var/log/messages and I see
> occurrences like this: Sep 22 09:04:24 hostxyz augenrules:
> /sbin/augenrules: No change

This is normal.

> Sep 22 09:04:24 hostxyz augenrules: No rules
> Sep 22 09:04:24 hostxyz augenrules: enabled 1
> Sep 22 09:04:24 hostxyz augenrules: failure 1
> Sep 22 09:04:24 hostxyz augenrules: pid 1242
> Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
> Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
> Sep 22 09:04:24 hostxyz augenrules: lost 56
> Sep 22 09:04:24 hostxyz augenrules: backlog 1
> Sep 22 09:04:24 hostxyz augenrules: enabled 1
> Sep 22 09:04:24 hostxyz augenrules: failure 2
> Sep 22 09:04:24 hostxyz augenrules: pid 1242
> Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
> Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
> Sep 22 09:04:24 hostxyz augenrules: lost 56
> Sep 22 09:04:24 hostxyz augenrules: backlog 0
> Sep 22 09:04:24 hostxyz augenrules: usage: auditctl [options]
> Sep 22 09:04:24 hostxyz augenrules: -a <l,a>            Append rule to end of <l>ist with <a>ction
> Sep 22 09:04:24 hostxyz augenrules: -A <l,a>            Add rule at beginning of <l>ist with <a>ction
> Sep 22 09:04:24 hostxyz augenrules: -b <backlog>        Set max number of outstanding audit buffers
> Sep 22 09:04:24 hostxyz augenrules: allowed Default=64
> Sep 22 09:04:24 hostxyz augenrules: -c                  Continue through errors in rules
> Sep 22 09:04:24 hostxyz augenrules: -C f=f              Compare collected fields if available:
> Sep 22 09:04:24 hostxyz augenrules: Field name, operator(=,!=), field name
> Sep 22 09:04:24 hostxyz augenrules: -d <l,a>            Delete rule from <l>ist with <a>ction
> Sep 22 09:04:24 hostxyz augenrules: l=task,exit,user,exclude
> Sep 22 09:04:24 hostxyz augenrules: a=never,always
> Sep 22 09:04:24 hostxyz augenrules: -D                  Delete all rules and watches
> Sep 22 09:04:24 hostxyz augenrules: -e [0..2]           Set enabled flag
> Sep 22 09:04:24 hostxyz augenrules: -f [0..2]           Set failure flag
> Sep 22 09:04:24 hostxyz augenrules: 0=silent 1=printk 2=panic
> Sep 22 09:04:24 hostxyz augenrules: -F f=v              Build rule: field name, operator(=,!=,<,>,<=,
> Sep 22 09:04:24 hostxyz augenrules: >=,&,&=) value
> Sep 22 09:04:24 hostxyz augenrules: -h                  Help
> Sep 22 09:04:24 hostxyz augenrules: -i                  Ignore errors when reading rules from file
> Sep 22 09:04:24 hostxyz augenrules: -k <key>            Set filter key on audit rule
> Sep 22 09:04:24 hostxyz augenrules: -l                  List rules
> Sep 22 09:04:24 hostxyz augenrules: -m text             Send a user-space message
> Sep 22 09:04:24 hostxyz augenrules: -p [r|w|x|a]        Set permissions filter on watch
> Sep 22 09:04:24 hostxyz augenrules: r=read, w=write, x=execute, a=attribute
> Sep 22 09:04:24 hostxyz augenrules: -q <mount,subtree>  make subtree part of mount point's dir watches
> Sep 22 09:04:24 hostxyz augenrules: -r <rate>           Set limit in messages/sec (0=none)
> Sep 22 09:04:24 hostxyz augenrules: -R <file>           read rules from file
> Sep 22 09:04:24 hostxyz augenrules: -s                  Report status
> Sep 22 09:04:24 hostxyz augenrules: -S syscall          Build rule: syscall name or number
> Sep 22 09:04:24 hostxyz augenrules: -t                  Trim directory watches
> Sep 22 09:04:24 hostxyz augenrules: -v                  Version
> Sep 22 09:04:24 hostxyz augenrules: -w <path>           Insert watch at <path>
> Sep 22 09:04:24 hostxyz augenrules: -W <path>           Remove watch at <path>
> Sep 22 09:04:24 hostxyz augenrules: --loginuid-immutable  Make loginuids unchangeable once set
> Sep 22 09:04:24 hostxyz augenrules: --reset-lost         Reset the lost record counter
> Sep 22 09:04:24 hostxyz systemd: Started Security Auditing Service.
> The 'usage' of auditctl is invoked the one time in the 'try_load'
> function of augenrules. Manual executions of "/sbin/auditctl -R
> /etc/audit/audit.rules" result in essentially the same behavior on the
> terminal as found in /var/log/messages. Should execution of augenrules
> seemingly error-out on invocation of auditctl like this?

It should be telling you which line it didn't like. That is unless you have a 
"-h" in the rules. Or an option that doesn't match. You should look over the 
rules carefully. Something in there is a typo.

I revised the error message for unmatched options to print the line number 
instead of usage.

-Steve
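Steve's point is that auditctl falls back to printing its usage when it meets an option it does not recognise, and his fix reports the offending line number instead. As an added example (not code from the audit project or from this thread), the following pre-flight check does the same thing on a rules file before augenrules ever runs; it assumes the auditctl option set exactly as quoted in the thread above, and a constructed sample file with deliberate typos.

```python
"""Pre-flight linter for an auditd rules file (added example, not audit project code).
Reports by line number what auditctl would reject: an option absent from the usage
text quoted in the thread, an option missing its value, or a stray -h.
Assumption: the option table is built only from that quoted usage text."""
import shlex

# Options that take a value, and bare flags, per the quoted usage text.
OPTS_WITH_ARG = {"-a", "-A", "-b", "-C", "-d", "-e", "-f", "-F", "-k", "-m",
                 "-p", "-q", "-r", "-R", "-S", "-w", "-W"}
FLAG_OPTS = {"-c", "-D", "-h", "-i", "-l", "-s", "-t", "-v",
             "--loginuid-immutable", "--reset-lost"}

# Constructed sample: lines 5, 6 and 7 each carry one defect.
SAMPLE_RULES = """\
# constructed sample rules file
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -K exec
-w /etc/shadow -p wa -h
-a always,exit -F arch=b64 -S openat -k
"""

def lint_rules(text):
    """Return [(line_number, message)] for every line auditctl would reject."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # shlex splits quoted values the way a shell would before auditctl sees them
        tokens = shlex.split(raw, comments=True)
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in OPTS_WITH_ARG:
                if i + 1 >= len(tokens):
                    problems.append((lineno, f"option {tok} is missing its value"))
                i += 2
            elif tok in FLAG_OPTS:
                if tok == "-h":
                    problems.append((lineno, "-h makes auditctl print usage and stop"))
                i += 1
            else:
                problems.append((lineno, f"unknown option {tok!r}"))
                # treat a following non-dash token as the typo's intended value
                i += 2 if i + 1 < len(tokens) and not tokens[i + 1].startswith("-") else 1
    return problems
```

Run `lint_rules` over the concatenated contents of /etc/audit/rules.d/*.rules to get the line numbers before auditctl is asked to load them.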

