augenrules --load

From: Joe Wulf
To: linux-audit
Date: 2020-09-22 14:13 UTC

When building a new RHEL v7.8 VM manually, I set up the rules desired in /etc/audit/rulesd/audit.rules, no other changes (because I've wanted to narrow down the issue). After subsequent reboots, with no further changes to any audit rules either, I monitor /var/log/messages and I see occurrences like this:

Sep 22 09:04:24 hostxyz augenrules: /sbin/augenrules: No change
Sep 22 09:04:24 hostxyz augenrules: No rules
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 1
Sep 22 09:04:24 hostxyz augenrules: pid 1242
Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 1
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 2
Sep 22 09:04:24 hostxyz augenrules: pid 1242
Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 0
Sep 22 09:04:24 hostxyz augenrules: usage: auditctl [options]
Sep 22 09:04:24 hostxyz augenrules: -a <l,a> Append rule to end of <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: -A <l,a> Add rule at beginning of <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: -b <backlog> Set max number of outstanding audit buffers
Sep 22 09:04:24 hostxyz augenrules: allowed Default=64
Sep 22 09:04:24 hostxyz augenrules: -c Continue through errors in rules
Sep 22 09:04:24 hostxyz augenrules: -C f=f Compare collected fields if available:
Sep 22 09:04:24 hostxyz augenrules: Field name, operator(=,!=), field name
Sep 22 09:04:24 hostxyz augenrules: -d <l,a> Delete rule from <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: l=task,exit,user,exclude
Sep 22 09:04:24 hostxyz augenrules: a=never,always
Sep 22 09:04:24 hostxyz augenrules: -D Delete all rules and watches
Sep 22 09:04:24 hostxyz augenrules: -e [0..2] Set enabled flag
Sep 22 09:04:24 hostxyz augenrules: -f [0..2] Set failure flag
Sep 22 09:04:24 hostxyz augenrules: 0=silent 1=printk 2=panic
Sep 22 09:04:24 hostxyz augenrules: -F f=v Build rule: field name, operator(=,!=,<,>,<=,
Sep 22 09:04:24 hostxyz augenrules: >=,&,&=) value
Sep 22 09:04:24 hostxyz augenrules: -h Help
Sep 22 09:04:24 hostxyz augenrules: -i Ignore errors when reading rules from file
Sep 22 09:04:24 hostxyz augenrules: -k <key> Set filter key on audit rule
Sep 22 09:04:24 hostxyz augenrules: -l List rules
Sep 22 09:04:24 hostxyz augenrules: -m text Send a user-space message
Sep 22 09:04:24 hostxyz augenrules: -p [r|w|x|a] Set permissions filter on watch
Sep 22 09:04:24 hostxyz augenrules: r=read, w=write, x=execute, a=attribute
Sep 22 09:04:24 hostxyz augenrules: -q <mount,subtree> make subtree part of mount point's dir watches
Sep 22 09:04:24 hostxyz augenrules: -r <rate> Set limit in messages/sec (0=none)
Sep 22 09:04:24 hostxyz augenrules: -R <file> read rules from file
Sep 22 09:04:24 hostxyz augenrules: -s Report status
Sep 22 09:04:24 hostxyz augenrules: -S syscall Build rule: syscall name or number
Sep 22 09:04:24 hostxyz augenrules: -t Trim directory watches
Sep 22 09:04:24 hostxyz augenrules: -v Version
Sep 22 09:04:24 hostxyz augenrules: -w <path> Insert watch at <path>
Sep 22 09:04:24 hostxyz augenrules: -W <path> Remove watch at <path>
Sep 22 09:04:24 hostxyz augenrules: --loginuid-immutable Make loginuids unchangeable once set
Sep 22 09:04:24 hostxyz augenrules: --reset-lost Reset the lost record counter
Sep 22 09:04:24 hostxyz systemd: Started Security Auditing Service.

The 'usage' of auditctl is invoked the one time in the 'try_load' function of augenrules.

Manual executions of "/sbin/auditctl -R /etc/audit/audit.rules" result in essentially the same behavior on the terminal as found in /var/log/messages.

Should execution of augenrules seemingly error out on invocation of auditctl like this?

Thank you.

R,
-Joe Wulf

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: augenrules --load

From: Steve Grubb
To: linux-audit
Date: 2020-09-22 17:06 UTC

Hello,

This email is formatted very badly. I will try to answer it.

On Tuesday, September 22, 2020 10:13:03 AM EDT Joe Wulf wrote:
> When building a new RHEL v7.8 VM manually, I set up the rules desired in
> /etc/audit/rulesd/audit.rules, no other changes (because I've wanted to
> narrow down the issue). After subsequent reboots, with no further changes
> to any audit rules either; I monitor /var/log/messages and I see
> occurrences like this:
>
> Sep 22 09:04:24 hostxyz augenrules: /sbin/augenrules: No change

This is normal.

> Sep 22 09:04:24 hostxyz augenrules: No rules
> Sep 22 09:04:24 hostxyz augenrules: enabled 1
> Sep 22 09:04:24 hostxyz augenrules: failure 1
> Sep 22 09:04:24 hostxyz augenrules: pid 1242
> Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
> Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
> Sep 22 09:04:24 hostxyz augenrules: lost 56
> Sep 22 09:04:24 hostxyz augenrules: backlog 1
> Sep 22 09:04:24 hostxyz augenrules: enabled 1
> Sep 22 09:04:24 hostxyz augenrules: failure 2
> Sep 22 09:04:24 hostxyz augenrules: pid 1242
> Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
> Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
> Sep 22 09:04:24 hostxyz augenrules: lost 56
> Sep 22 09:04:24 hostxyz augenrules: backlog 0
> Sep 22 09:04:24 hostxyz augenrules: usage: auditctl [options]
> Sep 22 09:04:24 hostxyz augenrules: -a <l,a> Append rule to end of <l>ist with <a>ction
> Sep 22 09:04:24 hostxyz augenrules: -A <l,a> Add rule at beginning of <l>ist with <a>ction
> Sep 22 09:04:24 hostxyz augenrules: -b <backlog> Set max number of outstanding audit buffers
> Sep 22 09:04:24 hostxyz augenrules: allowed Default=64
> Sep 22 09:04:24 hostxyz augenrules: -c Continue through errors in rules
> Sep 22 09:04:24 hostxyz augenrules: -C f=f Compare collected fields if available:
> Sep 22 09:04:24 hostxyz augenrules: Field name, operator(=,!=), field name
> Sep 22 09:04:24 hostxyz augenrules: -d <l,a> Delete rule from <l>ist with <a>ction
> Sep 22 09:04:24 hostxyz augenrules: l=task,exit,user,exclude
> Sep 22 09:04:24 hostxyz augenrules: a=never,always
> Sep 22 09:04:24 hostxyz augenrules: -D Delete all rules and watches
> Sep 22 09:04:24 hostxyz augenrules: -e [0..2] Set enabled flag
> Sep 22 09:04:24 hostxyz augenrules: -f [0..2] Set failure flag
> Sep 22 09:04:24 hostxyz augenrules: 0=silent 1=printk 2=panic
> Sep 22 09:04:24 hostxyz augenrules: -F f=v Build rule: field name, operator(=,!=,<,>,<=,
> Sep 22 09:04:24 hostxyz augenrules: >=,&,&=) value
> Sep 22 09:04:24 hostxyz augenrules: -h Help
> Sep 22 09:04:24 hostxyz augenrules: -i Ignore errors when reading rules from file
> Sep 22 09:04:24 hostxyz augenrules: -k <key> Set filter key on audit rule
> Sep 22 09:04:24 hostxyz augenrules: -l List rules
> Sep 22 09:04:24 hostxyz augenrules: -m text Send a user-space message
> Sep 22 09:04:24 hostxyz augenrules: -p [r|w|x|a] Set permissions filter on watch
> Sep 22 09:04:24 hostxyz augenrules: r=read, w=write, x=execute, a=attribute
> Sep 22 09:04:24 hostxyz augenrules: -q <mount,subtree> make subtree part of mount point's dir watches
> Sep 22 09:04:24 hostxyz augenrules: -r <rate> Set limit in messages/sec (0=none)
> Sep 22 09:04:24 hostxyz augenrules: -R <file> read rules from file
> Sep 22 09:04:24 hostxyz augenrules: -s Report status
> Sep 22 09:04:24 hostxyz augenrules: -S syscall Build rule: syscall name or number
> Sep 22 09:04:24 hostxyz augenrules: -t Trim directory watches
> Sep 22 09:04:24 hostxyz augenrules: -v Version
> Sep 22 09:04:24 hostxyz augenrules: -w <path> Insert watch at <path>
> Sep 22 09:04:24 hostxyz augenrules: -W <path> Remove watch at <path>
> Sep 22 09:04:24 hostxyz augenrules: --loginuid-immutable Make loginuids unchangeable once set
> Sep 22 09:04:24 hostxyz augenrules: --reset-lost Reset the lost record counter
> Sep 22 09:04:24 hostxyz systemd: Started Security Auditing Service.
>
> The 'usage' of auditctl is invoked the one time in the 'try_load'
> function of augenrules. Manual executions of "/sbin/auditctl -R
> /etc/audit/audit.rules" result in essentially the same behavior on the
> terminal as found in /var/log/messages. Should execution of augenrules
> seemingly error out on invocation of auditctl like this?

It should be telling you which line it didn't like. That is unless you have a "-h" in the rules. Or an option that doesn't match. You should look over the rules carefully. Something in there is a typo.

I revised the error message for unmatched options to print the line number instead of usage.

-Steve
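Steve's diagnosis above, that a stray "-h" or an option auditctl does not recognize is what turns a rule load into a usage dump, can be checked offline before augenrules ever runs. The following is an added example and not code from the thread or from the audit project: a small Python linter whose option tables are transcribed from the auditctl usage text quoted in the thread, and whose SAMPLE_RULES is a constructed file, not the poster's.

```python
# Added example (not from the thread or the audit project): re-check an
# audit.rules file offline and name the offending line and token, the
# behaviour Steve Grubb says he gave auditctl in place of its usage dump.
# Option tables are transcribed from the auditctl usage quoted in the thread.
import shlex

# Options that consume the next token as their argument.
OPTS_WITH_ARG = {"-a", "-A", "-b", "-C", "-d", "-e", "-f", "-F", "-k", "-m",
                 "-p", "-q", "-r", "-R", "-S", "-w", "-W"}
# Options that stand alone.
OPTS_NO_ARG = {"-c", "-D", "-h", "-i", "-l", "-s", "-t", "-v",
               "--loginuid-immutable", "--reset-lost"}


def lint_rules(text):
    """Return [(line_number, token, reason), ...]; blank/'#' lines are skipped."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError as exc:  # unbalanced quotes in a -k or -m value
            problems.append((lineno, line, f"unparsable line: {exc}"))
            continue
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in OPTS_NO_ARG:
                if tok == "-h":  # auditctl prints usage and stops loading here
                    problems.append((lineno, tok, "-h in a rules file"))
                i += 1
            elif tok in OPTS_WITH_ARG:
                if i + 1 >= len(tokens):
                    problems.append((lineno, tok, "option requires an argument"))
                i += 2
            else:  # auditctl gives up on the line at the first unknown option
                problems.append((lineno, tok, "unrecognized option"))
                break
    return problems


SAMPLE_RULES = """\
# constructed sample audit.rules (not the poster's file); line 5 has a typo
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b64 -S openat -K typo_key
"""
```

Running lint_rules(SAMPLE_RULES) reports line 5 and the token "-K", which is the pointer the syslog usage dump in the thread never gives.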