From: Joe Wulf
To: "linux-audit@redhat.com"
Date: Tue, 22 Sep 2020 14:13:03 +0000 (UTC)
Subject: augenrules --load
Message-ID: <738651663.5183625.1600783983768@mail.yahoo.com>
List-Id: Linux Audit Discussion

When building a new RHEL v7.8 VM manually, I set up the rules desired in /etc/audit/rulesd/audit.rules, no other changes (because I've wanted to narrow down the issue). After subsequent reboots, with no further changes to any audit rules either, I monitor /var/log/messages and I see occurrences like this:

Sep 22 09:04:24 hostxyz augenrules: /sbin/augenrules: No change
Sep 22 09:04:24 hostxyz augenrules: No rules
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 1
Sep 22 09:04:24 hostxyz augenrules: pid 1242
Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 1
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 2
Sep 22 09:04:24 hostxyz augenrules: pid 1242
Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 0
Sep 22 09:04:24 hostxyz augenrules: usage: auditctl [options]
Sep 22 09:04:24 hostxyz augenrules: -a <l,a>            Append rule to end of <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: -A <l,a>            Add rule at beginning of <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: -b <backlog>        Set max number of outstanding audit buffers
Sep 22 09:04:24 hostxyz augenrules: allowed Default=64
Sep 22 09:04:24 hostxyz augenrules: -c                  Continue through errors in rules
Sep 22 09:04:24 hostxyz augenrules: -C f=f              Compare collected fields if available:
Sep 22 09:04:24 hostxyz augenrules: Field name, operator(=,!=), field name
Sep 22 09:04:24 hostxyz augenrules: -d <l,a>            Delete rule from <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: l=task,exit,user,exclude
Sep 22 09:04:24 hostxyz augenrules: a=never,always
Sep 22 09:04:24 hostxyz augenrules: -D                  Delete all rules and watches
Sep 22 09:04:24 hostxyz augenrules: -e [0..2]           Set enabled flag
Sep 22 09:04:24 hostxyz augenrules: -f [0..2]           Set failure flag
Sep 22 09:04:24 hostxyz augenrules: 0=silent 1=printk 2=panic
Sep 22 09:04:24 hostxyz augenrules: -F f=v              Build rule: field name, operator(=,!=,<,>,<=,
Sep 22 09:04:24 hostxyz augenrules: >=,&,&=) value
Sep 22 09:04:24 hostxyz augenrules: -h                  Help
Sep 22 09:04:24 hostxyz augenrules: -i                  Ignore errors when reading rules from file
Sep 22 09:04:24 hostxyz augenrules: -k <key>            Set filter key on audit rule
Sep 22 09:04:24 hostxyz augenrules: -l                  List rules
Sep 22 09:04:24 hostxyz augenrules: -m text             Send a user-space message
Sep 22 09:04:24 hostxyz augenrules: -p [r|w|x|a]        Set permissions filter on watch
Sep 22 09:04:24 hostxyz augenrules: r=read, w=write, x=execute, a=attribute
Sep 22 09:04:24 hostxyz augenrules: -q <mount,subtree>  make subtree part of mount point's dir watches
Sep 22 09:04:24 hostxyz augenrules: -r <rate>           Set limit in messages/sec (0=none)
Sep 22 09:04:24 hostxyz augenrules: -R <file>           read rules from file
Sep 22 09:04:24 hostxyz augenrules: -s                  Report status
Sep 22 09:04:24 hostxyz augenrules: -S syscall          Build rule: syscall name or number
Sep 22 09:04:24 hostxyz augenrules: -t                  Trim directory watches
Sep 22 09:04:24 hostxyz augenrules: -v                  Version
Sep 22 09:04:24 hostxyz augenrules: -w <path>           Insert watch at <path>
Sep 22 09:04:24 hostxyz augenrules: -W <path>           Remove watch at <path>
Sep 22 09:04:24 hostxyz augenrules: --loginuid-immutable  Make loginuids unchangeable once set
Sep 22 09:04:24 hostxyz augenrules: --reset-lost         Reset the lost record counter
Sep 22 09:04:24 hostxyz systemd: Started Security Auditing Service.

The 'usage' of auditctl is invoked the one time in the 'try_load' function of augenrules.  Manual executions of "/sbin/auditctl -R /etc/audit/audit.rules" result in essentially the same behavior on the terminal as found in /var/log/messages.

Should execution of augenrules seemingly error-out on invocation of auditctl like this?

Thank you.

R,
-Joe Wulf
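A log check for the symptom reported above, added here as an example and not part of the original message: it scans syslog text for augenrules lines, collects the audit status reports, and flags any boot where auditctl printed its usage text or the kernel reported lost records. The function names `scan` and `findings` are hypothetical, the sample is constructed from the log quoted in the message, and the line format is assumed to match the /var/log/messages lines shown there.

```python
import re

# Constructed sample, shortened from the log quoted in the message above.
SAMPLE = """\
Sep 22 09:04:24 hostxyz augenrules: /sbin/augenrules: No change
Sep 22 09:04:24 hostxyz augenrules: No rules
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 1
Sep 22 09:04:24 hostxyz augenrules: pid 1242
Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 1
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 2
Sep 22 09:04:24 hostxyz augenrules: pid 1242
Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 0
Sep 22 09:04:24 hostxyz augenrules: usage: auditctl [options]
Sep 22 09:04:24 hostxyz augenrules: -a <l,a>            Append rule to end of <l>ist with <a>ction
Sep 22 09:04:24 hostxyz systemd: Started Security Auditing Service.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) augenrules(?:\[\d+\])?: (.*)$")
STATUS = re.compile(r"^(enabled|failure|pid|rate_limit|backlog_limit|lost|backlog) (\d+)$")

def scan(text):
    """Return (status_reports, usage_hits) for the augenrules lines in syslog text."""
    reports, usage_hits = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other programs (e.g. systemd) are ignored
        stamp, host, msg = m.groups()
        s = STATUS.match(msg)
        if s:
            if s.group(1) == "enabled" or not reports:  # "enabled" opens a new report
                reports.append({})
            reports[-1][s.group(1)] = int(s.group(2))
        elif msg.startswith("usage: auditctl"):
            usage_hits.append((stamp, host))
    return reports, usage_hits

def findings(text):
    """Human-readable alerts: usage text seen during rule load, lost audit records."""
    reports, usage_hits = scan(text)
    out = [f"{h} {t}: auditctl printed its usage text during rule load" for t, h in usage_hits]
    if reports and reports[-1].get("lost", 0) > 0:
        out.append(f"kernel reports {reports[-1]['lost']} lost audit records")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```
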