AE>  Is there any reason why (...) auditctl -R don't print errors to stdout
when rules parsing errors occur?

SG> If it's detected that the rules are in a file, they get sent to syslog
because
     > 99.99% of the time, this is system boot or initscripts and we need
to make
     > the problem discoverable later by the system admin.

I assume you meant "if it's detected that there are errors in the rules in
a rules file".
IMHO the stream to which errors are output (syslog or stdout) should be
configurable,
as it is *very* confusing to run auditctl -R manually and get no errors
when there is an
error in rules parsing. It forces the user to always run "auditctl -R" and
"auditctl -l" to check
if the rules are indeed active, which is not intuitive at all. Regarding
the initscript use case,
I think it's also very common to use "auditctl -R" while creating new audit
rules.

On Wed, Mar 10, 2021 at 4:06 PM Steve Grubb <sgrubb@redhat.com> wrote:

> On Wednesday, March 10, 2021 5:53:42 AM EST Alan Evangelista wrote:
> > OM> Not sure if this is it, but there is a "-" missing before the "S"
> > before "renameat2".
> >
> > This was indeed the issue. I found our that was the issue when I ran
> > "auditctl -l". Thank you.
> >
> > Is there any reason why augenrules
>
> It has no idea about the rules, it simply compiles the master list.
>
> > and auditctl -R don't print errors to stdout when rules parsing errors
> > occur?
>
> If it's detected that the rules are in a file, they get sent to syslog
> because
> 99.99% of the time, this is system boot or initscripts and we need to make
> the problem discoverable later by the system admin.
>
> -Steve
>
>
>