All of lore.kernel.org
 help / color / mirror / Atom feed
From: Steve Grubb <sgrubb@redhat.com>
To: Linux Audit <linux-audit@redhat.com>
Subject: Re: augenrules: -F missing operation for -k
Date: Thu, 20 May 2021 14:38:30 -0400	[thread overview]
Message-ID: <11753387.O9o76ZdvQC@x2> (raw)
In-Reply-To: <2102583.irdbgypaU6@x2>

Hello,

On Thursday, May 20, 2021 12:08:56 PM EDT Steve Grubb wrote:
> On Thursday, May 20, 2021 10:56:00 AM EDT warron.french wrote:
> > Does anybody know what this error means?
> > augenrules: -F missing operation for -k
> > 
> > I cannot figure out what rule is causing this, so I need a little
> > more context to figure out what to look for in my *.rules files under
> > /etc/audit/rules.d.
> 
> It means there is no value associated with a -F name=value construct.

Actually, I misspoke. In the name=vale portion, it didn't find the '=' where 
one was expected. Since it mentions '-k', you might be mixing watch syntax 
with syscall syntax.  -k keyname is valid with watches.  For syscalls its -F 
key=keyname.

-Steve

> I am thinking syslog should have the line number in the rules where this
> comes from.  Do you a -k some where that doesn't look right?




--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


  reply	other threads:[~2021-05-20 18:38 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-20 14:56 augenrules: -F missing operation for -k warron.french
2021-05-20 16:08 ` Steve Grubb
2021-05-20 18:38   ` Steve Grubb [this message]
2021-05-26 13:41     ` warron.french

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=11753387.O9o76ZdvQC@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.