From: Steve Grubb <sgrubb@redhat.com>
To: "warron.french" <warron.french@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: Problem with syntax?
Date: Mon, 13 Nov 2017 20:35:36 -0500
Message-ID: <2392328.eNv5bkhLPz@x2>
In-Reply-To: <CAJdJdQkCeQNhsU319yxpOqyd-b9bEH+DCcEwtA2GpYqh2TkuHA@mail.gmail.com>
On Monday, November 13, 2017 8:12:44 PM EST warron.french wrote:
> So, I wonder why I am having a problem on line #65 then.
Because it's a duplicate of 58.
> Or does the error actually mean after line 65?
Nope. It means 65. Just delete one or the other and you should be fine.
-Steve
> On Mon, Nov 13, 2017 at 3:12 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Friday, November 10, 2017 1:32:34 PM EST warron.french wrote:
> > > Steve, can you help me with this please?
> > > Somehow this slipped past our QA process, but I have an error popping up in
> > > /var/log/boot.log indicating:
> > > 28 Starting auditd: ^[[60G[^[[0;32m OK ^[[0;39m]^M
> > > 29 Error sending add rule data request (Rule exists)
> > > 30 There was an error in line 65 of /etc/audit/audit.rules
> > >
> > > Lines 28-30 are the only range of line numbers indicating a problem in the boot.log.
> > >
> > > I will post a copy of the /etc/audit/audit.rules (for my RHEL6 system) below (with line numbers included for navigation):
> > > 1 # This file managed by puppet module: osconfig_eita_mgmt
> > > 2 # DO NOT ALTER outside of the Puppet Framework.
> > > 3 #
> > > 4 #
> > > 5 # First rule - delete all
> > > 6 -D
> > > 7 # Increase the buffers to survive stress events.
> > > 8 # Make this bigger for busy systems
> > > 9 -b 8192
> > > 10 # PANIC on audit failure
> > > 11 -f 2
> > > 12 #
> > > 13 # ACTION (-a) Rules
> > > 14 # Filters out noisy cron related messages
> > > 15 -a never,user -F subj_type=crond_t
> > > 16 #
> > > 17 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
> > > 18 -a always,exit -F arch=b32 -S adjtimex -S stime -S settimeofday -S clock_settime -k audit_time_rules
> > > 19 -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
> > > 20 -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 21 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid=0 -k perm_mod
> > > 22 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 23 -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
> > > 24 -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 25 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod
> > > 26 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 27 -a always,exit -F arch=b32 -S clock_settime -k time-change
> > > 28 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
> > > 29 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
> > > 30 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access
> > > 31 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
> > > 32 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
> > > 33 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
> > > 34 -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
> > > 35 -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 36 -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
> > > 37 -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 38 -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
> > > 39 -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 40 -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
> > > 41 -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 42 -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
> > > 43 -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 44 -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
> > > 45 -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 46 -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
> > > 47 -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
> > > 48 -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 49 -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
> > > 50 -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 51 -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
> > > 52 -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 53 -a always,exit -F arch=b32 -S mount -F auid=0 -k export
> > > 54 -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
> > > 55 -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
> > > 56 -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 57 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
> > > 58 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
> > > 59 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
> > > 60 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
> > > 61 -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
> > > 62 -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 63 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod
> > > 64 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 65 -a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
> > >
> > > I noticed that lines 58 and 65 seem to be "duplicates" although the syntax has some elements swapped.
> > >
> > > So, what I don't understand is why is line #58 OK, if line #65 is not?
> >
> > Both have correct syntax.
> >
> > > Are lines of "duplicate syntax" not legal?
> >
> > Nope. The kernel prevents multiple copies of the same rule. Even though the syscalls are in a different order, fundamentally they are the same. The syscalls get mapped into a bit mask and that is what is sent to the kernel. So, the syscalls can be in complete reverse order but will result in the same bit mask.
> >
> > -Steve
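Steve's point above (the syscall list becomes a bit mask, so line 65 is the same rule as line 58 whatever the order of the -S options) suggests a pre-deployment check for a configuration-managed rules file: canonicalise every `-a` rule and flag repeats before auditd loads the file and stops at "Rule exists". The script below is an added example, not code from this thread or from the audit project. It assumes, following the thread, that syscall order is irrelevant; that `always,exit` and `exit,always` name the same rule (auditctl accepts either order); that `-k foo` is shorthand for `-F key=foo`; and, as an assumption the thread does not address, that `-F` fields are compared in the order written, so two rules differing only in field order are reported as distinct. Only `-a`/`-A` syscall rules are checked; `-w` watches and control lines such as `-D`, `-b` and `-f` are skipped. The embedded sample is a constructed excerpt modelled on the quoted file, with a ninth line added to exercise the action-order and comma-separated `-S` spellings.

```python
#!/usr/bin/env python3
"""Flag audit.rules lines the kernel would reject as duplicates ("Rule exists").

Added example; not code from the thread or from the audit project.
"""
import shlex
import sys


def canonical_rule(line):
    """Return a hashable canonical form of one '-a'/'-A' syscall rule.

    Returns None for blank lines, comments and every other rule type
    (-D, -b, -f, -w watches, ...), which this checker does not cover.
    """
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] not in ("-a", "-A"):
        return None
    action_list = None
    syscalls = set()   # order-insensitive: the kernel only sees a bit mask
    fields = []        # assumption: -F field order is significant
    i = 0
    while i + 1 < len(tokens):
        opt, arg = tokens[i], tokens[i + 1]
        if opt in ("-a", "-A"):
            # auditctl accepts 'always,exit' and 'exit,always' alike
            action_list = frozenset(arg.split(","))
        elif opt == "-S":
            syscalls.update(arg.split(","))   # '-S a,b' == '-S a -S b'
        elif opt == "-F":
            fields.append(arg)
        elif opt == "-k":
            fields.append("key=" + arg)       # '-k x' is shorthand for '-F key=x'
        else:
            raise ValueError("unsupported option %r in: %s" % (opt, line))
        i += 2
    return (action_list, frozenset(syscalls), tuple(fields))


def find_duplicate_rules(text):
    """Return [(first_line, duplicate_line), ...] for rules that repeat an earlier one.

    Line numbers are 1-based positions in `text`, the same numbering auditctl
    uses in 'There was an error in line N of /etc/audit/audit.rules'.
    """
    first_seen = {}
    duplicates = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        canon = canonical_rule(line)
        if canon is None:
            continue
        if canon in first_seen:
            duplicates.append((first_seen[canon], lineno))
        else:
            first_seen[canon] = lineno
    return duplicates


# Constructed sample modelled on the rules file quoted in the thread (not the
# real file). Lines 5 and 8 mirror the thread's lines 58 and 65; lines 6 and 7
# differ only in their key and therefore are distinct rules; line 9 restates
# line 4 with the action order swapped and the syscalls comma-separated.
SAMPLE_RULES = """\
# constructed sample, not the real file
-D
-b 8192
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a exit,always -F arch=b32 -S rmdir,unlink,unlinkat,rename,renameat -F auid=0 -k delete
"""


def main(argv):
    """Check the file named on the command line, or the built-in sample."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RULES
    dups = find_duplicate_rules(text)
    for first, dup in dups:
        print("line %d duplicates line %d" % (dup, first))
    return 1 if dups else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 audit_dupes.py /etc/audit/audit.rules` (any file name works; that path is the one from the thread) before a Puppet-managed rules file is pushed; a non-zero exit marks the file for fixing. On the sample it reports line 8 as a duplicate of line 5 and line 9 as a duplicate of line 4, while lines 6 and 7 pass because a different key makes a different rule. The check is deliberately narrow: it catches only rules the assumptions above make identical, and says nothing about rules that merely overlap.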
Thread overview: 4+ messages
2017-11-10 18:32 Problem with syntax? warron.french
2017-11-13 20:12 ` Steve Grubb
2017-11-14 1:12 ` warron.french
2017-11-14 1:35 ` Steve Grubb [this message]