From: Steve Grubb <sgrubb@redhat.com>
To: Linux Audit <linux-audit@redhat.com>
Subject: Re: No more report of quantity of rules successfully loaded
Date: Wed, 24 May 2023 10:42:04 -0400
Message-ID: <4811240.GXAFRqVoOG@x2>
In-Reply-To: <CAJdJdQnpmK3uN7R_CNQs3+HdLKfswgQpqT95+O0_Bawc7zMKHw@mail.gmail.com>
Hello Warron,
On Tuesday, May 23, 2023 7:12:07 PM EDT warron.french wrote:
> Hi, I am running auditd-3.0.7-4 on an Alma Linux v8.8.
>
> I know that for all of RHEL 6 and RHEL 7 variants that I worked with, to
> include CentOS (not Stream) that after I rebooted a server or restarted the
> auditd service (with -e 1 set) that I would 100% of the time get a report
> in /var/log/messages about the quantity of rules that successfully loaded.
It has never done that unless someone else has a patch they did not send
upstream.
> I could compare that to my unified rules file
> (/etc/audit/rules.d/Unified.rules - for a reference) and strip out the
> typical for auditd Control rules (-D, -e 1, -f 1, -b, -r, for example) and
> then assess if I had the full set of files loaded or not.
>
> With this implementation of auditd, on version 3.0.7-4, I am not getting
> those results anymore.
> Am I looking in the wrong place, because for me this is important
> information?
It has never done that. auditctl -D gives the output of auditctl -s as a
convenience. But auditctl -s has never reported how many rules are loaded. I
don't think the kernel has a counter. It has a variable for if any rules are
loaded, but not the quantity.
> Yes, I know that I can also manually execute "auditctl -l | wc -l" and get
> that information too, but I was wondering if this is planned or if I am
> looking in the wrong place, or what to do.
It has never done that and is not planned.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
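
The comparison discussed in this thread (rule lines in the rules file versus what "auditctl -l" lists), as an added example that is not part of the original messages or of the audit project's code. The function names and sample data are constructed for illustration; it assumes one rule per line in the rules file.

```sh
#!/bin/sh
# Added example: compare the rules a rules file should load with the rules
# that `auditctl -l` reports as loaded.

# Count rule lines on stdin. Only -a/-A (syscall and filter rules) and -w
# (watches) become kernel rules; comments, blank lines and control options
# such as -D, -e 1, -f 1, -b and -r are skipped.
count_expected_rules() {
    awk '$1 == "-a" || $1 == "-A" || $1 == "-w" { n++ } END { print n + 0 }'
}

# Count rules in `auditctl -l` output on stdin. An empty rule set prints the
# single line "No rules", which a plain `wc -l` would count as one rule.
count_loaded_rules() {
    awk '$0 == "No rules" { next } NF { n++ } END { print n + 0 }'
}

# Print a one-line verdict; return non-zero when the counts differ.
compare_counts() {
    if [ "$1" -eq "$2" ]; then
        echo "audit rules OK: $2 of $1 loaded"
    else
        echo "audit rules MISMATCH: $2 of $1 loaded"
        return 1
    fi
}

# Constructed sample rules file: four control lines, three rules.
SAMPLE_RULES='## constructed sample
-D
-b 8192
-f 1
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
-e 1'

# Constructed sample of `auditctl -l` output with one rule missing.
SAMPLE_LISTING='-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity'

expected=$(printf '%s\n' "$SAMPLE_RULES" | count_expected_rules)
loaded=$(printf '%s\n' "$SAMPLE_LISTING" | count_loaded_rules)
compare_counts "$expected" "$loaded" || true

# On a live host (as root), with the verdict sent to syslog:
#   expected=$(count_expected_rules < /etc/audit/rules.d/Unified.rules)
#   loaded=$(auditctl -l | count_loaded_rules)
#   compare_counts "$expected" "$loaded" | logger -t audit-rules
```

Run after auditd has started (for example from a systemd unit ordered after auditd.service), a mismatch line in syslog indicates that at least one rule from the file was rejected or not loaded.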