* Duplicate settings?
From: Leam Hall @ 2020-01-20 14:24 UTC
To: linux-audit

If /etc/audit/auditd.conf encounters conflicting duplicate settings,
what happens? Takes the first, takes the last, or what? For example:

space_left = 25
space_left = 100

Thanks!

* Re: Duplicate settings?
From: Steve Grubb @ 2020-01-20 14:37 UTC
To: linux-audit; +Cc: Leam Hall

On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
> what happens? Takes the first, takes the last, or what? For example:
>
> space_left = 25
> space_left = 100

It overwrites the first value with the second one. You can also run:

# service auditd state

to see what the current value is if your audit daemon is somewhat recent.

-Steve

* Re: Duplicate settings?
From: Leam Hall @ 2020-01-20 15:00 UTC
To: linux-audit

On 1/20/20 9:37 AM, Steve Grubb wrote:
> On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
>> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
>> what happens? Takes the first, takes the last, or what? For example:
>>
>> space_left = 25
>> space_left = 100
>
> It overwrites the first value with the second one. You can also run:
>
> # service auditd state
>
> to see what the current value is if your audit daemon is somewhat recent.

Hey Steve, thanks! We're on the default RHEL/CentOS 7 auditd, and
"state" doesn't show space_left.

Leam

* Re: Duplicate settings?
From: Steve Grubb @ 2020-01-20 15:23 UTC
To: linux-audit; +Cc: Leam Hall

On Monday, January 20, 2020 10:00:06 AM EST Leam Hall wrote:
> On 1/20/20 9:37 AM, Steve Grubb wrote:
> > On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
> >> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
> >>
> >> what happens? Takes the first, takes the last, or what? For example:
> >> space_left = 25
> >> space_left = 100
> >
> > It overwrites the first value with the second one. You can also run:
> >
> > # service auditd state
> >
> > to see what the current value is if your audit daemon is somewhat recent.
>
> Hey Steve, thanks! We're on the default RHEL/CentOS 7 auditd, and
> "state" doesn't show space_left.

2.8.5 and later should have it. You have to be in daemon mode and write_logs
enabled.

-Steve

* Re: Duplicate settings?
From: Leam Hall @ 2020-01-20 15:04 UTC
To: linux-audit

On 1/20/20 9:37 AM, Steve Grubb wrote:
> On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
>> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
>> what happens? Takes the first, takes the last, or what? For example:
>>
>> space_left = 25
>> space_left = 100
>
> It overwrites the first value with the second one. You can also run:
>
> # service auditd state
>
> to see what the current value is if your audit daemon is somewhat recent.
>
> -Steve

Hey Steve, a follow up. Is the man page for auditd.conf wrong? My auditd
failed to start when giving space_left with a '%' sign.

space_left
    This is a numeric value in megabytes that tells the audit daemon
    when to perform a configurable action because the system is starting
    to run low on disk space. You may also append a percent sign (e.g. 5%)
    to the number to have the audit daemon calculate the number based on
    the disk partition size.

Thanks!

Leam

* Re: Duplicate settings?
From: Steve Grubb @ 2020-01-20 15:14 UTC
To: linux-audit; +Cc: Leam Hall

On Monday, January 20, 2020 10:04:24 AM EST Leam Hall wrote:
> On 1/20/20 9:37 AM, Steve Grubb wrote:
> > On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
> >> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
> >> what happens? Takes the first, takes the last, or what? For example:
> >>
> >> space_left = 25
> >> space_left = 100
> >
> > It overwrites the first value with the second one. You can also run:
> >
> > # service auditd state
> >
> > to see what the current value is if your audit daemon is somewhat recent.
> >
> > -Steve
>
> Hey Steve, a follow up. Is the man page for auditd.conf wrong? My auditd
> failed to start when giving space_left with a '%' sign.

Usually it writes the reason why in syslog. Does it say anything there?

-Steve

* Re: Duplicate settings?
From: Leam Hall @ 2020-01-20 15:19 UTC
To: linux-audit

On 1/20/20 10:14 AM, Steve Grubb wrote:
> On Monday, January 20, 2020 10:04:24 AM EST Leam Hall wrote:
>> On 1/20/20 9:37 AM, Steve Grubb wrote:
>>> On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
>>>> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
>>>> what happens? Takes the first, takes the last, or what? For example:
>>>>
>>>> space_left = 25
>>>> space_left = 100
>>>
>>> It overwrites the first value with the second one. You can also run:
>>>
>>> # service auditd state
>>>
>>> to see what the current value is if your audit daemon is somewhat recent.
>>>
>>> -Steve
>>
>> Hey Steve, a follow up. Is the man page for auditd.conf wrong? My auditd
>> failed to start when giving space_left with a '%' sign.
>
> Usually it writes the reason why in syslog. Does it say anything there?
>
> -Steve

I don't grok systemd, so here's the whole response:

Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2020-01-20 09:27:37 EST; 19min ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 2695 ExecStart=/sbin/auditd (code=exited, status=6)

Jan 20 09:27:36 leam_c7 systemd[1]: Starting Security Auditing Service...
Jan 20 09:27:37 leam_c7 auditd[2695]: Value 25% should only be numbers - line 20
Jan 20 09:27:37 leam_c7 auditd[2695]: The audit daemon is exiting.
Jan 20 09:27:37 leam_c7 systemd[1]: auditd.service: control process exited, code=exited status=6
Jan 20 09:27:37 leam_c7 systemd[1]: Failed to start Security Auditing Service.
Jan 20 09:27:37 leam_c7 systemd[1]: Unit auditd.service entered failed state.
Jan 20 09:27:37 leam_c7 systemd[1]: auditd.service failed.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

* Re: Duplicate settings?
From: Steve Grubb @ 2020-01-20 15:28 UTC
To: linux-audit; +Cc: Leam Hall

On Monday, January 20, 2020 10:19:59 AM EST Leam Hall wrote:
> On 1/20/20 10:14 AM, Steve Grubb wrote:
> > On Monday, January 20, 2020 10:04:24 AM EST Leam Hall wrote:
> >> On 1/20/20 9:37 AM, Steve Grubb wrote:
> >>> On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
> >>>> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
> >>>> what happens? Takes the first, takes the last, or what? For example:
> >>>>
> >>>> space_left = 25
> >>>> space_left = 100
> >>>
> >>> It overwrites the first value with the second one. You can also run:
> >>>
> >>> # service auditd state
> >>>
> >>> to see what the current value is if your audit daemon is somewhat
> >>> recent.
> >>
> >> Hey Steve, a follow up. Is the man page for auditd.conf wrong? My auditd
> >> failed to start when giving space_left with a '%' sign.
> >
> > Usually it writes the reason why in syslog. Does it say anything there?
>
> I don't grok systemd, so here's the whole response:
>
> Redirecting to /bin/systemctl status auditd.service
> ● auditd.service - Security Auditing Service
> Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled;
> vendor preset: enabled)
> Active: failed (Result: exit-code) since Mon 2020-01-20 09:27:37
> EST; 19min ago
> Docs: man:auditd(8)
> https://github.com/linux-audit/audit-documentation
> Process: 2695 ExecStart=/sbin/auditd (code=exited, status=6)
>
> Jan 20 09:27:36 leam_c7 systemd[1]: Starting Security Auditing Service...
> Jan 20 09:27:37 leam_c7 auditd[2695]: Value 25% should only be numbers -
> line 20

The issue is here ^^^ To use percentages, you have to be on 2.8.5 or later.

-Steve

* Re: Duplicate settings?
From: Leam Hall @ 2020-01-20 15:38 UTC
To: linux-audit

On 1/20/20 10:28 AM, Steve Grubb wrote:
> On Monday, January 20, 2020 10:19:59 AM EST Leam Hall wrote:
>> On 1/20/20 10:14 AM, Steve Grubb wrote:
>>> On Monday, January 20, 2020 10:04:24 AM EST Leam Hall wrote:
>>>> On 1/20/20 9:37 AM, Steve Grubb wrote:
>>>>> On Monday, January 20, 2020 9:24:56 AM EST Leam Hall wrote:
>>>>>> If /etc/audit/auditd.conf encounters conflicting duplicate settings,
>>>>>> what happens? Takes the first, takes the last, or what? For example:
>>>>>>
>>>>>> space_left = 25
>>>>>> space_left = 100
>>>>>
>>>>> It overwrites the first value with the second one. You can also run:
>>>>>
>>>>> # service auditd state
>>>>>
>>>>> to see what the current value is if your audit daemon is somewhat
>>>>> recent.
>>>>
>>>> Hey Steve, a follow up. Is the man page for auditd.conf wrong? My auditd
>>>> failed to start when giving space_left with a '%' sign.
>>>
>>> Usually it writes the reason why in syslog. Does it say anything there?
>>
>> I don't grok systemd, so here's the whole response:
>>
>> Redirecting to /bin/systemctl status auditd.service
>> ● auditd.service - Security Auditing Service
>> Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled;
>> vendor preset: enabled)
>> Active: failed (Result: exit-code) since Mon 2020-01-20 09:27:37
>> EST; 19min ago
>> Docs: man:auditd(8)
>> https://github.com/linux-audit/audit-documentation
>> Process: 2695 ExecStart=/sbin/auditd (code=exited, status=6)
>>
>> Jan 20 09:27:36 leam_c7 systemd[1]: Starting Security Auditing Service...
>> Jan 20 09:27:37 leam_c7 auditd[2695]: Value 25% should only be numbers -
>> line 20
>
> The issue is here ^^^ To use percentages, you have to be on 2.8.5 or later.

Ah, gotcha! I was using a rebuildable VM for testing, and hadn't updated.
Thanks!

Leam
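
Added example, not part of the thread and not code from the audit project: a small linter that applies the two behaviours described above to the text of an auditd.conf, reporting duplicate keywords together with the value that wins (the later one) and any space_left percentage when the installed auditd is older than 2.8.5. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration, modelled on the settings in the thread.
SAMPLE_CONF = """\
# constructed auditd.conf fragment
log_file = /var/log/audit/audit.log
space_left = 25
space_left_action = SYSLOG
space_left = 25%
"""
# Per the thread: a percentage for space_left needs auditd 2.8.5 or later.
PERCENT_MIN_VERSION = (2, 8, 5)


def parse_version(text):
    """Turn '2.8.4' or a package string like '2.8.4-4.el7' into (2, 8, 4)."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def lint_auditd_conf(text, auditd_version):
    """Return (effective, findings); effective maps keyword -> (value, line_no)
    of its last occurrence, findings holds (line_no, kind, detail) tuples."""
    old_daemon = parse_version(auditd_version) < PERCENT_MIN_VERSION
    effective, findings = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            findings.append((line_no, "malformed", line))
            continue
        if key in effective:
            prev_value, prev_line = effective[key]
            findings.append((line_no, "duplicate",
                             f"{key}={value} overrides {prev_value} from line {prev_line}"))
        # Checked on every line, not only the winning one (an assumption drawn
        # from the log in the thread, which names the offending line number).
        if key == "space_left" and value.endswith("%") and old_daemon:
            findings.append((line_no, "unsupported",
                             f"{value} needs auditd 2.8.5+, found {auditd_version}"))
        effective[key] = (value, line_no)
    return effective, findings


if __name__ == "__main__":
    effective, findings = lint_auditd_conf(SAMPLE_CONF, "2.8.4")
    print(effective["space_left"], findings)
```

Pass the daemon version reported by the package manager as the second argument; a release suffix such as `-4.el7` is ignored.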