linux-audit.redhat.com archive mirror
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Problem with syntax?
Date: Mon, 13 Nov 2017 15:12:15 -0500	[thread overview]
Message-ID: <16606080.Ig7GXE9VV7@x2> (raw)
In-Reply-To: <CAJdJdQnr-yQu8xtizeoYQeHUzwcALJ98i=G-M8Pf20Y0XpDc7Q@mail.gmail.com>

On Friday, November 10, 2017 1:32:34 PM EST warron.french wrote:
> Steve, can you help me with this please?
> Somehow this slipped past our QA process, but I have an error popping up in
> /var/log/boot.log indicating:
> 
>  28 Starting auditd: [  OK  ]
>  29 Error sending add rule data request (Rule exists)
>  30 There was an error in line 65 of /etc/audit/audit.rules
> 
> Lines 28-30 are the only range of line numbers indicating a problem in the
> boot.log.
> 
> I will post a copy of the /etc/audit/audit.rules (for my RHEL6 system)
> below (with line numbers included for navigation):
>  1 # This file managed by puppet module: osconfig_eita_mgmt
>  2 # DO NOT ALTER outside of the Puppet Framework.
>  3 #
>  4 #
>  5 # First rule - delete all
>  6 -D
>  7 # Increase the buffers to survive stress events.
>  8 # Make this bigger for busy systems
>  9 -b 8192
> 10 # PANIC on audit failure
> 11 -f 2
> 12 #
> 13 # ACTION (-a) Rules
> 14 # Filters out noisy cron related messages
> 15 -a never,user -F subj_type=crond_t
> 16 #
> 17 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
> 18 -a always,exit -F arch=b32 -S adjtimex -S stime -S settimeofday -S clock_settime -k audit_time_rules
> 19 -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
> 20 -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
> 21 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid=0 -k perm_mod
> 22 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
> 23 -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
> 24 -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
> 25 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod
> 26 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> 27 -a always,exit -F arch=b32 -S clock_settime -k time-change
> 28 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
> 29 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
> 30 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access
> 31 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
> 32 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
> 33 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
> 34 -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
> 35 -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
> 36 -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
> 37 -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
> 38 -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
> 39 -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
> 40 -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
> 41 -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> 42 -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
> 43 -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 44 -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
> 45 -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 46 -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
> 47 -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
> 48 -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> 49 -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
> 50 -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 51 -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
> 52 -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 53 -a always,exit -F arch=b32 -S mount -F auid=0 -k export
> 54 -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
> 55 -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
> 56 -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 57 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
> 58 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
> 59 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
> 60 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
> 61 -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
> 62 -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 63 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod
> 64 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 65 -a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
> 
> I noticed that lines 58 and 65 seem to be "duplicates" although the syntax
> has some elements swapped.
> 
> So, what I don't understand is why is line #58 OK, if line #65 is not?

Both have correct syntax.

> Are lines of "duplicate syntax" not legal?

Nope. The kernel prevents multiple copies of the same rule. Even though the 
syscalls are in a different order, fundamentally they are the same. The 
syscalls get mapped into a bit mask and that is what is sent to the kernel. 
So, the syscalls can be in complete reverse order but will result in the same 
bit mask.

-Steve
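Steve's explanation suggests a pre-deployment check that applies the kernel's own notion of "same rule" before auditd ever loads the file, so the "Rule exists" error surfaces in QA rather than in boot.log. The Python script below is an added example; it is not part of this thread and not code from the audit package. It treats the -S names as an order-insensitive set (the text-side equivalent of the kernel bitmask, valid because the arch filter is also part of the comparison), keeps -F fields in their textual order on the assumption that the kernel compares fields positionally, and treats -k as the key filter field, so rules that differ only in their key are not reported. The embedded sample is a constructed excerpt of the posted file whose last two lines are rules 58 and 65.

```python
"""Pre-flight duplicate check for an audit.rules file (added example).

The kernel rejects a second copy of a rule with "Rule exists".  Its notion of
"same rule" is: same filter list and action, same filter fields in the same
order, and the same syscall bitmask.  Because the -S names are folded into a
bitmask, their textual order is irrelevant; a frozenset of the names gives the
same equivalence once the arch field is part of the comparison.  Field order
is assumed to matter (positional comparison), so rules that differ only in
-F order are deliberately NOT reported as duplicates.
"""
import shlex
import sys
from collections import namedtuple

# Constructed excerpt of the file from the mail; the last two lines are the
# posted rules 58 and 65, which differ only in -S order.
SAMPLE_RULES = """\
-D
-b 8192
-f 2
-a never,user -F subj_type=crond_t
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
"""

# action_list: frozenset of the two -a words (auditctl accepts either order)
# fields:      tuple of -F/-C/-k arguments in textual order (assumed positional)
# syscalls:    frozenset of -S names, standing in for the kernel bitmask
RuleKey = namedtuple("RuleKey", "action_list fields syscalls")


def canonical_key(rule_line):
    """Return the kernel-style comparison key for one '-a' syscall rule.

    Returns None for lines that do not add a syscall rule (comments, blank
    lines, -D, -b, -f, -e and -w watch rules) so callers can skip them.
    """
    toks = shlex.split(rule_line, comments=True)
    if not toks or toks[0] != "-a":
        return None
    action_list, fields, syscalls = None, [], set()
    i = 0
    while i < len(toks):
        opt = toks[i]
        if i + 1 >= len(toks):
            raise ValueError("option %s is missing its argument: %r" % (opt, rule_line))
        arg = toks[i + 1]
        if opt == "-a":
            action_list = frozenset(arg.split(","))
        elif opt == "-S":
            syscalls.update(arg.split(","))  # auditctl also accepts -S a,b,c
        elif opt == "-F":
            fields.append(arg)               # operator and value stay in the string
        elif opt == "-C":
            fields.append("compare:" + arg)
        elif opt == "-k":
            fields.append("key=" + arg)      # -k is the key filter field
        else:
            raise ValueError("unsupported option %s in rule: %r" % (opt, rule_line))
        i += 2
    return RuleKey(action_list, tuple(fields), frozenset(syscalls))


def find_duplicate_rules(text):
    """Return [(first_line_no, duplicate_line_no), ...] for rules the kernel
    would refuse as 'Rule exists'.  Line numbers are 1-based and count every
    line of the text, so they match what auditctl reports."""
    first_seen, duplicates = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        key = canonical_key(line)
        if key is None:
            continue
        if key in first_seen:
            duplicates.append((first_seen[key], lineno))
        else:
            first_seen[key] = lineno
    return duplicates


if __name__ == "__main__":
    # Usage: python audit_rule_lint.py [/etc/audit/audit.rules]; with no
    # argument the constructed sample above is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for first, dup in find_duplicate_rules(text):
        print("line %d duplicates line %d (kernel would report 'Rule exists')" % (dup, first))
```

Run against the sample, the script reports that line 9 (rule 65) duplicates line 8 (rule 58): the first copy loads, the second is what the kernel refuses, which is exactly why 58 is "OK" and 65 is not. Lines 6 and 7 of the sample (rules 59 and 60) share their syscalls but carry different keys, and the key is a filter field, so they are not duplicates.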

Thread overview: 4+ messages
2017-11-10 18:32 Problem with syntax? warron.french
2017-11-13 20:12 ` Steve Grubb [this message]
2017-11-14  1:12   ` warron.french
2017-11-14  1:35     ` Steve Grubb
