public inbox for linux-audit@redhat.com
* "Error sending add rule request" using 1.5.4
@ 2008-01-09 19:01 Brennan, William C
  2008-01-09 19:13 ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Brennan, William C @ 2008-01-09 19:01 UTC
  To: linux-audit


I'm attempting to use the auditd package (1.5.4) as supplied downstream
in the Ubuntu distribution.  I'm encountering a problem (as a few others
are as well, Ubuntu bug #140784) in that we can't get auditctl to
successfully handle any new rules.  For me, this version of auditd has
not worked at all.  I'm only newly acquainted with auditd, so this has
been my only experience.

For example, entering at the command line (taken from the man page):

  auditctl -a exit,always -S open -F success!=0

results in the response

  Error sending add rule request (Invalid argument)

I tried adding other possible rules via auditctl, and all attempts cause
this response.

Apparently no one using Red Hat is having this problem (i.e., no
complaints on this list), which suggests that perhaps the problem is a
package dependency problem within Ubuntu, but that's just a guess.

Can someone offer any help or suggestions as to what may be causing this
problem for Ubuntu users, and what we might do to fix it?  (I also tried
updating to version 1.6.4, which also failed the same way.)

Thanks for any light you can shed!

-- Bill Brennan

* Re: "Error sending add rule request" using 1.5.4
  2008-01-09 19:01 "Error sending add rule request" using 1.5.4 Brennan, William C
@ 2008-01-09 19:13 ` Steve Grubb
  2008-01-09 19:37   ` Mathias Gug
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2008-01-09 19:13 UTC
  To: linux-audit

On Wednesday 09 January 2008 14:01:39 Brennan, William C wrote:
> I'm attempting to use the auditd package (1.5.4) as supplied downstream
> in the Ubuntu distribution.  I'm encountering a problem (as a few others
> are as well, Ubuntu bug #140784) in that we can't get auditctl to
> successfully handle any new rules.  For me, this version of auditd has
> not worked at all.

I'd start with asking if the kernel supports auditing. Auditctl has no 
dependencies on anything in userspace aside from a normal glibc.

-Steve

* Re: "Error sending add rule request" using 1.5.4
  2008-01-09 19:13 ` Steve Grubb
@ 2008-01-09 19:37   ` Mathias Gug
  2008-01-09 20:20     ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Mathias Gug @ 2008-01-09 19:37 UTC
  To: linux-audit


On Wed, Jan 09, 2008 at 02:13:57PM -0500, Steve Grubb wrote:
> On Wednesday 09 January 2008 14:01:39 Brennan, William C wrote:
> I'd start with asking if the kernel supports auditing. Auditctl has no 
> dependencies on anything in userspace aside from a normal glibc.
> 

The kernel configuration is the following:

~$ grep -i audit /boot/config-2.6.22-14-generic 
CONFIG_AUDIT=y
# CONFIG_AUDITSYSCALL is not set
CONFIG_AUDIT_ARCH=y

Is there another option that should be set ?

--
Mathias

* Re: "Error sending add rule request" using 1.5.4
  2008-01-09 19:37   ` Mathias Gug
@ 2008-01-09 20:20     ` Steve Grubb
  2008-01-10 22:15       ` Brennan, William C
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2008-01-09 20:20 UTC
  To: linux-audit

On Wednesday 09 January 2008 14:37:29 Mathias Gug wrote:
> On Wed, Jan 09, 2008 at 02:13:57PM -0500, Steve Grubb wrote:
> > On Wednesday 09 January 2008 14:01:39 Brennan, William C wrote:
> > I'd start with asking if the kernel supports auditing. Auditctl has no
> > dependencies on anything in userspace aside from a normal glibc.
>
> The kernel configuration is the following:
>
> ~$ grep -i audit /boot/config-2.6.22-14-generic
> CONFIG_AUDIT=y
> # CONFIG_AUDITSYSCALL is not set

^^^^^^^ Set this

> CONFIG_AUDIT_ARCH=y
>
> Is there another option that should be set ?

-Steve

* RE: "Error sending add rule request" using 1.5.4
  2008-01-09 20:20     ` Steve Grubb
@ 2008-01-10 22:15       ` Brennan, William C
  0 siblings, 0 replies; 5+ messages in thread
From: Brennan, William C @ 2008-01-10 22:15 UTC
  To: linux-audit

Okay, so I edited the kernel configuration to enable system call
auditing, as suggested in the posting by Steve Grubb. Then I recompiled
the kernel and installed it.

To my delight, the problems went away and "auditctl" now seems to work.

Thanks Steve!

-- Bill
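
Added example, not part of any message in this thread: a shell check that reads a kernel config file and reports whether the two audit options discussed above are enabled. The function names and state strings are made up for illustration; the sample input is constructed from the three config lines quoted in the thread.

```shell
#!/bin/sh
# Added example: classify a kernel config by its audit options.

# kconfig_value FILE OPTION -> prints the value (y/m/...), "n" when the
# option is explicitly "is not set", or "absent" when it is not mentioned.
kconfig_value() {
    file=$1 opt=$2
    line=$(grep -E "^${opt}=" "$file" | head -n 1)
    if [ -n "$line" ]; then
        printf '%s\n' "${line#*=}"
    elif grep -Eq "^# ${opt} is not set" "$file"; then
        echo n
    else
        echo absent
    fi
}

# audit_kconfig_state FILE -> no-audit | no-syscall-audit | syscall-rules-ok
audit_kconfig_state() {
    audit=$(kconfig_value "$1" CONFIG_AUDIT)
    syscall=$(kconfig_value "$1" CONFIG_AUDITSYSCALL)
    if [ "$audit" != y ]; then
        echo no-audit
    elif [ "$syscall" != y ]; then
        # The state reported in the thread: auditctl answered
        # "Error sending add rule request (Invalid argument)".
        echo no-syscall-audit
    else
        echo syscall-rules-ok
    fi
}

# Constructed sample: the lines quoted for /boot/config-2.6.22-14-generic.
sample_config() {
    cat <<'EOF'
CONFIG_AUDIT=y
# CONFIG_AUDITSYSCALL is not set
CONFIG_AUDIT_ARCH=y
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
echo "sample config: $(audit_kconfig_state "$tmp")"
rm -f "$tmp"
```

To check a running system, call `audit_kconfig_state "/boot/config-$(uname -r)"` before loading rules with auditctl.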
