From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Brennan, William C"
Subject: "Error sending add rule request" using 1.5.4
Date: Wed, 09 Jan 2008 14:01:39 -0500
Message-ID: <249DC7180F301445BCA2E01EAAFDF40908C47636@emss04m05.us.lmco.com>
To: linux-audit@redhat.com

I'm attempting to use the auditd package (1.5.4) as supplied downstream
in the Ubuntu distribution. I'm encountering a problem (as a few others
are as well, Ubuntu bug #140784) in that we can't get auditctl to
successfully handle any new rules. For me, this version of auditd has
not worked at all. I'm only newly acquainted with auditd, so this has
been my only experience.

For example, entering at the command line (taken from the man page):

  auditctl -a exit,always -S open -F success!=0

results in the response

  Error sending add rule request (Invalid argument)

I tried adding other possible rules via auditctl, and all attempts cause
this response.

Apparently no one using Red Hat is having this problem (i.e., no
complaints on this list), which suggests that perhaps the problem is a
package dependency problem within Ubuntu, but that's just a guess.

Can someone offer any help or suggestions as to what may be causing this
problem for Ubuntu users, and what we might do to fix it? (I also tried
updating to version 1.6.4, which also failed the same way.)

Thanks for any light you can shed!

-- Bill Brennan

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: "Error sending add rule request" using 1.5.4
Date: Wed, 9 Jan 2008 14:13:57 -0500
Message-ID: <200801091413.58124.sgrubb@redhat.com>
In-Reply-To: <249DC7180F301445BCA2E01EAAFDF40908C47636@emss04m05.us.lmco.com>
To: linux-audit@redhat.com

On Wednesday 09 January 2008 14:01:39 Brennan, William C wrote:
> I'm attempting to use the auditd package (1.5.4) as supplied downstream
> in the Ubuntu distribution.  I'm encountering a problem (as a few others
> are as well, Ubuntu bug #140784) in that we can't get auditctl to
> successfully handle any new rules.  For me, this version of auditd has
> not worked at all.

I'd start with asking if the kernel supports auditing. Auditctl has no
dependencies on anything in userspace aside from a normal glibc.

-Steve

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mathias Gug
Subject: Re: "Error sending add rule request" using 1.5.4
Date: Wed, 9 Jan 2008 14:37:29 -0500
Message-ID: <20080109193728.GC6887@mathiaz.mathiaz.net>
In-Reply-To: <200801091413.58124.sgrubb@redhat.com>
To: linux-audit@redhat.com

On Wed, Jan 09, 2008 at 02:13:57PM -0500, Steve Grubb wrote:
> On Wednesday 09 January 2008 14:01:39 Brennan, William C wrote:
> I'd start with asking if the kernel supports auditing. Auditctl has no
> dependencies on anything in userspace aside from a normal glibc.
>

The kernel configuration is the following:

~$ grep -i audit /boot/config-2.6.22-14-generic
CONFIG_AUDIT=y
# CONFIG_AUDITSYSCALL is not set
CONFIG_AUDIT_ARCH=y

Is there another option that should be set?

-- Mathias

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: "Error sending add rule request" using 1.5.4
Date: Wed, 9 Jan 2008 15:20:13 -0500
Message-ID: <200801091520.14041.sgrubb@redhat.com>
In-Reply-To: <20080109193728.GC6887@mathiaz.mathiaz.net>
To: linux-audit@redhat.com

On Wednesday 09 January 2008 14:37:29 Mathias Gug wrote:
> On Wed, Jan 09, 2008 at 02:13:57PM -0500, Steve Grubb wrote:
> > On Wednesday 09 January 2008 14:01:39 Brennan, William C wrote:
> > I'd start with asking if the kernel supports auditing. Auditctl has no
> > dependencies on anything in userspace aside from a normal glibc.
>
> The kernel configuration is the following:
>
> ~$ grep -i audit /boot/config-2.6.22-14-generic
> CONFIG_AUDIT=y
> # CONFIG_AUDITSYSCALL is not set

^^^^^^^ Set this

> CONFIG_AUDIT_ARCH=y
>
> Is there another option that should be set?

-Steve

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Brennan, William C"
Subject: RE: "Error sending add rule request" using 1.5.4
Date: Thu, 10 Jan 2008 17:15:28 -0500
Message-ID: <249DC7180F301445BCA2E01EAAFDF40908CE9C9E@emss04m05.us.lmco.com>
In-Reply-To: <200801091520.14041.sgrubb@redhat.com>
To: linux-audit@redhat.com

Okay, so I edited the kernel configuration to enable system call
auditing, as suggested in the posting by Steve Grubb. Then I recompiled
the kernel and installed it. To my delight, the problems went away and
"auditctl" now seems to work. Thanks Steve!

-- Bill
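
The kernel-config check worked through in this thread, written out as an added example (it is not code from any poster or from the audit project): a POSIX sh function that reads a kernel build config and reports whether syscall audit rules can be loaded. The function names and verdict strings are assumptions made for illustration, and the sample config is constructed from the three lines Mathias Gug posted.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a kernel build config as
#   full        CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=y
#   no-syscall  CONFIG_AUDIT=y only: the state reported in the thread, where
#               auditctl answered "Error sending add rule request (Invalid argument)"
#   none        CONFIG_AUDIT is not enabled

# kconfig_value FILE OPTION: print the option's value, or "n" when the option
# is absent or appears only as "# OPTION is not set".
kconfig_value() {
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'n\n'; fi
}

# audit_kernel_support FILE: print a verdict; exit status 0 only for "full".
audit_kernel_support() {
    if [ ! -r "$1" ]; then echo "unreadable"; return 2; fi
    if [ "$(kconfig_value "$1" CONFIG_AUDIT)" != y ]; then
        echo "none"; return 1
    fi
    if [ "$(kconfig_value "$1" CONFIG_AUDITSYSCALL)" != y ]; then
        echo "no-syscall"; return 1
    fi
    echo "full"
}

# write_sample_config FILE: constructed sample, same lines as quoted in the thread.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_AUDIT=y
# CONFIG_AUDITSYSCALL is not set
CONFIG_AUDIT_ARCH=y
EOF
}

# Check the file given as $1, e.g. /boot/config-$(uname -r); with no argument,
# run against the constructed sample so the script works offline.
tmp=
cfg=${1:-}
if [ -z "$cfg" ]; then
    tmp=$(mktemp); cfg=$tmp
    write_sample_config "$cfg"
fi
verdict=$(audit_kernel_support "$cfg") || true
echo "$cfg: $verdict"
if [ -n "$tmp" ]; then rm -f "$tmp"; fi
```
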