From: Steve Grubb <sgrubb@redhat.com>
To: "warron.french" <warron.french@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: Problem with syntax?
Date: Mon, 13 Nov 2017 20:35:36 -0500
Message-ID: <2392328.eNv5bkhLPz@x2>
In-Reply-To: <CAJdJdQkCeQNhsU319yxpOqyd-b9bEH+DCcEwtA2GpYqh2TkuHA@mail.gmail.com>
On Monday, November 13, 2017 8:12:44 PM EST warron.french wrote:
> So, I wonder why I am having a problem on line #65 then.
Because it's a duplicate of 58.
> Or does the error actually mean after line 65?
Nope. It means 65. Just delete one or the other and you should be fine.
-Steve
> On Mon, Nov 13, 2017 at 3:12 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Friday, November 10, 2017 1:32:34 PM EST warron.french wrote:
> > > Steve, can you help me with this please?
> > > Somehow this slipped past our QA process, but I have an error popping up
> > > in /var/log/boot.log indicating:
> > >
> > > 28 Starting auditd: [  OK  ]
> > > 29 Error sending add rule data request (Rule exists)
> > > 30 There was an error in line 65 of /etc/audit/audit.rules
> > >
> > > Lines 28-30 are the only range of line numbers indicating a problem in
> > > the boot.log.
> > >
> > > I will post a copy of the /etc/audit/audit.rules (for my RHEL6 system)
> > > below (with line numbers included for navigation):
> > > 1 # This file managed by puppet module: osconfig_eita_mgmt
> > > 2 # DO NOT ALTER outside of the Puppet Framework.
> > > 3 #
> > > 4 #
> > > 5 # First rule - delete all
> > > 6 -D
> > > 7 # Increase the buffers to survive stress events.
> > > 8 # Make this bigger for busy systems
> > > 9 -b 8192
> > > 10 # PANIC on audit failure
> > > 11 -f 2
> > > 12 #
> > > 13 # ACTION (-a) Rules
> > > 14 # Filters out noisy cron related messages
> > > 15 -a never,user -F subj_type=crond_t
> > > 16 #
> > > 17 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
> > > 18 -a always,exit -F arch=b32 -S adjtimex -S stime -S settimeofday -S clock_settime -k audit_time_rules
> > > 19 -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
> > > 20 -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 21 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid=0 -k perm_mod
> > > 22 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 23 -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
> > > 24 -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 25 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod
> > > 26 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 27 -a always,exit -F arch=b32 -S clock_settime -k time-change
> > > 28 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
> > > 29 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
> > > 30 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access
> > > 31 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
> > > 32 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
> > > 33 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
> > > 34 -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
> > > 35 -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 36 -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
> > > 37 -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 38 -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
> > > 39 -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 40 -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
> > > 41 -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 42 -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
> > > 43 -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 44 -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
> > > 45 -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 46 -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
> > > 47 -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
> > > 48 -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 49 -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
> > > 50 -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 51 -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
> > > 52 -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 53 -a always,exit -F arch=b32 -S mount -F auid=0 -k export
> > > 54 -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
> > > 55 -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
> > > 56 -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 57 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
> > > 58 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
> > > 59 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
> > > 60 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
> > > 61 -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
> > > 62 -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 63 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod
> > > 64 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 65 -a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
> > >
> > > I noticed that lines 58 and 65 seem to be "duplicates" although the
> > > syntax has some elements swapped.
> > >
> > > So, what I don't understand is why line #58 is OK, if line #65 is not?
> >
> > Both have correct syntax.
> >
> > > Are lines of "duplicate syntax" not legal?
> >
> > Nope. The kernel prevents multiple copies of the same rule. Even though the
> > syscalls are in a different order, fundamentally they are the same. The
> > syscalls get mapped into a bit mask and that is what is sent to the kernel.
> > So, the syscalls can be in complete reverse order but will result in the
> > same bit mask.
> >
> > -Steve
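Because this kind of collision appears whenever a rule file is assembled from several sources (here a Puppet module), the following is an added pre-flight check, not code from the thread or from audit-userspace, that canonicalises each -a/-A rule the way Steve describes (the -S list as an unordered set) and reports which line duplicates which before auditctl -R loads the file. It assumes -F fields are compared in order and -k as a plain key string (my reading of the kernel's rule comparison, not stated in the thread); the rule lines embedded in it are a constructed, trimmed copy of the file quoted above, and the script name in the usage note is hypothetical.

```python
"""Pre-flight duplicate check for an audit.rules file.

The kernel stores an exit rule's -S list as a bitmask over syscall
numbers, so two rules naming the same syscalls in a different order are
the same rule and the second is rejected with "Rule exists".  This script
canonicalises every -a/-A rule and reports duplicates with the same
1-based line numbers auditctl prints in "There was an error in line N".
Added example, not part of the mailing-list thread or of audit-userspace.
"""
import shlex
import sys

# Constructed sample: a trimmed copy of the file quoted in the thread.
# Line 4 and line 7 name the same syscalls in a different order (the
# thread's 58/65 pair); lines 5 and 6 differ only in key.
SAMPLE_RULES = """\
-D
-b 8192
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
"""


def canonical_rule(line):
    """Return a hashable canonical form of one -a/-A rule, or None for any
    other line (comments, -D, -b, -f, -w, ...).

    Syscalls collapse to a frozenset, mirroring the kernel bitmask.
    -F/-C fields stay ordered and -k is a plain key: assumption, see lead-in.
    """
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] not in ("-a", "-A"):
        return None
    # auditctl accepts both "always,exit" and "exit,always".
    list_action = tuple(sorted(tokens[1].split(",")))
    syscalls = set()
    fields = []
    key = None
    other = []
    i = 2
    while i < len(tokens):
        opt = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else ""
        if opt == "-S":
            # "-S a -S b" and "-S a,b" set the same bits; order is irrelevant.
            syscalls.update(arg.split(","))
            i += 2
        elif opt in ("-F", "-C"):
            fields.append((opt, arg))
            i += 2
        elif opt == "-k":
            key = arg
            i += 2
        else:
            # Keep anything unrecognised so it still distinguishes rules.
            other.append(opt)
            i += 1
    return (list_action, frozenset(syscalls), tuple(fields), key, tuple(other))


def find_duplicates(text):
    """Return [(first_line, duplicate_line), ...] using 1-based line numbers."""
    seen = {}
    dups = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.split() == ["-D"]:
            # A bare -D flushes the loaded rules, so earlier lines cannot
            # collide with later ones.  ("-D -k key" is not handled here.)
            seen.clear()
            continue
        canon = canonical_rule(line)
        if canon is None:
            continue
        if canon in seen:
            dups.append((seen[canon], lineno))
        else:
            seen[canon] = lineno
    return dups


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as f:
            text = f.read()
    else:
        text = SAMPLE_RULES
    dups = find_duplicates(text)
    for first, dup in dups:
        print("line %d duplicates line %d (kernel would reject it: Rule exists)"
              % (dup, first))
    return 1 if dups else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_audit_rules.py /etc/audit/audit.rules` (hypothetical file name); with no argument it checks the embedded sample and reports that line 7 duplicates line 4. It compares syscall names rather than numbers, so it will miss two different names that auditctl resolves to the same number on the given arch; a clean run is a fast pre-check, not a substitute for loading the file with `auditctl -R` on a test host.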
Thread overview: 4+ messages
2017-11-10 18:32 Problem with syntax? warron.french
2017-11-13 20:12 ` Steve Grubb
2017-11-14 1:12 ` warron.french
2017-11-14 1:35 ` Steve Grubb [this message]