linux-audit.redhat.com archive mirror
* Problem with syntax?
@ 2017-11-10 18:32 warron.french
  2017-11-13 20:12 ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: warron.french @ 2017-11-10 18:32 UTC (permalink / raw)
  To: linux-audit


Steve, can you help me with this please?
Somehow this slipped past our QA process, but I have an error popping up in
/var/log/boot.log indicating:

 28 Starting auditd: ^[[60G[^[[0;32m  OK  ^[[0;39m]^M
 29 Error sending add rule data request (Rule exists)
 30 There was an error in line 65 of /etc/audit/audit.rules

Lines 28-30 are the only range of line numbers indicating a problem in the
boot.log.

I will post a copy of the /etc/audit/audit.rules (for my RHEL6 system)
below (with line numbers included for navigation):
  1 # This file managed by puppet module: osconfig_eita_mgmt
  2 # DO NOT ALTER outside of the Puppet Framework.
  3 #
  4 #
  5 # First rule - delete all
  6 -D
  7 # Increase the buffers to survive stress events.
  8 # Make this bigger for busy systems
  9 -b 8192
 10 # PANIC on audit failure
 11 -f 2
 12 #
 13 # ACTION (-a) Rules
 14 # Filters out noisy cron related messages
 15 -a never,user -F subj_type=crond_t
 16 #
 17 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
 18 -a always,exit -F arch=b32 -S adjtimex -S stime -S settimeofday -S clock_settime -k audit_time_rules
 19 -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
 20 -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
 21 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid=0 -k perm_mod
 22 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
 23 -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
 24 -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
 25 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod
 26 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
 27 -a always,exit -F arch=b32 -S clock_settime -k time-change
 28 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
 29 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
 30 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access
 31 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
 32 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
 33 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
 34 -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
 35 -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
 36 -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
 37 -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
 38 -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
 39 -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
 40 -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
 41 -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
 42 -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
 43 -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
 44 -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
 45 -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
 46 -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
 47 -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
 48 -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
 49 -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
 50 -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
 51 -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
 52 -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
 53 -a always,exit -F arch=b32 -S mount -F auid=0 -k export
 54 -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
 55 -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
 56 -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
 57 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
 58 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
 59 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
 60 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
 61 -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
 62 -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
 63 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod
 64 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
 65 -a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

I noticed that lines 58 and 65 seem to be "duplicates" although the syntax
has some elements swapped.

So, what I don't understand is why line #58 is OK if line #65 is not.  Are
lines of "duplicate syntax" not legal?


Thanks in advance,
--------------------------
Warron French


* Re: Problem with syntax?
  2017-11-10 18:32 Problem with syntax? warron.french
@ 2017-11-13 20:12 ` Steve Grubb
  2017-11-14  1:12   ` warron.french
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2017-11-13 20:12 UTC (permalink / raw)
  To: linux-audit

On Friday, November 10, 2017 1:32:34 PM EST warron.french wrote:
> Steve, can you help me with this please?
> Somehow this slipped past our QA process, but I have an error popping up in
> */var/log/boot.log* indicating:
> 
>  *28* Starting auditd: ^[[60G[^[[0;32m  OK  ^[[0;39m]^M
> * 29* Error sending add rule data request (Rule exists)
>  *30 *There was an error in line 65 of /etc/audit/audit.rules
> 
> Lines 28-30 are the only range of line numbers indicating a problem in the
> boot.log.
> 
> I noticed that lines 58 and 65 seem to be "duplicates" although the syntax
> has some elements swapped.
> 
> So, what I don't understand is why is line #58 OK, if line #65 is not?

Both have correct syntax.

> Are lines of "duplicate syntax" not legal?

Nope. The kernel prevents multiple copies of the same rule. Even though the 
syscalls are in a different order, fundamentally they are the same. The 
syscalls get mapped into a bit mask and that is what is sent to the kernel. 
So, the syscalls can be in complete reverse order but will result in the same 
bit mask.

-Steve

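The point above, that a rule's syscall list is reduced to a bit mask before it reaches the kernel, means a QA check for a rules file has to compare rules by their normalised identity rather than by text. The checker below is an added example, not code from this thread or from the audit userspace: it treats the -S syscalls of each `-a` rule as an unordered set (and `always,exit` the same as `exit,always`), keeps the list/action pair, the -F filters and the -k key as the rest of the identity, and reports any rule that repeats an identity already seen since the last `-D`. Treating -F filter order as significant is an assumption of this checker, as are the function names. The constructed sample reproduces the shape of lines 57, 58, 59, 60 and 65 of the file posted above: only the line-65 equivalent is flagged, and the two sethostname rules are not, because they differ in key.

```python
"""Pre-flight duplicate check for an audit.rules file (added example).

Identity of an -a rule = (list/action words as a set, syscalls as a set,
-F filters in order, -k key).  Syscall order is irrelevant because the
kernel receives the syscalls as a bit mask; filter order being significant
is an assumption of this checker.
"""
import shlex


def normalise_rule(line):
    """Return a hashable identity for an '-a' rule, or None for any other line."""
    toks = shlex.split(line, comments=True)
    if not toks or toks[0] != "-a":
        return None                      # -D, -b, -f, -w, comments, blanks
    if len(toks) < 2:
        raise ValueError("-a requires a list,action argument: %r" % line)
    list_action = frozenset(toks[1].split(","))   # always,exit == exit,always
    syscalls = set()
    filters = []
    key = None
    i = 2
    while i < len(toks):
        opt = toks[i]
        if i + 1 >= len(toks):
            raise ValueError("option %s is missing its argument: %r" % (opt, line))
        arg = toks[i + 1]
        if opt == "-S":
            syscalls.update(arg.split(","))   # "-S a,b" and "-S a -S b" alike
        elif opt == "-F":
            filters.append(arg)
        elif opt == "-k":
            key = arg
        else:
            raise ValueError("unsupported option %s in: %r" % (opt, line))
        i += 2
    return (list_action, frozenset(syscalls), tuple(filters), key)


def find_duplicates(rules_text):
    """Return (line_no, earlier_line_no) pairs for rules whose identity
    repeats one already loaded since the last -D (which flushes all rules)."""
    seen = {}
    duplicates = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if line.strip() == "-D":
            seen.clear()
            continue
        ident = normalise_rule(line)
        if ident is None:
            continue
        if ident in seen:
            duplicates.append((lineno, seen[ident]))
        else:
            seen[ident] = lineno
    return duplicates


# Constructed excerpt modelled on the rules file in the thread; the line
# numbers are the excerpt's own, not the original file's.
SAMPLE_RULES = """\
-D
-b 8192
-f 2
-a never,user -F subj_type=crond_t
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
"""

if __name__ == "__main__":
    for lineno, first in find_duplicates(SAMPLE_RULES):
        print("line %d duplicates line %d (auditctl would report 'Rule exists')"
              % (lineno, first))
```

Run against the sample it reports line 9 as a duplicate of line 6, the same relationship as lines 65 and 58 in the posted file. Feeding the real file through `find_duplicates` before Puppet ships it catches the case before boot.log does.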

* Re: Problem with syntax?
  2017-11-13 20:12 ` Steve Grubb
@ 2017-11-14  1:12   ` warron.french
  2017-11-14  1:35     ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: warron.french @ 2017-11-14  1:12 UTC (permalink / raw)
  To: Steve Grubb, linux-audit


So, I wonder why I am having a problem on line #65 then.  Or does the error
actually mean after line 65?

Thanks,

--------------------------
Warron French




* Re: Problem with syntax?
  2017-11-14  1:12   ` warron.french
@ 2017-11-14  1:35     ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2017-11-14  1:35 UTC (permalink / raw)
  To: warron.french; +Cc: linux-audit

On Monday, November 13, 2017 8:12:44 PM EST warron.french wrote:
> So, I wonder why I am having a problem on line #65 then.

Because it's a duplicate of 58.

> Or does the error actually mean after line 65?

Nope. It means 65. Just delete one or the other and you should be fine.

-Steve


