From: Steve Grubb <sgrubb@redhat.com>
To: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: augenrules --load
Date: Tue, 22 Sep 2020 13:06:00 -0400
Message-ID: <4590690.31r3eYUQgx@x2>
In-Reply-To: <738651663.5183625.1600783983768@mail.yahoo.com>
Hello,
This email is formatted very badly. I will try to answer it.
On Tuesday, September 22, 2020 10:13:03 AM EDT Joe Wulf wrote:
> When building a new RHEL v7.8 VM manually, I set up the rules desired in
> /etc/audit/rules.d/audit.rules, no other changes (because I've wanted to
> narrow down the issue). After subsequent reboots, with no further changes
> to any audit rules either, I monitor /var/log/messages and I see
> occurrences like this:
>
> Sep 22 09:04:24 hostxyz augenrules: /sbin/augenrules: No change
This is normal.
> Sep 22 09:04:24 hostxyz augenrules: No rules
> Sep 22 09:04:24 hostxyz augenrules: enabled 1
> Sep 22 09:04:24 hostxyz augenrules: failure 1
> Sep 22 09:04:24 hostxyz augenrules: pid 1242
> Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
> Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
> Sep 22 09:04:24 hostxyz augenrules: lost 56
> Sep 22 09:04:24 hostxyz augenrules: backlog 1
> Sep 22 09:04:24 hostxyz augenrules: enabled 1
> Sep 22 09:04:24 hostxyz augenrules: failure 2
> Sep 22 09:04:24 hostxyz augenrules: pid 1242
> Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
> Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
> Sep 22 09:04:24 hostxyz augenrules: lost 56
> Sep 22 09:04:24 hostxyz augenrules: backlog 0
> Sep 22 09:04:24 hostxyz augenrules: usage: auditctl [options]
> Sep 22 09:04:24 hostxyz augenrules: -a <l,a> Append rule to end of <l>ist with <a>ction
> Sep 22 09:04:24 hostxyz augenrules: -A <l,a> Add rule at beginning of <l>ist with <a>ction
> Sep 22 09:04:24 hostxyz augenrules: -b <backlog> Set max number of outstanding audit buffers
> Sep 22 09:04:24 hostxyz augenrules: allowed Default=64
> Sep 22 09:04:24 hostxyz augenrules: -c Continue through errors in rules
> Sep 22 09:04:24 hostxyz augenrules: -C f=f Compare collected fields if available:
> Sep 22 09:04:24 hostxyz augenrules: Field name, operator(=,!=), field name
> Sep 22 09:04:24 hostxyz augenrules: -d <l,a> Delete rule from <l>ist with <a>ction
> Sep 22 09:04:24 hostxyz augenrules: l=task,exit,user,exclude
> Sep 22 09:04:24 hostxyz augenrules: a=never,always
> Sep 22 09:04:24 hostxyz augenrules: -D Delete all rules and watches
> Sep 22 09:04:24 hostxyz augenrules: -e [0..2] Set enabled flag
> Sep 22 09:04:24 hostxyz augenrules: -f [0..2] Set failure flag
> Sep 22 09:04:24 hostxyz augenrules: 0=silent 1=printk 2=panic
> Sep 22 09:04:24 hostxyz augenrules: -F f=v Build rule: field name, operator(=,!=,<,>,<=,
> Sep 22 09:04:24 hostxyz augenrules: >=,&,&=) value
> Sep 22 09:04:24 hostxyz augenrules: -h Help
> Sep 22 09:04:24 hostxyz augenrules: -i Ignore errors when reading rules from file
> Sep 22 09:04:24 hostxyz augenrules: -k <key> Set filter key on audit rule
> Sep 22 09:04:24 hostxyz augenrules: -l List rules
> Sep 22 09:04:24 hostxyz augenrules: -m text Send a user-space message
> Sep 22 09:04:24 hostxyz augenrules: -p [r|w|x|a] Set permissions filter on watch
> Sep 22 09:04:24 hostxyz augenrules: r=read, w=write, x=execute, a=attribute
> Sep 22 09:04:24 hostxyz augenrules: -q <mount,subtree> make subtree part of mount point's dir watches
> Sep 22 09:04:24 hostxyz augenrules: -r <rate> Set limit in messages/sec (0=none)
> Sep 22 09:04:24 hostxyz augenrules: -R <file> read rules from file
> Sep 22 09:04:24 hostxyz augenrules: -s Report status
> Sep 22 09:04:24 hostxyz augenrules: -S syscall Build rule: syscall name or number
> Sep 22 09:04:24 hostxyz augenrules: -t Trim directory watches
> Sep 22 09:04:24 hostxyz augenrules: -v Version
> Sep 22 09:04:24 hostxyz augenrules: -w <path> Insert watch at <path>
> Sep 22 09:04:24 hostxyz augenrules: -W <path> Remove watch at <path>
> Sep 22 09:04:24 hostxyz augenrules: --loginuid-immutable Make loginuids unchangeable once set
> Sep 22 09:04:24 hostxyz augenrules: --reset-lost Reset the lost record counter
> Sep 22 09:04:24 hostxyz systemd: Started Security Auditing Service.
>
> The 'usage' of auditctl is invoked the one time in the 'try_load'
> function of augenrules. Manual executions of "/sbin/auditctl -R
> /etc/audit/audit.rules" result in essentially the same behavior on the
> terminal as found in /var/log/messages. Should execution of augenrules
> seemingly error-out on invocation of auditctl like this?
It should be telling you which line it didn't like. That is unless you have a
"-h" in the rules. Or an option that doesn't match. You should look over the
rules carefully. Something in there is a typo.
I revised the error message for unmatched options to print the line number
instead of usage.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
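The reply above says the usage dump comes from a typo or a stray "-h" in the rules, and that auditctl at the time did not say which line was at fault. The following added POSIX sh check (not part of the thread, the audit project, or auditctl itself) finds that line before augenrules --load runs: it walks a rules file and reports any option token that is not in the auditctl option list quoted in the thread, and flags a bare "-h". The function name lint_audit_rules and the sample rules are constructed for this example; the check only inspects option names, not their arguments, so auditctl remains the final arbiter.

```shell
#!/bin/sh
# Static check for audit rules files: report option tokens auditctl does not
# know. The option list is copied from the auditctl usage text in the thread
# (assumption: a newer auditctl may accept options not listed here).
AUDITCTL_OPTS="-a -A -b -c -C -d -D -e -f -F -h -i -k -l -m -p -q -r -R -s -S -t -v -w -W --loginuid-immutable --reset-lost"

# known_opt TOKEN: succeed if TOKEN is one of AUDITCTL_OPTS
known_opt() {
    for o in $AUDITCTL_OPTS; do
        [ "$o" = "$1" ] && return 0
    done
    return 1
}

# lint_audit_rules FILE: print "FILE:LINE: message" per problem; return 1 if any
lint_audit_rules() {
    file=$1
    problems=0
    lineno=0
    set -f   # no glob expansion while splitting rule lines into tokens
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Blank lines and comments are skipped, as augenrules skips them
        case "$line" in
            ''|'#'*) continue ;;
        esac
        set -- $line
        for tok in "$@"; do
            case "$tok" in
                -h)
                    echo "$file:$lineno: -h makes auditctl print usage and stop"
                    problems=$((problems + 1)) ;;
                -*)
                    if ! known_opt "$tok"; then
                        echo "$file:$lineno: unknown option $tok"
                        problems=$((problems + 1))
                    fi ;;
            esac
        done
    done < "$file"
    set +f
    [ "$problems" -eq 0 ]
}
```

Run it over each file in /etc/audit/rules.d/ and fix the reported lines; a clean run is not a guarantee, since auditctl still validates the option arguments.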