On Monday, November 13, 2017 8:12:44 PM EST warron.french wrote:
> So, I wonder why I am having a problem on line #65 then.

Because it's a duplicate of 58.

> Or does the error actually mean after line 65?

Nope. It means 65. Just delete one or the other and you should be fine.

-Steve

> On Mon, Nov 13, 2017 at 3:12 PM, Steve Grubb <sgr...@redhat.com> wrote:
> > On Friday, November 10, 2017 1:32:34 PM EST warron.french wrote:
> > > Steve, can you help me with this please?
> > > Somehow this slipped past our QA process, but I have an error popping up in
> > > */var/log/boot.log* indicating:
> > >
> > > *28* Starting auditd: ^[[60G[^[[0;32m OK ^[[0;39m]^M
> > > *29* Error sending add rule data request (Rule exists)
> > > *30* There was an error in line 65 of /etc/audit/audit.rules
> > >
> > > Lines 28-30 are the only range of line numbers indicating a problem in the boot.log.
> > >
> > > I will post a copy of the /etc/audit/audit.rules (for my RHEL6 system)
> > > below (with line numbers included for navigation):
> > >
> > > 1 # This file managed by puppet module: osconfig_eita_mgmt
> > > 2 # DO NOT ALTER outside of the Puppet Framework.
> > > 3 #
> > > 4 #
> > > 5 # First rule - delete all
> > > 6 -D
> > > 7 # Increase the buffers to survive stress events.
> > > 8 # Make this bigger for busy systems
> > > 9 -b 8192
> > > 10 # PANIC on audit failure
> > > 11 -f 2
> > > 12 #
> > > 13 # ACTION (-a) Rules
> > > 14 # Filters out noisy cron related messages
> > > 15 -a never,user -F subj_type=crond_t
> > > 16 #
> > > 17 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
> > > 18 -a always,exit -F arch=b32 -S adjtimex -S stime -S settimeofday -S clock_settime -k audit_time_rules
> > > 19 -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
> > > 20 -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 21 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid=0 -k perm_mod
> > > 22 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 23 -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
> > > 24 -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 25 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod
> > > 26 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 27 -a always,exit -F arch=b32 -S clock_settime -k time-change
> > > 28 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
> > > 29 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
> > > 30 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access
> > > 31 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
> > > 32 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
> > > 33 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
> > > 34 -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
> > > 35 -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 36 -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
> > > 37 -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 38 -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
> > > 39 -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 40 -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
> > > 41 -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 42 -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
> > > 43 -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 44 -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
> > > 45 -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 46 -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
> > > 47 -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
> > > 48 -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 49 -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
> > > 50 -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 51 -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
> > > 52 -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 53 -a always,exit -F arch=b32 -S mount -F auid=0 -k export
> > > 54 -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
> > > 55 -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
> > > 56 -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 57 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
> > > 58 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
> > > 59 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
> > > 60 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
> > > 61 -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
> > > 62 -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 63 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod
> > > 64 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> > > 65 -a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
> > >
> > > I noticed that lines 58 and 65 seem to be "duplicates" although the syntax
> > > has some elements swapped.
> > >
> > > So, what I don't understand is why is line #58 OK, if line #65 is not?
> >
> > Both have correct syntax.
> >
> > > Are lines of "duplicate syntax" not legal?
> >
> > Nope. The kernel prevents multiple copies of the same rule. Even though the
> > syscalls are in a different order, fundamentally they are the same. The
> > syscalls get mapped into a bit mask and that is what is sent to the kernel.
> > So, the syscalls can be in complete reverse order but will result in the same
> > bit mask.
> >
> > -Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
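Steve's point (the -S list becomes a bitmask, so syscall order does not distinguish rules) can be turned into a pre-flight check that catches a "Rule exists" failure before auditd is restarted. The Python below is an added example, not code from this thread or from audit-userspace; it assumes the auditctl syntax used in the quoted file (-a/-A rules with -S, -F and -k arguments), treats the -k key and the -F field order as part of a rule's identity (the quoted file's lines 59 and 60 differ only in -k and both load), and runs over a constructed excerpt of that file.

```python
# Constructed excerpt of the rules file quoted in the thread: lines 58 and 65
# differ only in the order of their -S arguments; lines 59 and 60 only in -k.
SAMPLE_RULES = """\
-D
-b 8192
-a never,user -F subj_type=crond_t
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
"""

def canonical_key(line):
    """Identity of one -a/-A syscall rule as the kernel compares it: list/action,
    the syscalls as an unordered set (the kernel only sees a bitmask, so the
    -S order is irrelevant), the -F fields in order, and the -k key.
    Returns None for lines that are not rules (-D, -b, -f, comments)."""
    toks = line.split()
    if len(toks) < 2 or toks[0] not in ("-a", "-A"):
        return None
    list_action = frozenset(toks[1].split(","))  # 'always,exit' == 'exit,always'
    syscalls, fields, key = set(), [], None
    for opt, arg in zip(toks[2::2], toks[3::2]):  # every option here takes one argument
        if opt == "-S":
            syscalls.update(arg.split(","))  # '-S a,b' == '-S a -S b'
        elif opt == "-F":
            fields.append(arg)
        elif opt == "-k":
            key = arg
    return (list_action, frozenset(syscalls), tuple(fields), key)

def find_duplicates(rules_text):
    """Return (duplicate_line, first_line) pairs, numbered from 1 as in
    auditctl's 'There was an error in line N' message."""
    first_seen, dups = {}, []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        ident = canonical_key(line.strip())
        if ident is None:
            continue
        if ident in first_seen:
            dups.append((lineno, first_seen[ident]))
        else:
            first_seen[ident] = lineno
    return dups

if __name__ == "__main__":
    for dup, first in find_duplicates(SAMPLE_RULES):
        print(f"line {dup} duplicates line {first}")  # line 8 duplicates line 5
```

Feed it the real /etc/audit/audit.rules instead of SAMPLE_RULES and the reported duplicate line number matches the one auditctl would print at boot.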