Problem with syntax?

warron.french warron.french at gmail.com
Fri Nov 10 18:32:34 UTC 2017


Steve, can you help me with this please?
Somehow this slipped past our QA process, but I have an error popping up in
/var/log/boot.log indicating:

28 Starting auditd: ^[[60G[^[[0;32m  OK  ^[[0;39m]^M
29 Error sending add rule data request (Rule exists)
30 There was an error in line 65 of /etc/audit/audit.rules

Lines 28-30 are the only range of line numbers indicating a problem in the
boot.log.

I will post a copy of the /etc/audit/audit.rules (for my RHEL6 system)
below (with line numbers included for navigation):
 1 # This file managed by puppet module: osconfig_eita_mgmt
 2 # DO NOT ALTER outside of the Puppet Framework.
 3 #
 4 #
 5 # First rule - delete all
 6 -D
 7 # Increase the buffers to survive stress events.
 8 # Make this bigger for busy systems
 9 -b 8192
10 # PANIC on audit failure
11 -f 2
12 #
13 # ACTION (-a) Rules
14 # Filters out noisy cron related messages
15 -a never,user -F subj_type=crond_t
16 #
17 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
18 -a always,exit -F arch=b32 -S adjtimex -S stime -S settimeofday -S clock_settime -k audit_time_rules
19 -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
20 -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
21 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid=0 -k perm_mod
22 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
23 -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
24 -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
25 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod
26 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
27 -a always,exit -F arch=b32 -S clock_settime -k time-change
28 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
29 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
30 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access
31 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
32 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
33 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
34 -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
35 -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
36 -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
37 -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
38 -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
39 -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
40 -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
41 -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
42 -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
43 -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
44 -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
45 -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
46 -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
47 -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
48 -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
49 -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
50 -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
51 -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
52 -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
53 -a always,exit -F arch=b32 -S mount -F auid=0 -k export
54 -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
55 -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
56 -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
57 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
58 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
59 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
60 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
61 -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
62 -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
63 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod
64 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
65 -a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

I noticed that lines 58 and 65 seem to be "duplicates" although the syntax
has some elements swapped.

So, what I don't understand is why line #58 is OK if line #65 is not. Are
lines of "duplicate syntax" not legal?


Thanks in advance,
--------------------------
Warron French
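A small pre-deployment check for the situation described in the post, added here as an example and not part of the original message or of any audit project code. It assumes, as the "Rule exists" error suggests, that auditctl compares a rule by its set of syscalls, its -F fields and its key rather than by token order, so line 65 is the same rule as line 58 (while lines 59 and 60, which differ only in key, stay distinct). The sample input is a constructed excerpt of the posted file (its lines 57, 58 and 65 plus two control lines).

```python
"""Lint an audit.rules file for rules that differ only in token order.

Assumption: auditctl turns each -a rule into a syscall mask plus a set of
-F fields (the -k key included), so two lines naming the same syscalls,
filters and key in a different order are one rule; the second one fails
to load with "Rule exists".
"""
import shlex

# Constructed excerpt: a control line, the cron filter, then posted lines 57, 58, 65.
SAMPLE_RULES = """\
-D
-a never,user -F subj_type=crond_t
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
"""

def canonical_rule(line):
    """Order-independent form of one -a/-A rule; None for comments and
    control lines such as -D, -b and -f."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] not in ("-a", "-A"):
        return None
    syscalls, filters, keys = set(), set(), set()
    args = iter(tokens[2:])
    for flag in args:                       # remaining tokens come in flag/value pairs
        value = next(args, "")
        if flag == "-S":
            syscalls.update(value.split(","))   # "-S a,b" equals "-S a -S b"
        elif flag == "-F":
            filters.add(value)
        elif flag == "-k":
            keys.add(value)
    return (tokens[1], frozenset(syscalls), frozenset(filters), frozenset(keys))

def find_duplicate_rules(text):
    """Map the 1-based line number of each repeated rule to the line it repeats."""
    seen, duplicates = {}, {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        rule = canonical_rule(line)
        if rule is None:
            continue
        if rule in seen:
            duplicates[lineno] = seen[rule]   # auditd would report "Rule exists" here
        else:
            seen[rule] = lineno
    return duplicates

if __name__ == "__main__":
    for later, first in find_duplicate_rules(SAMPLE_RULES).items():
        print(f"line {later} repeats line {first} (Rule exists)")
```

Run against the full posted file, it reports line 65 as a repeat of line 58 and nothing else, matching the single error in boot.log.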