operation not supported on filtering

Vincent Fiset vfiset at gmail.com
Tue Dec 4 14:26:29 UTC 2018


Here are the flags that I see in /proc/config.gz:

$ zgrep -i audi /proc/config.gz
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_KVM_MMU_AUDIT is not set
# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set

At this point I am unsure if it's all needed to claim it was built
with audit full support. Anything else I should check?
On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset <vfiset at gmail.com> wrote:
>
> > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > > I got a minimal audit.rules file containing:
> > >
> > >     # cat -n /etc/audit/audit.rules
> > >     1  -D
> > >     2
> > >     3  -b 8192
> > >     4
> > >     5  -e 0
> >
> > Why are you ^^^ disabling the audit system? You may want to try commenting
> > that out.
>
> I tried to add that to make sure it was not preventing me from adding the
> filters on msgtype. Normally I use `-e 1`.
>
> >
> > >     7  -a always,exclude -F msgtype=CWD
> > >     8
> > >     9  -w /etc/sysctl.conf -p wa -k sysctl
> > >
> > > When I restart auditd I get:
> > >
> > >     # /etc/init.d/auditd restart
> > >     Restarting audit daemon: auditd Error sending add rule request
> > > (Operation not supported)
> > >     There was an error in line 7 of /etc/audit/audit.rules
> > >      failed!
> > >
> > > Instructions like `-a always,exclude -F msgtype=CWD` seem to be very
> > > popular in examples all over the internet. I don't understand why I get the
> > > error.
> > >
> > > I use auditd `1:1.7.18-1.1` on Debian 7
> > >
> > > What should I do to make this filter work?
> >
> > Support for msgtype on the exclude filter goes all the way back to 2005. So,
> > it should work unless the kernel was built without audit full support. It
> > might also be that if the audit system is disabled, it won't load rules. So,
> > I'd try that. The code is very old and behaviors have changed over the years
> > (both kernel and user space).
>
> Thanks for the input on that I will try to figure out how to determine
> if it was built with audit full support. Any tips on how to achieve
> that are welcome.



-- 
/VF
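The thread leaves open how to tell whether a kernel was built with the audit options the exclude filter needs. The script below is an added example, not part of the thread or of the audit project: it reads the running kernel's configuration (from /proc/config.gz when CONFIG_IKCONFIG_PROC is enabled, else from /boot/config-<release>) and checks that CONFIG_AUDIT and CONFIG_AUDITSYSCALL are built in (=y, not =m or unset). The two embedded config snippets are constructed samples, the first modelled on the output posted above; the list of required options is this example's assumption, since the thread itself only says "audit full support". In live mode it also prints `auditctl -s`, whose `enabled` field shows whether the audit system is currently disabled (the `-e 0` case Steve pointed at).

```shell
#!/bin/sh
# Added example (not the thread's code): check kernel audit build options
# before debugging "Operation not supported" on audit rule loading.

# audit_config_ok: read a kernel config on stdin and return 0 only when every
# option in REQUIRED_AUDIT_OPTS is built in (=y). "=m" and "is not set" fail.
# The option list is an assumption of this example.
REQUIRED_AUDIT_OPTS="CONFIG_AUDIT CONFIG_AUDITSYSCALL"

audit_config_ok() {
    _text=$(cat)
    for _opt in $REQUIRED_AUDIT_OPTS; do
        printf '%s\n' "$_text" | grep -q "^${_opt}=y\$" || {
            printf 'missing or not built in: %s\n' "$_opt" >&2
            return 1
        }
    done
    return 0
}

# kernel_config: print the running kernel's config, preferring /proc/config.gz
# (needs CONFIG_IKCONFIG_PROC) and falling back to the distribution's /boot copy.
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found for $(uname -r)" >&2
        return 1
    fi
}

# Constructed sample, modelled on the zgrep output posted in the thread.
SAMPLE_CONFIG='CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
# CONFIG_KVM_MMU_AUDIT is not set'

# Constructed sample of a kernel with basic audit but no syscall auditing.
SAMPLE_NO_SYSCALL='CONFIG_AUDIT=y
# CONFIG_AUDITSYSCALL is not set'

# Live mode: run against the real kernel and show the daemon-side status.
if [ "${1:-}" = "--live" ]; then
    if kernel_config | audit_config_ok; then
        echo "kernel audit options present"
    fi
    # auditctl -s reports "enabled 0|1|2"; 0 means rules will not take effect.
    if command -v auditctl >/dev/null 2>&1; then
        auditctl -s
    fi
fi
```

Run it as `sh audit_check.sh --live` on the host in question; without `--live` it only defines the functions and samples, which is what the checks below exercise.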