renameat2 syscall is not recorded

Alan Evangelista alan.vitor at gmail.com
Thu Mar 11 10:31:06 UTC 2021


AE> Is there any reason why (...) auditctl -R don't print errors to stdout
AE> when rules parsing errors occur?

SG> If it's detected that the rules are in a file, they get sent to syslog
SG> because 99.99% of the time, this is system boot or initscripts and we
SG> need to make the problem discoverable later by the system admin.

I assume you meant "if it's detected that there are errors in the rules in
a rules file".
IMHO the stream to which errors are output (syslog or stdout) should be
configurable, as it is *very* confusing to run auditctl -R manually and get
no errors when there is an error in rules parsing. It forces the user to
always run "auditctl -R" and "auditctl -l" to check if the rules are indeed
active, which is not intuitive at all. Regarding the initscript use case,
I think it's also very common to use "auditctl -R" while creating new audit
rules.

On Wed, Mar 10, 2021 at 4:06 PM Steve Grubb <sgrubb at redhat.com> wrote:

> On Wednesday, March 10, 2021 5:53:42 AM EST Alan Evangelista wrote:
> > OM> Not sure if this is it, but there is a "-" missing before the "S"
> > before "renameat2".
> >
> > This was indeed the issue. I found out that was the issue when I ran
> > "auditctl -l". Thank you.
> >
> > Is there any reason why augenrules
>
> It has no idea about the rules, it simply compiles the master list.
>
> > and auditctl -R don't print errors to stdout when rules parsing errors
> > occur?
>
> If it's detected that the rules are in a file, they get sent to syslog
> because 99.99% of the time, this is system boot or initscripts and we
> need to make the problem discoverable later by the system admin.
>
> -Steve
>
>
>
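
An added example, not part of the original message or of the audit project's code: since rule-file errors from "auditctl -R" go to syslog as described above, a check run before loading can catch a dropped "-" like the one in this thread. The option table is a partial, assumed subset of auditctl(8), the name lint_rules is hypothetical, and the sample rules are constructed.

```python
import shlex

# Assumption: partial list of auditctl options that consume the next token.
TAKES_ARG = {"-a", "-A", "-d", "-F", "-C", "-S", "-k", "-w", "-W", "-p",
             "-b", "-e", "-f", "-r", "-m", "-q", "--backlog_wait_time"}

# Constructed sample: line 2 has "S renameat2" with the dash missing.
SAMPLE = """\
# constructed sample rules file
-a always,exit -F arch=b64 -S rename -S renameat S renameat2 -k rename
-a always,exit -F arch=b64 -S rename -S renameat -S renameat2 -k rename
-w /etc/passwd -p wa -k identity
"""

def lint_rules(text):
    """Return [(line_no, message)] for tokens that are not in option position."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no rule
        try:
            tokens = shlex.split(line)
        except ValueError as exc:
            findings.append((no, f"unparseable quoting: {exc}"))
            continue
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if not tok.startswith("-"):
                # A bare word where an option is expected, e.g. "S" for "-S".
                findings.append((no, f"stray token {tok!r}: missing '-' before an option?"))
                i += 1
            elif tok in TAKES_ARG:
                if i + 1 >= len(tokens):
                    findings.append((no, f"option {tok} has no argument"))
                i += 2  # skip the option and its argument
            else:
                i += 1  # flag-style option with no argument
    return findings

if __name__ == "__main__":
    for no, msg in lint_rules(SAMPLE):
        print(f"line {no}: {msg}")
```

A clean result here does not prove the kernel accepted the rules; comparing "auditctl -l" output after loading remains the authoritative check.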