Steve, can you help me with this please? Somehow this slipped past our QA process, but I have an error popping up in */var/log/boot.log* indicating:
28 Starting auditd: ^[[60G[^[[0;32m OK ^[[0;39m]^M
29 Error sending add rule data request (Rule exists)
30 There was an error in line 65 of /etc/audit/audit.rules

Lines 28-30 are the only range of line numbers indicating a problem in the boot.log. I will post a copy of the /etc/audit/audit.rules (for my RHEL6 system) below (with line numbers included for navigation):

1 # This file managed by puppet module: osconfig_eita_mgmt
2 # DO NOT ALTER outside of the Puppet Framework.
3 #
4 #
5 # First rule - delete all
6 -D
7 # Increase the buffers to survive stress events.
8 # Make this bigger for busy systems
9 -b 8192
10 # PANIC on audit failure
11 -f 2
12 #
13 # ACTION (-a) Rules
14 # Filters out noisy cron related messages
15 -a never,user -F subj_type=crond_t
16 #
17 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
18 -a always,exit -F arch=b32 -S adjtimex -S stime -S settimeofday -S clock_settime -k audit_time_rules
19 -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
20 -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
21 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid=0 -k perm_mod
22 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
23 -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
24 -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
25 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod
26 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
27 -a always,exit -F arch=b32 -S clock_settime -k time-change
28 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
29 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
30 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access
31 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
32 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
33 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
34 -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
35 -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
36 -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
37 -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
38 -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
39 -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
40 -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
41 -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
42 -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
43 -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
44 -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
45 -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
46 -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
47 -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
48 -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
49 -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
50 -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
51 -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
52 -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
53 -a always,exit -F arch=b32 -S mount -F auid=0 -k export
54 -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
55 -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
56 -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
57 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
58 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
59 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
60 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
61 -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
62 -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
63 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod
64 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
65 -a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

I noticed that lines 58 and 65 seem to be "duplicates" although the syntax has some elements swapped. So, what I don't understand is why is line #58 OK, if line #65 is not? Are lines of "duplicate syntax" not legal?

Thanks in advance,
--------------------------
Warron French
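An added example, not part of the original post or of the audit package: a small Python pre-flight check that reads an audit.rules file and reports lines that describe the same rule, so a duplicate like the one on line 65 is caught before auditd loads the file at boot. It assumes that auditd compares the -S syscall list of a rule as a set (which is what "Rule exists" for line 65 suggests, since line 58 lists the same syscalls in a different order) and compares every other token (-F filters, -k key) in the order written; that second assumption is deliberately strict, so a reordered -F list is not reported. The rules embedded in the script are a constructed excerpt modelled on lines 57, 58, 60 and 65 of the file above.

```python
"""Pre-flight duplicate check for an audit.rules file (added example).

Assumption: the -S syscall list of a rule is compared as a set, everything
else in the rule is compared positionally.
"""
import shlex
import sys
from collections import defaultdict

# Constructed excerpt modelled on lines 57, 58, 60 and 65 of the posted file.
SAMPLE_RULES = """\
# constructed excerpt, not the real /etc/audit/audit.rules
-D
-b 8192
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
"""


def normalize_rule(line):
    """Return a hashable canonical form of one -a/-A/-w rule line.

    Comments, blank lines and control directives (-D, -b, -f, ...) yield None.
    The -S syscalls are collected into a frozenset; all other tokens keep
    their order, so the -F filters and the -k key must match exactly.
    """
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] not in ("-a", "-A", "-w"):
        return None
    syscalls = set()
    rest = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "-S" and i + 1 < len(tokens):
            # -S accepts a comma-separated list as well as repeated flags
            syscalls.update(tokens[i + 1].split(","))
            i += 2
        else:
            rest.append(tokens[i])
            i += 1
    return (tuple(rest), frozenset(syscalls))


def find_duplicates(text):
    """Map each canonical rule that occurs more than once to the 1-based
    line numbers it occurs on, in file order."""
    seen = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        key = normalize_rule(line)
        if key is not None:
            seen[key].append(lineno)
    return {key: nums for key, nums in seen.items() if len(nums) > 1}


def report(text):
    """Print one line per duplicate group; return True if any were found."""
    dups = find_duplicates(text)
    for (rest, syscalls), nums in dups.items():
        first, later = nums[0], ", ".join(str(n) for n in nums[1:])
        print("line(s) %s repeat the rule first seen on line %d: %s -S %s"
              % (later, first, " ".join(rest), ",".join(sorted(syscalls))))
    return bool(dups)


if __name__ == "__main__":
    # Usage: python audit_dups.py /etc/audit/audit.rules
    # With no argument the constructed sample above is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE_RULES
    sys.exit(1 if report(data) else 0)
```

Run against the constructed sample, the script reports line 7 as repeating the rule first seen on line 5, which is the same relationship lines 58 and 65 have in the real file; because the exit status is non-zero when duplicates are found, the check can be wired into the Puppet pipeline that manages the file so a duplicate fails the change rather than the next boot.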
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
