> On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > I got a minimal audit.rules file containing:
> >
> > # cat -n /etc/audit/audit.rules
> > 1 -D
> > 2
> > 3 -b 8192
> > 4
> > 5 -e 0
>
> Why are you ^^^ disabling the audit system? You may want to try commenting
> that out.
I tried to add that to make sure it was not preventing me from adding the filters on msgtype. Normally I use `-e 1`.

> > 7 -a always,exclude -F msgtype=CWD
> > 8
> > 9 -w /etc/sysctl.conf -p wa -k sysctl
> >
> > When I restart auditd I get:
> >
> > # /etc/init.d/auditd restart
> > Restarting audit daemon: auditd Error sending add rule request
> > (Operation not supported)
> > There was an error in line 7 of /etc/audit/audit.rules
> > failed!
> >
> > Instructions like `-a always,exclude -F msgtype=CWD` seem to be very
> > popular in examples all over the internet. I don't understand why I get the
> > error.
> >
> > I use auditd `1:1.7.18-1.1` on Debian 7.
> >
> > What should I do to make this filter work?
>
> Support for msgtype on the exclude filter goes all the way back to 2005. So,
> it should work unless the kernel was built without audit full support. It
> might also be that if the audit system is disabled, it won't load rules. So,
> I'd try that. The code is very old and behaviors have changed over the years
> (both kernel and user space).

Thanks for the input on that. I will try to figure out how to determine if it was built with audit full support. Any tips on how to achieve that are welcome.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
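The two checks suggested in the reply above, written out as an added example that is not part of the thread: it reads the kernel build config for the audit options (CONFIG_AUDIT and CONFIG_AUDITSYSCALL; treating "full support" as CONFIG_AUDITSYSCALL is this example's assumption) and flags an audit.rules file that disables the audit system with `-e 0` before the rules it is supposed to load. The sample config and rules files are constructed inline to mirror the thread.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the thread: checks what the reply suggested,
# (1) was the kernel built with audit support, (2) does audit.rules disable
# the audit system (-e 0) before the rules it wants loaded.

# Classify a kernel config file's audit options; defaults to the running kernel.
# "full" is assumed here to mean CONFIG_AUDITSYSCALL (syscall rules, -w watches).
kernel_audit_support() {
    cfg="${1:-/boot/config-$(uname -r)}"
    [ -r "$cfg" ] || { echo "unknown"; return 1; }
    if grep -q '^CONFIG_AUDITSYSCALL=y' "$cfg"; then
        echo "full"
    elif grep -q '^CONFIG_AUDIT=y' "$cfg"; then
        echo "basic"   # audit framework only, no syscall auditing
    else
        echo "none"
    fi
}

# Succeed (exit 0) if "-e 0" appears before any -a or -w rule in the file.
rules_disable_audit_first() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "-e" && $2 == "0" { seen_e0 = 1; next }
        ($1 == "-a" || $1 == "-w") && seen_e0 { found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample inputs mirroring the thread, not real system files.
tmp=$(mktemp -d)
printf 'CONFIG_AUDIT=y\nCONFIG_AUDITSYSCALL=y\n' > "$tmp/config-full"
printf 'CONFIG_AUDIT=y\n# CONFIG_AUDITSYSCALL is not set\n' > "$tmp/config-basic"
cat > "$tmp/audit.rules" <<'EOF'
-D
-b 8192
-e 0
-a always,exclude -F msgtype=CWD
-w /etc/sysctl.conf -p wa -k sysctl
EOF
# The same file with the audit system left enabled (-e 1).
sed 's/^-e 0$/-e 1/' "$tmp/audit.rules" > "$tmp/audit.rules.fixed"

echo "kernel audit support: $(kernel_audit_support "$tmp/config-full")"
if rules_disable_audit_first "$tmp/audit.rules"; then
    echo "audit.rules disables the audit system (-e 0) before its rules"
fi
```

Run without arguments on a real host, `kernel_audit_support` reads `/boot/config-$(uname -r)`; distributions that expose the config only as `/proc/config.gz` need it unpacked first.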