small patch for issue with rules that have been (incorrecly) copied from Windows

Sun, 12 Feb 2023 14:48:08 -0800 

Hello,

We have had at least a few instances where customers configured audit rules on 
Windows, and then incorrectly
moved the resulting '.rules' files to Linux.

These files still had the Windows  line terminator (CRLF). 'augenrules' read 
them without issues and generated the
/etc/audit/audit.rules file.

But on loading the new audit.rules, 'auditctl -R' will receive a bad return 
code, and stop loading the rules. The
resulting error is a bit on the cryptic side, and our customers do not seem to 
catch it easily.

The proposed fix is simple, and resolves the issue when using 'augenrules'. Of 
course, if someone generates
/etc/audit/audit.rules directly, it could still fail, but I understand that we 
are moving to using 'augenrules' by
default.

Patch (against current head) is below.

Cheers,

..Carlos..

>From 4ccae6353500d3870d4da8905ed01d18d36b066a Mon Sep 17 00:00:00 2001
From: C de-Avillez <cadea...@microsoft.com>
Date: Fri, 10 Feb 2023 17:16:09 -0600
Subject: [PATCH] augenrules: make sure no lines in *.rules ends in CRLF,
 otherwise 'auditctl -R' will then fail to fully load the rules.

---
 init.d/augenrules | 1 +
 1 file changed, 1 insertion(+)

diff --git a/init.d/augenrules b/init.d/augenrules
index edb2199..f74c6e2 100644
--- a/init.d/augenrules
+++ b/init.d/augenrules
@@ -84,6 +84,7 @@ BEGIN   {
         minus_b = "";
         rest = 0;
 } {
+        sub(/\r$/, "");
         if (length($0) < 1) { next; }
         if (match($0, "^\\s*#")) { next; }
         if (match($0, "^\\s*-e")) { minus_e = $0; next; }
-- 
2.34.1



 
  

  
Carlos
  de Avillez 

  

 
 
  

  
Senior
  Escalation Engineer

  Microsoft Azure Technical Support

  Customer Service and Support 

  

  

  
Office: +1 (469) 7753777 

  
cadea...@microsoft.com 

  
Working
  hours: 10:00-19:00
  US Central Time 

  
Next days off during August 2020:  3, 10, 17, 24, 31 

  

  


 
If you need to work with another Support Engineer outside of my
working hours, please send email to azur...@microsoft.com with
your case number, and availability. 
We are always interested to hear your feedback. Please feel free
to reach my manager regarding the level of service you have received -  
spo...@microsoft.com

Microsoft
Azure | Azure
Status | Support
Plans | Create
a Case | Privacy
Policy 
 


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

Reply via email to