Hello again, Just checking is there is interest in the below.
Cheers, Carlos de Avillez Senior Escalation Engineer Microsoft Azure Technical Support Customer Service and Support Office: +1 (469) 7753777 [email protected]<mailto:[email protected]> Working hours: 10:00-19:00 US Central Time Next days off during August 2020: 3, 10, 17, 24, 31 If you need to work with another Support Engineer outside of my working hours, please send email to [email protected]<mailto:[email protected]> with your case number, and availability. We are always interested to hear your feedback. Please feel free to reach my manager regarding the level of service you have received - [email protected]<mailto:[email protected]> [X] Microsoft Azure<https://azure.microsoft.com/en-us/> | Azure Status<https://status.azure.com/en-us/status> | Support Plans<https://azure.microsoft.com/en-us/support/plans/> | Create a Case<https://azure.microsoft.com/en-us/support/create-ticket/> | Privacy Policy<https://privacy.microsoft.com/en-us/PrivacyStatement> ________________________________ From: Linux-audit <[email protected]> on behalf of Carlos De Avillez <[email protected]> Sent: Friday, February 10, 2023 17:37 To: [email protected] <[email protected]> Subject: [EXTERNAL] small patch for issue with rules that have been (incorrecly) copied from Windows Hello, We have had at least a few instances where customers configured audit rules on Windows, and then incorrectly moved the resulting '.rules' files to Linux. These files still had the Windows line terminator (CRLF). 'augenrules' read them without issues and generated the /etc/audit/audit.rules file. But on loading the new audit.rules, 'auditctl -R' will receive a bad return code, and stop loading the rules. The resulting error is a bit on the cryptic side, and our customers do not seem to catch it easily. The proposed fix is simple, and resolves the issue when using 'augenrules'. Of course, if someone generates /etc/audit/audit.rules directly, it could still fail, but I understand that we are moving to using 'augenrules' by default. Patch (against current head) is below. Cheers, ..Carlos.. >From 4ccae6353500d3870d4da8905ed01d18d36b066a Mon Sep 17 00:00:00 2001 From: C de-Avillez <[email protected]> Date: Fri, 10 Feb 2023 17:16:09 -0600 Subject: [PATCH] augenrules: make sure no lines in *.rules ends in CRLF, otherwise 'auditctl -R' will then fail to fully load the rules. --- init.d/augenrules | 1 + 1 file changed, 1 insertion(+) diff --git a/init.d/augenrules b/init.d/augenrules index edb2199..f74c6e2 100644 --- a/init.d/augenrules +++ b/init.d/augenrules @@ -84,6 +84,7 @@ BEGIN { minus_b = ""; rest = 0; } { + sub(/\r$/, ""); if (length($0) < 1) { next; } if (match($0, "^\\s*#")) { next; } if (match($0, "^\\s*-e")) { minus_e = $0; next; } -- 2.34.1 Carlos de Avillez Senior Escalation Engineer Microsoft Azure Technical Support Customer Service and Support Office: +1 (469) 7753777 [email protected] Working hours: 10:00-19:00 US Central Time Next days off during August 2020: 3, 10, 17, 24, 31 If you need to work with another Support Engineer outside of my working hours, please send email to [email protected] with your case number, and availability. We are always interested to hear your feedback. Please feel free to reach my manager regarding the level of service you have received - [email protected] Microsoft Azure | Azure Status | Support Plans | Create a Case | Privacy Policy -- Linux-audit mailing list [email protected] https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flistman.redhat.com%2Fmailman%2Flistinfo%2Flinux-audit&data=05%7C01%7Ccarlos.deavillez%40microsoft.com%7C0d78e8a8334d4fcc044e08db0d4b362c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638118388923975931%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=cKyVRKjwU5Rxd0xocsYa03Mjz39VYtmyWqsAjsgUipQ%3D&reserved=0<https://listman.redhat.com/mailman/listinfo/linux-audit>
-- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
