Re: operation not supported on filtering

2018-12-04 Thread Vincent Fiset
> So...your kernel is not supporting this. You'd need to dig through the kernel source to find this. I don't think I can help much past this point as I'm not familiar with the Debian kernels.

Thanks for the confirmation, you helped me a lot.

On Tue, Dec 4, 2018 at 11:09 AM Steve Grubb wrote:
> >

Re: operation not supported on filtering

2018-12-04 Thread Steve Grubb
On Tuesday, December 4, 2018 10:15:47 AM EST Vincent Fiset wrote:
> > strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1
>
> Unfortunately I already tried that before, strace was not revealing
> anything obvious (for me at least)

There's info in there.

> sendto(4,
>

Re: operation not supported on filtering

2018-12-04 Thread Vincent Fiset
> > here are the flags that I see in proc/config:
> >
> > $ zgrep -i audi /proc/config.gz
> > CONFIG_AUDIT_ARCH=y
> > CONFIG_AUDIT=y
> > CONFIG_HAVE_ARCH_AUDITSYSCALL=y
> > CONFIG_AUDITSYSCALL=y
> > CONFIG_AUDIT_WATCH=y
> > CONFIG_AUDIT_TREE=y
> > CONFIG_NETFILTER_XT_TARGET_AUDIT=m
> >

Re: operation not supported on filtering

2018-12-04 Thread Steve Grubb
On Tuesday, December 4, 2018 9:26:29 AM EST Vincent Fiset wrote:
> here are the flags that I see in proc/config:
>
> $ zgrep -i audi /proc/config.gz
> CONFIG_AUDIT_ARCH=y
> CONFIG_AUDIT=y
> CONFIG_HAVE_ARCH_AUDITSYSCALL=y
> CONFIG_AUDITSYSCALL=y
> CONFIG_AUDIT_WATCH=y
> CONFIG_AUDIT_TREE=y
>

Re: operation not supported on filtering

2018-12-04 Thread Vincent Fiset
$ zgrep -i audi /proc/config.gz
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_KVM_MMU_AUDIT is not set
#

Re: operation not supported on filtering

2018-12-03 Thread Vincent Fiset
> On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > I got a minimal audit.rules file containing:
> >
> > # cat -n /etc/audit/audit.rules
> > 1 -D
> > 2
> > 3 -b 8192
> > 4
> > 5 -e 0
>
> Why are you ^^^ disabling the audit system? You may want to try

Re: operation not supported on filtering

2018-12-03 Thread Steve Grubb
On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> I got a minimal audit.rules file containing:
>
> # cat -n /etc/audit/audit.rules
> 1 -D
> 2
> 3 -b 8192
> 4
> 5 -e 0

Why are you ^^^ disabling the audit system? You may want to try commenting that out.