Re: operation not supported on filtering
> So...your kernel is not supporting this. You'd need to dig through the kernel source to find this. I don't think I can help much past this point as I'm not familiar with the Debian kernels. Thanks for the confirmation you helped me a lot On Tue, Dec 4, 2018 at 11:09 AM Steve Grubb wrote: > > On Tuesday, December 4, 2018 10:15:47 AM EST Vincent Fiset wrote: > > > strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1 > > > > Unfortunately I already tried that before, strace was not revealing > > anything obvious (for me at least) > > There's info in there. > > > sendto(4, > > "\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\1\0\0\0\377\377\377\3 > > 77"..., 796, 0, {sa_family=AF_NETLINK, pid=0, groups=}, 12) = 796 > > poll([{fd=4, events=POLLIN}], 1, 500) = 1 ([{fd=4, revents=POLLIN}]) > > recvfrom(4, > > "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0 > > \0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, > > groups=}, [12]) = 816 > > recvfrom(4, > > "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0 > > \0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=}, > > This ^^^ is the part to interpret: > > 0\3\0\0\ - length > 2\0 - msg type NLMSG_ERROR > \0\0 - flags > \2\0\0\0 - seq number > \355h\0\0\0 - pid > \241\377\377\377 - errno EOPNOTSUPP > > So...your kernel is not supporting this. You'd need to dig through the kernel > source to find this. I don't think I can help much past this point as I'm not > familiar with the Debian kernels. > > -Steve > > -- /VF -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: operation not supported on filtering
On Tuesday, December 4, 2018 10:15:47 AM EST Vincent Fiset wrote: > > strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1 > > Unfortunately I already tried that before, strace was not revealing > anything obvious (for me at least) There's info in there. > sendto(4, > "\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\1\0\0\0\377\377\377\3 > 77"..., 796, 0, {sa_family=AF_NETLINK, pid=0, groups=}, 12) = 796 > poll([{fd=4, events=POLLIN}], 1, 500) = 1 ([{fd=4, revents=POLLIN}]) > recvfrom(4, > "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0 > \0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, > groups=}, [12]) = 816 > recvfrom(4, > "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0 > \0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=}, This ^^^ is the part to interpret: 0\3\0\0\ - length 2\0 - msg type NLMSG_ERROR \0\0 - flags \2\0\0\0 - seq number \355h\0\0\0 - pid \241\377\377\377 - errno EOPNOTSUPP So...your kernel is not supporting this. You'd need to dig through the kernel source to find this. I don't think I can help much past this point as I'm not familiar with the Debian kernels. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: operation not supported on filtering
> > here are the flags that I see in proc/config: > > > > $ zgrep -i audi /proc/config.gz > > CONFIG_AUDIT_ARCH=y > > CONFIG_AUDIT=y > > CONFIG_HAVE_ARCH_AUDITSYSCALL=y > > CONFIG_AUDITSYSCALL=y > > CONFIG_AUDIT_WATCH=y > > CONFIG_AUDIT_TREE=y > > CONFIG_NETFILTER_XT_TARGET_AUDIT=m > > CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 > > # CONFIG_KVM_MMU_AUDIT is not set > > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set > > > > At this point I am unsure if it's all needed to claim it was built > > with audit full support. Anything else I should check? > > Offhand that looks like all the settings. If you modify line 5 to enable the > audit system and then comment out the rule at line 7, does it work when you > restart? > > If that works, then you might want to strace loading that rule by command > line. > > strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1 Unfortunately I already tried that before, strace was not revealing anything obvious (for me at least) here is the output if ever you see something: $ cat -n /etc/audit/audit.rules 1 -D 2 3 -b 8192 4 5 #-e 1 6 7 #-a exclude,never -F msgtype=CWD 8 9 -w /etc/sysctl.conf -p wa -k sysctl $ /etc/init.d/auditd restart Restarting audit daemon: auditd. $ auditctl -l LIST_RULES: exit,always watch=/etc/sysctl.conf perm=wa key=sysctl $ strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1 $ cat log execve("/sbin/auditctl", ["/sbin/auditctl", "-a", "always,exclude", "-F", "msgtype=CWD"], [/* 19 vars */]) = 0 brk(0) = 0x226b000 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9339141000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=18800, ...}) = 0 mmap(NULL, 18800, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f933913c000 close(3)= 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\\\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=131107, ...}) = 0 mmap(NULL, 2208672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9338d08000 mprotect(0x7f9338d1f000, 2093056, PROT_NONE) = 0 mmap(0x7f9338f1e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f9338f1e000 mmap(0x7f9338f2, 13216, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9338f2 close(3)= 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\357\1\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1607696, ...}) = 0 mmap(NULL, 3721272, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f933897b000 mprotect(0x7f9338aff000, 2093056, PROT_NONE) = 0 mmap(0x7f9338cfe000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x183000) = 0x7f9338cfe000 mmap(0x7f9338d03000, 18488, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9338d03000 close(3)= 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f933913b000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f933913a000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9339139000 arch_prctl(ARCH_SET_FS, 0x7f933913a700) = 0 mprotect(0x7f9338cfe000, 16384, PROT_READ) = 0 mprotect(0x7f9338f1e000, 4096, PROT_READ) = 0 mprotect(0x7f9339143000, 4096, PROT_READ) = 0 munmap(0x7f933913c000, 18800) = 0 set_tid_address(0x7f933913a9d0) = 26861 set_robust_list(0x7f933913a9e0, 0x18) = 0 futex(0x7ffe952c57fc, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, 7f933913a700) = -1 EAGAIN (Resource temporarily unavailable) rt_sigaction(SIGRTMIN, {0x7f9338d0dad0, [], SA_RESTORER|SA_SIGINFO, 0x7f9338d170a0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {0x7f9338d0db60, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f9338d170a0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=8192*1024}) = 0 getuid()= 0 socket(PF_NETLINK, SOCK_RAW, 9) = 3 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 brk(0) = 0x226b000 brk(0x228c000) = 0x228c000 socket(PF_NETLINK, SOCK_RAW, 9) = 4 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 sendto(4, "\20\0\0\0\350\3\5\0\1\0\0\0\0\0\0\0", 16, 0, {sa_family=AF_NETLINK, pid=0, groups=}, 12) = 16 poll([{fd=4, events=POLLIN}], 1, 500) =
Re: operation not supported on filtering
On Tuesday, December 4, 2018 9:26:29 AM EST Vincent Fiset wrote: > here are the flags that I see in proc/config: > > $ zgrep -i audi /proc/config.gz > CONFIG_AUDIT_ARCH=y > CONFIG_AUDIT=y > CONFIG_HAVE_ARCH_AUDITSYSCALL=y > CONFIG_AUDITSYSCALL=y > CONFIG_AUDIT_WATCH=y > CONFIG_AUDIT_TREE=y > CONFIG_NETFILTER_XT_TARGET_AUDIT=m > CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 > # CONFIG_KVM_MMU_AUDIT is not set > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set > > At this point I am unsure if it's all needed to claim it was built > with audit full support. Anything else I should check? Offhand that looks like all the settings. If you modify line 5 to enable the audit system and then comment out the rule at line 7, does it work when you restart? If that works, then you might want to strace loading that rule by command line. strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1 -Steve > On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset wrote: > > > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote: > > > > I got a minimal audit.rules file containing: > > > > # cat -n /etc/audit/audit.rules > > > > 1 -D > > > > 2 > > > > 3 -b 8192 > > > > 4 > > > > 5 -e 0 > > > > > > Why are you ^^^ disabling the audit system? You may want to try > > > commenting > > > that out. > > > > I tired to add that to make sure it was not preventing me to add the > > filters on msgtype. Normally I use `-e 1` > > > > > > 7 -a always,exclude -F msgtype=CWD > > > > 8 > > > > 9 -w /etc/sysctl.conf -p wa -k sysctl > > > > > > > > When I restart auditd I get: > > > > # /etc/init.d/auditd restart > > > > Restarting audit daemon: auditd Error sending add rule request > > > > > > > > (Operation not supported) > > > > > > > > There was an error in line 7 of /etc/audit/audit.rules > > > > > > > > failed! > > > > > > > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very > > > > popular in example all over the internet. I don't understand why I > > > > get the > > > > error. > > > > > > > > I use auditd `1:1.7.18-1.1` on debian 7 > > > > > > > > What should I do to make this filter work? > > > > > > Support for msgtype on the exclude filter goes all the way back to > > > 2005. So, it should work unless the kernel was built without audit > > > full support. It might also be that if the audit system is disabled, > > > it won't load rules. So, I'd try that. The code is very old and > > > behaviors have changed over the years (both kernel and user space). > > > > Thanks for the input on that I will try to figure out how to determine > > if it was built with audit full support. Any tips on how to achieve > > that are welcome. -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: operation not supported on filtering
$ zgrep -i audi /proc/config.gz CONFIG_AUDIT_ARCH=y CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y CONFIG_AUDITSYSCALL=y CONFIG_AUDIT_WATCH=y CONFIG_AUDIT_TREE=y CONFIG_NETFILTER_XT_TARGET_AUDIT=m CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 # CONFIG_KVM_MMU_AUDIT is not set # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set > > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote: > > > I got a minimal audit.rules file containing: > > > > > > # cat -n /etc/audit/audit.rules > > > 1 -D > > > 2 > > > 3 -b 8192 > > > 4 > > > 5 -e 0 > > > > Why are you ^^^ disabling the audit system? You may want to try commenting > > that out. > > I tired to add that to make sure it was not preventing me to add the > filters on msgtype. Normally I use `-e 1` > > > > > > 7 -a always,exclude -F msgtype=CWD > > > 8 > > > 9 -w /etc/sysctl.conf -p wa -k sysctl > > > > > > When I restart auditd I get: > > > > > > # /etc/init.d/auditd restart > > > Restarting audit daemon: auditd Error sending add rule request > > > (Operation not supported) > > > There was an error in line 7 of /etc/audit/audit.rules > > > failed! > > > > > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very > > > popular in example all over the internet. I don't understand why I get the > > > error. > > > > > > I use auditd `1:1.7.18-1.1` on debian 7 > > > > > > What should I do to make this filter work? > > > > Support for msgtype on the exclude filter goes all the way back to 2005. So, > > it should work unless the kernel was built without audit full support. It > > might also be that if the audit system is disabled, it won't load rules. So, > > I'd try that. The code is very old and behaviors have changed over the years > > (both kernel and user space). > > Thanks for the input on that I will try to figure out how to determine > if it was built with audit full support. Any tips on how to achieve > that are welcome. here are the flags that I see in proc/config: $ zgrep -i audi /proc/config.gz CONFIG_AUDIT_ARCH=y CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y CONFIG_AUDITSYSCALL=y CONFIG_AUDIT_WATCH=y CONFIG_AUDIT_TREE=y CONFIG_NETFILTER_XT_TARGET_AUDIT=m CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 # CONFIG_KVM_MMU_AUDIT is not set # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set At this point I am unsure if it's all needed to claim it was built with audit full support. Anything else I should check? On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset wrote: > > > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote: > > > I got a minimal audit.rules file containing: > > > > > > # cat -n /etc/audit/audit.rules > > > 1 -D > > > 2 > > > 3 -b 8192 > > > 4 > > > 5 -e 0 > > > > Why are you ^^^ disabling the audit system? You may want to try commenting > > that out. > > I tired to add that to make sure it was not preventing me to add the > filters on msgtype. Normally I use `-e 1` > > > > > > 7 -a always,exclude -F msgtype=CWD > > > 8 > > > 9 -w /etc/sysctl.conf -p wa -k sysctl > > > > > > When I restart auditd I get: > > > > > > # /etc/init.d/auditd restart > > > Restarting audit daemon: auditd Error sending add rule request > > > (Operation not supported) > > > There was an error in line 7 of /etc/audit/audit.rules > > > failed! > > > > > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very > > > popular in example all over the internet. I don't understand why I get the > > > error. > > > > > > I use auditd `1:1.7.18-1.1` on debian 7 > > > > > > What should I do to make this filter work? > > > > Support for msgtype on the exclude filter goes all the way back to 2005. So, > > it should work unless the kernel was built without audit full support. It > > might also be that if the audit system is disabled, it won't load rules. So, > > I'd try that. The code is very old and behaviors have changed over the years > > (both kernel and user space). > > Thanks for the input on that I will try to figure out how to determine > if it was built with audit full support. Any tips on how to achieve > that are welcome. -- /VF -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: operation not supported on filtering
> On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote: > > I got a minimal audit.rules file containing: > > > > # cat -n /etc/audit/audit.rules > > 1 -D > > 2 > > 3 -b 8192 > > 4 > > 5 -e 0 > > Why are you ^^^ disabling the audit system? You may want to try commenting > that out. I tired to add that to make sure it was not preventing me to add the filters on msgtype. Normally I use `-e 1` > > > 7 -a always,exclude -F msgtype=CWD > > 8 > > 9 -w /etc/sysctl.conf -p wa -k sysctl > > > > When I restart auditd I get: > > > > # /etc/init.d/auditd restart > > Restarting audit daemon: auditd Error sending add rule request > > (Operation not supported) > > There was an error in line 7 of /etc/audit/audit.rules > > failed! > > > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very > > popular in example all over the internet. I don't understand why I get the > > error. > > > > I use auditd `1:1.7.18-1.1` on debian 7 > > > > What should I do to make this filter work? > > Support for msgtype on the exclude filter goes all the way back to 2005. So, > it should work unless the kernel was built without audit full support. It > might also be that if the audit system is disabled, it won't load rules. So, > I'd try that. The code is very old and behaviors have changed over the years > (both kernel and user space). Thanks for the input on that I will try to figure out how to determine if it was built with audit full support. Any tips on how to achieve that are welcome. -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: operation not supported on filtering
On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote: > I got a minimal audit.rules file containing: > > # cat -n /etc/audit/audit.rules > 1 -D > 2 > 3 -b 8192 > 4 > 5 -e 0 Why are you ^^^ disabling the audit system? You may want to try commenting that out. > 7 -a always,exclude -F msgtype=CWD > 8 > 9 -w /etc/sysctl.conf -p wa -k sysctl > > When I restart auditd I get: > > # /etc/init.d/auditd restart > Restarting audit daemon: auditd Error sending add rule request > (Operation not supported) > There was an error in line 7 of /etc/audit/audit.rules > failed! > > instructions like `-a always,exclude -F msgtype=CWD` seems to be very > popular in example all over the internet. I don't understand why I get the > error. > > I use auditd `1:1.7.18-1.1` on debian 7 > > What should I do to make this filter work? Support for msgtype on the exclude filter goes all the way back to 2005. So, it should work unless the kernel was built without audit full support. It might also be that if the audit system is disabled, it won't load rules. So, I'd try that. The code is very old and behaviors have changed over the years (both kernel and user space). -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit