So, I wonder why I am having a problem on line #65 then. Or does the error
actually mean after line 65?
Thanks,
--------------------------
Warron French
On Mon, Nov 13, 2017 at 3:12 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Friday, November 10, 2017 1:32:34 PM EST warron.french wrote:
> Steve, can you help me with this please?
> Somehow this slipped past our QA process, but I have an error popping up in
> /var/log/boot.log indicating:
>
> 28 Starting auditd: ^[[60G[^[[0;32m OK ^[[0;39m]^M
> 29 Error sending add rule data request (Rule exists)
> 30 There was an error in line 65 of /etc/audit/audit.rules
>
> Lines 28-30 are the only range of line numbers indicating a problem in the
> boot.log.
>
> I will post a copy of the /etc/audit/audit.rules (for my RHEL6 system)
> below (with line numbers included for navigation):
> 1 # This file managed by puppet module: osconfig_eita_mgmt
> 2 # DO NOT ALTER outside of the Puppet Framework.
> 3 #
> 4 #
> 5 # First rule - delete all
> 6 -D
> 7 # Increase the buffers to survive stress events.
> 8 # Make this bigger for busy systems
> 9 -b 8192
> 10 # PANIC on audit failure
> 11 -f 2
> 12 #
> 13 # ACTION (-a) Rules
> 14 # Filters out noisy cron related messages
> 15 -a never,user -F subj_type=crond_t
> 16 #
> 17 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
> 18 -a always,exit -F arch=b32 -S adjtimex -S stime -S settimeofday -S clock_settime -k audit_time_rules
> 19 -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
> 20 -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
> 21 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid=0 -k perm_mod
> 22 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
> 23 -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
> 24 -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
> 25 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod
> 26 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> 27 -a always,exit -F arch=b32 -S clock_settime -k time-change
> 28 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
> 29 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
> 30 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access
> 31 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
> 32 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
> 33 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
> 34 -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
> 35 -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
> 36 -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
> 37 -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
> 38 -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
> 39 -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
> 40 -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
> 41 -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> 42 -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
> 43 -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 44 -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
> 45 -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 46 -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
> 47 -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
> 48 -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
> 49 -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
> 50 -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 51 -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
> 52 -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 53 -a always,exit -F arch=b32 -S mount -F auid=0 -k export
> 54 -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
> 55 -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
> 56 -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 57 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
> 58 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
> 59 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
> 60 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
> 61 -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
> 62 -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 63 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod
> 64 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
> 65 -a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
>
> I noticed that lines 58 and 65 seem to be "duplicates" although the syntax
> has some elements swapped.
>
> So, what I don't understand is why is line #58 OK, if line #65 is not? Both have correct syntax.
> Are lines of "duplicate syntax" not legal?
Nope. The kernel prevents multiple copies of the same rule. Even though the
syscalls are in a different order, fundamentally they are the same. The
syscalls get mapped into a bit mask and that is what is sent to the kernel.
So, the syscalls can be in complete reverse order but will result in the same
bit mask.
-Steve
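The check below is an added example, not code from the thread or from the audit project. It models what Steve describes: the `-S` syscall names of a `-a` rule end up as bits in one mask, so two rules that list the same syscalls in a different order are the same rule to the kernel. Running this over an audit.rules file before deploying it catches the "Rule exists" failure in QA instead of in boot.log. The assumption is that the action/list pair, the `-F` fields (in the order given), and the `-k` key are also part of what makes two rules identical; the kernel's exact comparison may differ in corner cases, so treat the result as a lint, not as proof. The sample rules are constructed, modelled on lines 57, 58 and 65 of the quoted file.

```python
"""Lint an audit.rules file for syscall rules the kernel would reject as
duplicates ("Error sending add rule data request (Rule exists)").

Added example, not part of the audit project.  It canonicalises each -a
rule the way the thread describes: the -S list becomes an order-free set
(the kernel sees a bit mask), so a reordered copy of an earlier rule is
reported as a duplicate.
"""
import shlex


def parse_rule(line):
    """Return a canonical signature for one -a/-A rule, or None for
    comments, blanks and non-syscall directives (-D, -b, -f, -w, ...).

    Signature: (action/list pair, syscall set, -F fields in order, key).
    The treatment of fields and key as part of the identity is an
    assumption about the kernel's comparison, not something the thread
    states.
    """
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] not in ("-a", "-A"):
        return None
    # auditctl accepts both "always,exit" and "exit,always".
    action_list = frozenset(tokens[1].split(","))
    syscalls = set()
    fields = []
    key = None
    i = 2
    while i < len(tokens):
        opt = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError("option %s is missing its argument: %s" % (opt, line))
        arg = tokens[i + 1]
        if opt == "-S":
            # -S may be repeated or take a comma-separated list; every
            # name becomes a bit in the same mask, so order is irrelevant.
            syscalls.update(arg.split(","))
        elif opt == "-k":
            key = arg
        elif opt == "-F" and arg.startswith("key="):
            # -F key=foo is the long spelling of -k foo.
            key = arg[len("key="):]
        else:
            # -F filters (and any other option) are kept positionally.
            fields.append("%s %s" % (opt, arg))
        i += 2
    return (action_list, frozenset(syscalls), tuple(fields), key)


def find_duplicate_rules(text):
    """Scan the body of an audit.rules file.  Returns a list of
    (duplicate_line_no, original_line_no) pairs, 1-based, in file order."""
    seen = {}
    duplicates = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        sig = parse_rule(line)
        if sig is None:
            continue
        if sig in seen:
            duplicates.append((line_no, seen[sig]))
        else:
            seen[sig] = line_no
    return duplicates


# Constructed sample, modelled on the file quoted in the thread.  Line 7
# is line 5 with the syscalls reordered; line 8 is line 6 with the
# action/list pair swapped; line 9 differs in arch and is not a duplicate.
SAMPLE_RULES = """\
# constructed sample rules
-D
-b 8192
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a exit,always -F arch=b32 -S chmod -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod
"""

if __name__ == "__main__":
    for dup, orig in find_duplicate_rules(SAMPLE_RULES):
        print("line %d duplicates line %d (kernel would report: Rule exists)" % (dup, orig))
```

To lint a real file, replace `SAMPLE_RULES` with the contents of `/etc/audit/audit.rules`; a duplicate report on a Puppet-managed file like the one in the thread points at the template that concatenated two rule sources.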