When building a new RHEL v7.8 VM manually, I set up the rules desired in
/etc/audit/rules.d/audit.rules, no other changes (because I wanted to narrow down
the issue). After subsequent reboots, with no further changes to any audit rules either, I
monitor /var/log/messages and I see occurrences like this:
Sep 22 09:04:24 hostxyz augenrules: /sbin/augenrules: No change
Sep 22 09:04:24 hostxyz augenrules: No rules
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 1
Sep 22 09:04:24 hostxyz augenrules: pid 1242
Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 1
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 2
Sep 22 09:04:24 hostxyz augenrules: pid 1242
Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 0
Sep 22 09:04:24 hostxyz augenrules: usage: auditctl [options]
Sep 22 09:04:24 hostxyz augenrules: -a <l,a> Append rule to end of <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: -A <l,a> Add rule at beginning of <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: -b <backlog> Set max number of outstanding audit buffers
Sep 22 09:04:24 hostxyz augenrules: allowed Default=64
Sep 22 09:04:24 hostxyz augenrules: -c Continue through errors in rules
Sep 22 09:04:24 hostxyz augenrules: -C f=f Compare collected fields if available:
Sep 22 09:04:24 hostxyz augenrules: Field name, operator(=,!=), field name
Sep 22 09:04:24 hostxyz augenrules: -d <l,a> Delete rule from <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: l=task,exit,user,exclude
Sep 22 09:04:24 hostxyz augenrules: a=never,always
Sep 22 09:04:24 hostxyz augenrules: -D Delete all rules and watches
Sep 22 09:04:24 hostxyz augenrules: -e [0..2] Set enabled flag
Sep 22 09:04:24 hostxyz augenrules: -f [0..2] Set failure flag
Sep 22 09:04:24 hostxyz augenrules: 0=silent 1=printk 2=panic
Sep 22 09:04:24 hostxyz augenrules: -F f=v Build rule: field name, operator(=,!=,<,>,<=,
Sep 22 09:04:24 hostxyz augenrules: >=,&,&=) value
Sep 22 09:04:24 hostxyz augenrules: -h Help
Sep 22 09:04:24 hostxyz augenrules: -i Ignore errors when reading rules from file
Sep 22 09:04:24 hostxyz augenrules: -k <key> Set filter key on audit rule
Sep 22 09:04:24 hostxyz augenrules: -l List rules
Sep 22 09:04:24 hostxyz augenrules: -m text Send a user-space message
Sep 22 09:04:24 hostxyz augenrules: -p [r|w|x|a] Set permissions filter on watch
Sep 22 09:04:24 hostxyz augenrules: r=read, w=write, x=execute, a=attribute
Sep 22 09:04:24 hostxyz augenrules: -q <mount,subtree> make subtree part of mount point's dir watches
Sep 22 09:04:24 hostxyz augenrules: -r <rate> Set limit in messages/sec (0=none)
Sep 22 09:04:24 hostxyz augenrules: -R <file> read rules from file
Sep 22 09:04:24 hostxyz augenrules: -s Report status
Sep 22 09:04:24 hostxyz augenrules: -S syscall Build rule: syscall name or number
Sep 22 09:04:24 hostxyz augenrules: -t Trim directory watches
Sep 22 09:04:24 hostxyz augenrules: -v Version
Sep 22 09:04:24 hostxyz augenrules: -w <path> Insert watch at <path>
Sep 22 09:04:24 hostxyz augenrules: -W <path> Remove watch at <path>
Sep 22 09:04:24 hostxyz augenrules: --loginuid-immutable Make loginuids unchangeable once set
Sep 22 09:04:24 hostxyz augenrules: --reset-lost Reset the lost record counter
Sep 22 09:04:24 hostxyz systemd: Started Security Auditing Service.
The 'usage' of auditctl is invoked the one time in the 'try_load' function
of augenrules. Manual executions of "/sbin/auditctl -R /etc/audit/audit.rules"
result in essentially the same behavior on the terminal as found in /var/log/messages.
Should execution of augenrules seemingly error out on invocation of auditctl like this?
Thank you.
R,-Joe Wulf
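Since auditctl prints its usage text when it meets an option it does not know, a pre-flight lint of the merged rules file can point at the offending line before augenrules runs at boot. The script below is an added example, not part of the original post or of the audit project; the accepted option set is taken from the usage text quoted above (later audit releases accept more options, which would need appending), and the rules file is constructed here, not the poster's.

```sh
#!/bin/sh
# Added example: flag rule lines whose options auditctl (per the usage text
# quoted in the post) would not accept. A hit explains why augenrules' call to
# "auditctl -R" dumps the usage text into /var/log/messages.

# Constructed sample rules file (not the poster's); line 5 carries a typo (-key).
SAMPLE_RULES="$(mktemp)"
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
# constructed sample rules
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -key exec
-e 2
EOF

# lint_audit_rules FILE: prints "line N: unknown option X" for every token that
# looks like an option but is not in the set auditctl advertised; returns 1 if
# any were found. Caveat: a field value that itself starts with "-" would be
# reported too, so treat hits as candidates to inspect, not as proof.
lint_audit_rules() {
    awk '
    BEGIN {
        n = split("-a -A -b -c -C -d -D -e -f -F -h -i -k -l -m -p -q -r -R -s -S -t -v -w -W --loginuid-immutable --reset-lost", opts, " ")
        for (i = 1; i <= n; i++) known[opts[i]] = 1
        bad = 0
    }
    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines, as augenrules does
    {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^-/ && !($i in known)) {
                printf "line %d: unknown option %s\n", NR, $i
                bad = 1
            }
    }
    END { exit bad }
    ' "$1"
}

lint_audit_rules "$SAMPLE_RULES" \
    || echo "auditctl would reject this file; fix the lines above before augenrules runs"
```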