> On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > I got a minimal audit.rules file containing:
> >
> > # cat -n /etc/audit/audit.rules
> > 1 -D
> > 2
> > 3 -b 8192
> > 4
> > 5 -e 0
>
> Why are you ^^^ disabling the audit system? You may want to try commenting
> that out.
I tried to add that to make sure it was not preventing me from adding the
filters on msgtype. Normally I use `-e 1`.
>
> > 7 -a always,exclude -F msgtype=CWD
> > 8
> > 9 -w /etc/sysctl.conf -p wa -k sysctl
> >
> > When I restart auditd I get:
> >
> > # /etc/init.d/auditd restart
> > Restarting audit daemon: auditd Error sending add rule request
> > (Operation not supported)
> > There was an error in line 7 of /etc/audit/audit.rules
> > failed!
> >
> > Instructions like `-a always,exclude -F msgtype=CWD` seem to be very
> > popular in examples all over the internet. I don't understand why I get the
> > error.
> >
> > I use auditd `1:1.7.18-1.1` on Debian 7.
> >
> > What should I do to make this filter work?
>
> Support for msgtype on the exclude filter goes all the way back to 2005. So,
> it should work unless the kernel was built without audit full support. It
> might also be that if the audit system is disabled, it won't load rules. So,
> I'd try that. The code is very old and behaviors have changed over the years
> (both kernel and user space).
Thanks for the input on that. I will try to figure out how to determine
if it was built with audit full support. Any tips on how to achieve
that are welcome.
Here are the flags that I see in proc/config:
$ zgrep -i audi /proc/config.gz
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_KVM_MMU_AUDIT is not set
# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
At this point I am unsure if it's all needed to claim it was built
with audit full support. Anything else I should check?
On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset <vfiset(a)gmail.com> wrote:
--
/VF
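Two quick checks for the points raised in the reply, as an added example that is not part of the thread: whether the kernel config shows the syscall-auditing options that `-a`/`-w` rules depend on, and whether the rules file sends rules to an audit system it has just disabled with `-e 0`. The config and rules text below are constructed from what was posted; the "full"/"partial" labels are this script's own reading of "audit full support", not an official definition.

```shell
#!/bin/sh
# Added example, not from the thread. In practice feed audit_support_level the
# output of `zgrep -i audi /proc/config.gz` (or /boot/config-$(uname -r)) and
# rules_disable_before_add the contents of /etc/audit/audit.rules.

# Sample config text (the lines posted in the thread, abridged).
SAMPLE_CONFIG='CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
# CONFIG_KVM_MMU_AUDIT is not set'

# Constructed rules text mirroring the posted audit.rules (blank lines dropped).
SAMPLE_RULES='-D
-b 8192
-e 0
-a always,exclude -F msgtype=CWD
-w /etc/sysctl.conf -p wa -k sysctl'

# has_option NAME CONFIG_TEXT: succeeds when NAME=y appears as a whole line.
has_option() {
    printf '%s\n' "$2" | grep -qx "$1=y"
}

# audit_support_level CONFIG_TEXT: prints none, partial or full. CONFIG_AUDIT is
# only the audit core; syscall auditing (needed by -a rules) is built under
# CONFIG_AUDITSYSCALL, and -w file watches additionally need CONFIG_AUDIT_WATCH.
audit_support_level() {
    if ! has_option CONFIG_AUDIT "$1"; then
        echo none
    elif has_option CONFIG_AUDITSYSCALL "$1" && has_option CONFIG_AUDIT_WATCH "$1"; then
        echo full
    else
        echo partial
    fi
}

# rules_disable_before_add RULES_TEXT: succeeds when an `-e 0` line precedes any
# -a/-w rule, i.e. rules would be handed to a disabled audit system, which the
# reply suggests may stop them from loading.
rules_disable_before_add() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*-e[[:space:]]+0([[:space:]]|$)/ { disabled = 1 }
        /^[[:space:]]*-[aw][[:space:]]/ && disabled { found = 1 }
        END { exit found ? 0 : 1 }'
}

echo "kernel audit support: $(audit_support_level "$SAMPLE_CONFIG")"
rules_disable_before_add "$SAMPLE_RULES" && echo "audit.rules: -e 0 precedes rule lines; put -e 1 at the end instead"
```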