Re: small patch for issue with rules that have been (incorrecly) copied from Windows

Hello again, Just checking is there is interest in the below. Cheers, Carlos de Avillez Senior Escalation Engineer Microsoft Azure Technical Support Customer Service and Support Office: +1 (469) 7753777 cadeavil@microsoft.com<mailto:cadeavil@microsoft.com> Working hours: 10:00-19:00 US Central Time Next days off during August 2020: 3, 10, 17, 24, 31 If you need to work with another Support Engineer outside of my working hours, please send email to azurebu@microsoft.com<mailto:azurebu@microsoft.com> with your case number, and availability. We are always interested to hear your feedback. Please feel free to reach my manager regarding the level of service you have received - spogge@microsoft.com<mailto:spogge@microsoft.com> [X] Microsoft Azure<https://azure.microsoft.com/en-us/> | Azure Status<https://status.azure.com/en-us/status> | Support Plans<https://azure.microsoft.com/en-us/support/plans/> | Create a Case<https://azure.microsoft.com/en-us/support/create-ticket/> | Privacy Policy<https://privacy.microsoft.com/en-us/PrivacyStatement> ________________________________ From: Linux-audit <linux-audit-bounces(a)redhat.com&gt; on behalf of Carlos De Avillez <Carlos.DeAvillez(a)microsoft.com&gt; Sent: Friday, February 10, 2023 17:37 To: linux-audit(a)redhat.com <linux-audit(a)redhat.com&gt; Subject: [EXTERNAL] small patch for issue with rules that have been (incorrecly) copied from Windows Hello, We have had at least a few instances where customers configured audit rules on Windows, and then incorrectly moved the resulting '.rules' files to Linux. These files still had the Windows line terminator (CRLF). 'augenrules' read them without issues and generated the /etc/audit/audit.rules file. But on loading the new audit.rules, 'auditctl -R' will receive a bad return code, and stop loading the rules. The resulting error is a bit on the cryptic side, and our customers do not seem to catch it easily. The proposed fix is simple, and resolves the issue when using 'augenrules'. Of course, if someone generates /etc/audit/audit.rules directly, it could still fail, but I understand that we are moving to using 'augenrules' by default. Patch (against current head) is below. Cheers, ..Carlos.. From: C de-Avillez <cadeavil(a)microsoft.com&gt; Date: Fri, 10 Feb 2023 17:16:09 -0600 Subject: [PATCH] augenrules: make sure no lines in *.rules ends in CRLF, otherwise 'auditctl -R' will then fail to fully load the rules. --- init.d/augenrules | 1 + 1 file changed, 1 insertion(+) diff --git a/init.d/augenrules b/init.d/augenrules index edb2199..f74c6e2 100644 --- a/init.d/augenrules +++ b/init.d/augenrules @@ -84,6 +84,7 @@ BEGIN { minus_b = ""; rest = 0; } { + sub(/\r$/, ""); if (length($0) < 1) { next; } if (match($0, "^\\s*#")) { next; } if (match($0, "^\\s*-e")) { minus_e = $0; next; } -- 2.34.1 Carlos de Avillez Senior Escalation Engineer Microsoft Azure Technical Support Customer Service and Support Office: +1 (469) 7753777 cadeavil(a)microsoft.com Working hours: 10:00-19:00 US Central Time Next days off during August 2020: 3, 10, 17, 24, 31 If you need to work with another Support Engineer outside of my working hours, please send email to azurebu(a)microsoft.com with your case number, and availability. We are always interested to hear your feedback. Please feel free to reach my manager regarding the level of service you have received - spogge(a)microsoft.com Microsoft Azure | Azure Status | Support Plans | Create a Case | Privacy Policy -- Linux-audit mailing list Linux-audit(a)redhat.com https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flistman...