AE> Is there any reason why (...) auditctl -R doesn't print errors to stdout when rules parsing errors occur?
SG> If it's detected that the rules are in a file, they get sent to syslog because
> 99.99% of the time, this is system boot or initscripts and we need to make
> the problem discoverable later by the system admin.
I assume you meant "if it's detected that there are errors in the rules in a rules file".
IMHO the stream to which errors are output (syslog or stdout) should be configurable,
as it is *very* confusing to run auditctl -R manually and get no errors when there is an
error in rules parsing. It forces the user to always run "auditctl -R" and "auditctl -l" to check
if the rules are indeed active, which is not intuitive at all. Regarding the initscript use case,
I think it's also very common to use "auditctl -R" while creating new audit rules.
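The manual check the thread describes (load the file, then look at syslog and at "auditctl -l" to find out whether anything went wrong) as a small shell wrapper. This is an added example, not code from the audit project or from either poster. The journalctl identifier "auditctl", the error message pattern it greps for, and counting only "-a"/"-w" lines as rules are assumptions made for illustration; the decision logic is kept in a function that takes the counts and log text as arguments, so it can be exercised without auditd.

```shell
#!/bin/sh
# Added example: load an audit rules file and verify the result, since
# auditctl -R reports parse errors to syslog (not stdout) when reading a file.

# Count rule lines in a rules file. Assumption: only -a/-w lines are rules;
# -D, -b, -f, comments and blank lines are control lines and are skipped.
count_file_rules() {
    grep -cE '^[[:space:]]*-(a|w)[[:space:]]' "$1"
}

# Count rules in "auditctl -l" output read from stdin (same -a/-w assumption).
count_active_rules() {
    grep -cE '^-(a|w)[[:space:]]'
}

# Pure decision step. $1 = rules in the file, $2 = rules active after the
# load, $3 = log text captured around the load. Prints ok / partial / error
# and returns 0 / 1 / 2. The message pattern is an assumption about what
# auditctl logs on a parse or load failure.
classify_load() {
    if printf '%s\n' "$3" | grep -qiE 'error in line|Error (sending|adding)'; then
        echo error
        return 2
    fi
    if [ "$2" -lt "$1" ]; then
        echo partial
        return 1
    fi
    echo ok
    return 0
}

# The live wrapper: needs root and a running auditd. Assumes syslog is read
# via journalctl and that auditctl logs under the identifier "auditctl".
load_and_verify() {
    file=$1
    since=$(date '+%Y-%m-%d %H:%M:%S')
    auditctl -R "$file" >/dev/null 2>&1
    log=$(journalctl -t auditctl --since "$since" --no-pager 2>/dev/null)
    want=$(count_file_rules "$file")
    have=$(auditctl -l 2>/dev/null | count_active_rules)
    classify_load "$want" "$have" "$log"
}
```

Run it as "load_and_verify /etc/audit/rules.d/local.rules" after sourcing the file; a non-zero exit means the loaded rule set does not match the file and the captured log lines show why, which is the feedback "auditctl -R" alone does not give on the terminal.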