Discussion:
Problem with syntax?
warron.french
2017-11-10 18:32:34 UTC
Steve, can you help me with this please?
Somehow this slipped past our QA process, but I have an error popping up in
/var/log/boot.log indicating:

28 Starting auditd: ^[[60G[^[[0;32m OK ^[[0;39m]^M
29 Error sending add rule data request (Rule exists)
30 There was an error in line 65 of /etc/audit/audit.rules

Lines 28-30 are the only range of line numbers indicating a problem in the
boot.log.

I will post a copy of the /etc/audit/audit.rules (for my RHEL6 system)
below (with line numbers included for navigation):
1 # This file managed by puppet module: osconfig_eita_mgmt
2 # DO NOT ALTER outside of the Puppet Framework.
3 #
4 #
5 # First rule - delete all
6 -D
7 # Increase the buffers to survive stress events.
8 # Make this bigger for busy systems
9 -b 8192
10 # PANIC on audit failure
11 -f 2
12 #
13 # ACTION (-a) Rules
14 # Filters out noisy cron related messages
15 -a never,user -F subj_type=crond_t
16 #
17 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
18 -a always,exit -F arch=b32 -S adjtimex -S stime -S settimeofday -S clock_settime -k audit_time_rules
19 -a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod
20 -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
21 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid=0 -k perm_mod
22 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
23 -a always,exit -F arch=b32 -S chown -F auid=0 -k perm_mod
24 -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
25 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod
26 -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
27 -a always,exit -F arch=b32 -S clock_settime -k time-change
28 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
29 -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
30 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access
31 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
32 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
33 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
34 -a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod
35 -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
36 -a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod
37 -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
38 -a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod
39 -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
40 -a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod
41 -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
42 -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
43 -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
44 -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
45 -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
46 -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
47 -a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod
48 -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
49 -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
50 -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
51 -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
52 -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
53 -a always,exit -F arch=b32 -S mount -F auid=0 -k export
54 -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
55 -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
56 -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
57 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
58 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
59 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
60 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
61 -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
62 -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
63 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod
64 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
65 -a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

I noticed that lines 58 and 65 seem to be "duplicates" although the syntax
has some elements swapped.

So, what I don't understand is why is line #58 OK, if line #65 is not? Are
lines of "duplicate syntax" not legal?


Thanks in advance,
--------------------------
Warron French
Steve Grubb
2017-11-13 20:12:15 UTC
Post by warron.french
Steve, can you help me with this please?
Somehow this slipped past our QA process, but I have an error popping up in
28 Starting auditd: ^[[60G[^[[0;32m OK ^[[0;39m]^M
29 Error sending add rule data request (Rule exists)
30 There was an error in line 65 of /etc/audit/audit.rules
[...]
58 -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
[...]
65 -a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
I noticed that lines 58 and 65 seem to be "duplicates" although the syntax
has some elements swapped.
So, what I don't understand is why is line #58 OK, if line #65 is not?
Both have correct syntax.
Post by warron.french
Are lines of "duplicate syntax" not legal?
Nope. The kernel prevents multiple copies of the same rule. Even though the
syscalls are in a different order, fundamentally they are the same. The
syscalls get mapped into a bit mask and that is what is sent to the kernel.
So, the syscalls can be in complete reverse order but will result in the same
bit mask.

-Steve
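As an added example (not code from this thread, from the audit package, or from the Puppet module named in the file header), the following Python script is the pre-flight check QA could have run before this file shipped. It normalizes each -a/-A rule the way Steve describes the kernel doing it, treating the -S list as a set because order is lost in the bit mask, and reports the line pairs the kernel would reject with "Rule exists". Two details are this script's own assumptions rather than anything the thread states: -F fields are compared in the order written, and the -k key is part of the rule, so two rules that differ only in key are not duplicates. The embedded sample is constructed from file lines 57, 58 and 65 above plus one extra rule with a different key; the line numbers it reports are sample line numbers, not the original file's.

```python
"""Pre-flight duplicate check for an audit.rules file (added example).

Models the kernel's duplicate test as described in the thread: the -S
syscalls of a rule become a bit mask, so their order is irrelevant.
Assumptions of this checker, not statements from the thread: -F fields are
compared in written order and the -k key is part of the rule. Only -a/-A
syscall rules are checked; -w watches are ignored.
"""
import sys

# Constructed sample: file lines 57, 58 and 65 of the audit.rules quoted in
# the thread, preceded by its -D/-b/-f header lines, plus one extra rule
# (not from the thread) that differs only in key. Reported line numbers
# refer to this sample, not to the original file.
SAMPLE_RULES = """\
# First rule - delete all
-D
-b 8192
-f 2
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete_other
"""


def normalize(rule):
    """Canonical form of one -a/-A rule, or None for any other line.

    Returns (list/action pair, frozenset of syscalls, -F fields in written
    order, key). auditctl accepts "always,exit" and "exit,always" alike, so
    the pair is sorted; the syscalls go into a set, mirroring the bit mask.
    """
    tokens = rule.split()
    if len(tokens) < 2 or tokens[0] not in ("-a", "-A"):
        return None
    action = tuple(sorted(tokens[1].split(",")))
    syscalls, fields, key = set(), [], None
    i = 2
    while i < len(tokens):
        opt = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError("option %r lacks an argument in: %s" % (opt, rule))
        arg = tokens[i + 1]
        if opt == "-S":
            syscalls.update(arg.split(","))   # "-S a,b,c" is accepted too
        elif opt == "-F":
            fields.append(arg)
        elif opt == "-k":
            key = arg
        else:
            raise ValueError("unsupported option %r in: %s" % (opt, rule))
        i += 2
    return (action, frozenset(syscalls), tuple(fields), key)


def find_duplicates(text):
    """Return [(first_line, duplicate_line), ...] for rules the kernel would
    reject with "Rule exists". A -D line clears the table, since it deletes
    every rule loaded so far."""
    seen, dups = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "-D":
            seen.clear()
            continue
        canon = normalize(line)
        if canon is None:
            continue
        if canon in seen:
            dups.append((seen[canon], lineno))
        else:
            seen[canon] = lineno
    return dups


def check_file(path):
    """Convenience wrapper: duplicates in a rules file on disk."""
    with open(path) as fh:
        return find_duplicates(fh.read())


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    problems = find_duplicates(text)
    for first, dup in problems:
        print("line %d duplicates line %d (kernel would say: Rule exists)" % (dup, first))
    sys.exit(1 if problems else 0)
```

Run it against the Puppet-managed copy of /etc/audit/audit.rules before it is pushed; a non-zero exit is the QA gate. On the sample it reports that line 7 duplicates line 6, the same pair as 65 and 58 in the file above. After the fix, auditctl -l lists the rules the kernel actually holds, which is the authoritative check. Because line 65 is the last rule in this file, nothing after it was skipped; for a duplicate in the middle of a file, compare auditctl -l against the file to confirm that the rules after it were loaded.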
warron.french
2017-11-14 01:12:44 UTC
So, I wonder why I am having a problem on line #65 then. Or does the error
actually mean after line 65?

Thanks,

--------------------------
Warron French
Post by Steve Grubb
Post by warron.french
So, what I don't understand is why is line #58 OK, if line #65 is not?
Both have correct syntax.
Post by warron.french
Are lines of "duplicate syntax" not legal?
Nope. The kernel prevents multiple copies of the same rule. Even though the
syscalls are in a different order, fundamentally they are the same. The
syscalls get mapped into a bit mask and that is what is sent to the kernel.
So, the syscalls can be in complete reverse order but will result in the same
bit mask.
-Steve
Steve Grubb
2017-11-14 01:35:36 UTC
Post by warron.french
So, I wonder why I am having a problem on lone #65 then.
Because it's a duplicate of 58.
Post by warron.french
Or does the error actually mean after line 65?
Nope. It means 65. Just delete one or the other and you should be fine.

-Steve