error in line 5 of /etc/audit/audit.rules RHEL5u3

abti · 04-06-2010, 01:51 PM

I'm receiving an error when trying to start/restart my auditd service. It was working until I made a few changes. I'm running RHEL5u3. Any suggestions? I've commented out line 5 and I still get the same error. I think it might be a bug, but don't really know for sure.

======
Starting auditd: [FAILED]
There was an error in line 5 of /etc/audit/audit.rules
=======

My /etc/audit/audit.rules
==========
# This is a sample rule set. The rules are executed from top
# to bottom. A '#' denotes comments. The rules are basically
# the auditctl commandline parameters.

# Remove existing rules
-D

# Enable auditing
-e 1

# Increase kernel buffer size
-b 8192

# Failure of auditd causes a kernel panic
-f 2

#
# Audit1: audit accesses to security relevant files
#

# watch passwd databases
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/group -p wa

# pam configuration
-w /etc/pam.d

# auditd configuration
#-w /etc/auditd.conf
#-w /etc/audit.rules

# watch utmp,wtmp
-w /var/run/utmp
-w /var/run/wtmp

# watch system log files
-w /var/log/messages
-w /var/log/audit/audit.log
-w /var/log/audit/audit[1-4].log

# watch audit subsystem's configuration files
-w /etc/auditd.conf -p wa
-w /etc/audit.rules -p wa

# SELinux configuration
-w /etc/selinux/config -p wa

# login records
-w /var/log/lastlog
-w /var/log/faillog

# login configuration
-w /etc/login.defs

# init configuration
-w /etc/rc.d/init.d
-w /etc/inittab -p wa

# sshd configuration
-w /etc/ssh/sshd_config

# audit creating new directories
-a exit,always -S mkdir -F auid!=0

# audit chmod,chown for non-root users
-a exit,always -S chmod -S fchmod -F auid!=0
-a exit,always -S chown -S fchown -S lchown -F auid!=0

# changes to security labels
-a exit,always -S setxattr -S lsetxattr -S fsetxattr
-a exit,always -S removexattr -S lremovexattr -S fremovexattr

unSpawn · 04-06-2010, 05:42 PM

Quote:

Originally Posted by abti

It was working until I made a few changes.

If this is a production system then I recommend using configuration file versioning. By using that or listing exact changes in the admin log or diffing against backups making changes makes sense. So. Do you have any backups to verify against?

Quote:

Originally Posted by abti

I've commented out line 5 and I still get the same error.

Depending on how Auditd reads its config that'll be line "-w /etc/passwd -p wa" or "#-w /etc/auditd.conf". If it is the latter then isn't auditd.conf supposed to reside in /etc/audit/? Else would using '-a exit,always -F path=/etc/audit/audit.conf -F perm=wa' work? Note you don't have to edit /etc/audit/audit.rules directly as you can test rules with 'auditctl'.