Old 07-14-2011, 01:09 PM   #1
pyroman59
Member
 
Registered: Jul 2005
Posts: 64

Rep: Reputation: 15
audit startup issue RHEL 5.3


Hi - I have an error on audit startup:
system# service auditd start
starting auditd: [FAILED]Error deleting rule (Operation not permitted)
There was an error in line 2 of /etc/audit/audit.rules

system# head -2 /etc/audit/audit.rules
##
-D
 
Old 07-16-2011, 04:56 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547
Does 'grep -v ^# /etc/audit/audit.rules|grep .|wc -l' nearly equal 'auditctl -l|wc -l'?
Does 'grep -- ^-e /etc/audit/audit.rules' show rule editing is deactivated?
Does 'auditctl -i -R /etc/audit/audit.rules' show rule loading works OK for the rest of the rule set?
And please post 'grep -v ^# /etc/audit/audit.rules|grep .;', preferably in BB code, instead.

Last edited by unSpawn; 07-16-2011 at 05:04 AM. Reason: //More *is* more.
 
Old 07-29-2011, 01:55 PM   #3
pyroman59
Member
 
Registered: Jul 2005
Posts: 64

Original Poster
Rep: Reputation: 15
audit startup problems

Hi unSpawn, thanks for responding -

Here you go:


Does 'grep -v ^# /etc/audit/audit.rules|grep .|wc -l' nearly equal 'auditctl -l|wc -l'?

64 vs 32

Does 'grep -- ^-e /etc/audit/audit.rules' show rule editing is deactivated?

-e 2

Does 'auditctl -i -R /etc/audit/audit.rules' show rule loading works OK for the rest of the rule set?

Error: nested rule files not supported

And please post 'grep -v ^# /etc/audit/audit.rules|grep .;', preferably in BB code, instead.

-D
-b 8192
-f 1
-f 2
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/selinux/ -p wa -k MAC-policy
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export)
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k actions
-e 2




pyroman59
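A script that runs the file-side checks unSpawn asked for in #2 against a rules file shaped like the one posted in #3, as an added example that is not part of the thread; the sample audit.rules is constructed inline and the function names are mine, and nothing here calls auditctl or touches the running configuration.

```shell
#!/bin/sh
# Added example, not from the thread: static checks on an audit.rules file that
# explain the symptoms above without touching the running audit configuration.
# The sample file is constructed here and mirrors the shape of the posted rules.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
## constructed sample
-D
-b 8192
-f 1
-f 2
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export)
-e 2
EOF

# Non-comment, non-blank lines: the file side of unSpawn's first comparison.
count_active_rules() { grep -v '^#' "$1" | grep -c . ; }

# Value of the last -e line; 2 means the kernel config is locked until reboot.
immutable_flag() { grep -- '^-e ' "$1" | awk '{print $2}' | tail -n 1 ; }

# Line number of the first -D (the line the error message points at), 0 if none.
delete_rule_line() {
    ln=$(grep -n -- '^-D' "$1" | head -n 1 | cut -d: -f1)
    echo "${ln:-0}"
}

# Rules whose -k key carries a character auditctl would not normally see, such
# as the stray ')' on the mount rule in the posted listing.
odd_keys() { grep -n -- '-k [A-Za-z0-9_-]*[^A-Za-z0-9_ -]' "$1" || : ; }

# Print findings; returns 1 when the file cannot be reloaded on a locked system.
check_rules() {
    f="$1"; status=0
    echo "active rule lines: $(count_active_rules "$f")"
    if [ "$(immutable_flag "$f")" = "2" ]; then
        echo "WARNING: '-e 2' at the end: after the first successful load the kernel"
        echo "rejects '-D' (line $(delete_rule_line "$f")) with EPERM until reboot"
        status=1
    fi
    dups=$(grep -c -- '^-f ' "$f" || :)
    [ "$dups" -gt 1 ] && echo "NOTE: $dups '-f' lines; only the last one takes effect"
    odd_keys "$f" | sed 's/^/odd key on line: /'
    return $status
}

check_rules "$SAMPLE_RULES" || echo "a 'service auditd restart' would fail at -D"
```

Point `check_rules` at the real /etc/audit/audit.rules to get the same report for a live file; the `-e 2` warning is the one that matches the "Error deleting rule (Operation not permitted)" on line 2.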