
duplicate audit rules #74

@jgbradley1


Problem

There are duplicate rules defined in the audit rules file. This causes issues when trying to reload the rules (using augenrules --load) or adding new rules.

After deploying the Azure STIG Template on an Ubuntu image, I get the following error message:

root@my-vm:/etc/audit# augenrules --load
/sbin/augenrules: No change
No rules
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 6
backlog_wait_time 0
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 1
backlog_wait_time 0
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0
Error sending add rule data request (Rule exists)
There was an error in line 123 of /etc/audit/audit.rules

Here are the full contents of /etc/audit/audit.rules with line numbers:

1 ## This file is automatically generated from /etc/audit/rules.d
2 -D
3 -b 8192
4 -f 1
5 --backlog_wait_time 0
6 -w /var/log/tallylog -p wa -k logins
7 -w /var/log/faillog -p wa -k logins
8 -w /var/log/lastlog -p wa -k logins
9 -w /var/log/sudo.log -p wa -k priv_actions
10 -w /var/log/wtmp -p wa -k logins
11 -w /var/run/utmp -p wa -k logins
12 -w /var/log/btmp -p wa -k logins
13 -w /etc/passwd -p wa -k usergroup_modification
14 -w /etc/group -p wa -k usergroup_modification
15 -w /etc/gshadow -p wa -k usergroup_modification
16 -w /etc/shadow -p wa -k usergroup_modification
17 -w /etc/security/opasswd -p wa -k usergroup_modification
18 -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change
19 -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn
20 -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount
21 -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-umount
22 -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
23 -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
24 -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
25 -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
26 -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
27 -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
28 -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
29 -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
30 -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
31 -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
32 -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
33 -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
34 -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
35 -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
36 -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
37 -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
38 -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
39 -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
40 -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
41 -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
42 -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
43 -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
44 -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
45 -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
46 -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
47 -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
48 -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng
49 -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng
50 -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=-1 -k perm_chng
51 -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=-1 -k perm_chng
52 -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_chng
53 -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_chng
54 -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=-1 -k perm_chng
55 -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=-1 -k perm_chng
56 -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=-1 -k perm_chng
57 -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=-1 -k perm_chng
58 -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_chng
59 -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_chng
60 -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
61 -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
62 -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
63 -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
64 -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
65 -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
66 -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
67 -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
68 -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
69 -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
70 -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
71 -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
72 -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
73 -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
74 -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
75 -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
76 -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
77 -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
78 -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
79 -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
80 -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
81 -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
82 -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd
83 -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update
84 -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd
85 -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage
86 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod
87 -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab
88 -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check
89 -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
90 -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
91 -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
92 -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
93 -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
94 -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
95 -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_chng
96 -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_chng
97 -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_chng
98 -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_chng
99 -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_chng
100 -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_chng
101 -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=-1 -k delete
102 -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=-1 -k delete
103 -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=-1 -k delete
104 -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=-1 -k delete
105 -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=-1 -k delete
106 -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=-1 -k delete
107 -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=-1 -k delete
108 -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=-1 -k delete
109 -a always,exit -F arch=b32 -S init_module -S finit_module -k modules
110 -a always,exit -F arch=b64 -S init_module -S finit_module -k modules
111 -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
112 -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
113 -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
114 -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
115 -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
116 -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
117 -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
118 -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
119 -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
120 -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
121 -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
122 -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
123 -a always,exit -F arch=b64 -S init_module -S finit_module -F key=modules
124 -a always,exit -F arch=b32 -S init_module -S finit_module -F key=modules
125 -a always,exit -F arch=b64 -S delete_module -F key=modules
126 -a always,exit -F arch=b32 -S delete_module -F key=modules
127 -w /sbin/modprobe -p x -k modules
128 -w /bin/kmod -p x -k module
129 -w /sbin/fdisk -p x -k fdisk

/etc/audit/audit.rules is generated from the file at /etc/audit/rules.d/audit.rules. Removing the following two rules from /etc/audit/rules.d/audit.rules appears to fix the problem:

-a always,exit -F arch=b64 -S delete_module -F key=modules
-a always,exit -F arch=b32 -S delete_module -F key=modules

This allows augenrules to then parse the rules file correctly.

root@my-vm:/etc/audit# augenrules --load
No rules
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 7
backlog_wait_time 0
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 1
backlog_wait_time 0
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0
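The "Rule exists" failure above comes from the kernel rejecting a rule it already holds, and auditctl treats `-k KEY` as shorthand for `-F key=KEY`, so a `-k modules` line and a `-F key=modules` line with the same arch and syscalls are the same rule (line 110 and line 123 of the file quoted in the issue). The following added example (not code from the issue or the Azure STIG template) canonicalises rule lines that way and reports duplicates with their line numbers; `SAMPLE_RULES` is a constructed excerpt of that file, and the `normalize`/`find_duplicates` helpers are this example's own.

```python
"""Flag audit rules the kernel would reject with "Rule exists".

Added example, not from the issue or the STIG template. ``-k KEY`` equals
``-F key=KEY``; -S order is irrelevant; -F/-C order is kept because the
kernel compares filters positionally. SAMPLE_RULES is a constructed excerpt.
"""
import shlex

SAMPLE_RULES = """\
## This file is automatically generated from /etc/audit/rules.d
-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
-a always,exit -F arch=b32 -S init_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S finit_module -F key=modules
-a always,exit -F arch=b32 -S init_module -S finit_module -F key=modules
-a always,exit -F arch=b64 -S delete_module -F key=modules
-w /sbin/modprobe -p x -k modules
"""


def normalize(rule):
    """Canonical, hashable form of one ``-a``/``-w`` rule line."""
    tokens = shlex.split(rule)
    syscalls, fields, other = [], [], []
    for opt, val in zip(tokens[0::2], tokens[1::2]):
        if opt == "-S":
            syscalls.append(val)
        elif opt in ("-F", "-C"):
            fields.append((opt, val))
        elif opt == "-k":                      # auditctl treats -k as -F key=
            fields.append(("-F", "key=" + val))
        else:                                  # -a action, -w path, -p perms
            other.append((opt, val))
    return (tuple(other), tuple(sorted(syscalls)), tuple(fields))


def find_duplicates(text):
    """Return [(dup_line, first_line, rule)] using 1-based line numbers."""
    seen, dups = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line.startswith(("-a ", "-w ")):  # skip comments, -D, -b, -f
            continue
        key = normalize(line)
        if key in seen:
            dups.append((lineno, seen[key], line))
        else:
            seen[key] = lineno
    return dups
```

Running `find_duplicates` over the concatenated contents of /etc/audit/rules.d/*.rules before calling `augenrules --load` reports the colliding lines up front instead of leaving the kernel to fail part-way through the load.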
