auditctl does not accept even its own example usage
Description:
Trying to add any audit rule with audit package 4.0.2-1 seems to always fail.
This is from the EXAMPLES section of the auditctl manpage:
# auditctl -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa
path can only be used with exit filter list
There was an error while processing parameters
This is from the Arch Wiki:
# auditctl -A exclude,always -F exe=/usr/bin/sudo
Add rule - bad keyword exclude,always
There was an error while processing parameters
There is no difference between CLI invocation and loading the rules from /etc/audit/rules.d files through augenrules --load.
Downgrading just one version back (4.0.1-3) works without any errors with the same rules/invocation.
Building the project from the upstream repo (tag v4.0.2) with their configure flags, then running just the newly built 4.0.2 auditctl
with the above rules works without a problem.
Additional info:
- package version(s): 4.0.2-1
- link to upstream bug report, if any: --
- config and/or log files: at the end
Steps to reproduce:
- Update to get audit package 4.0.2-1, with the configs as provided by the package, no custom rules in rules.d/
- Try to add any rule, for example:
auditctl -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa
or any other rule from the quiet.rules example on the Arch Wiki.
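Because the failure only shows up once the rules reach auditctl, it helps to have an independent way to tell a genuine syntax error in a rules.d file apart from this regression. The script below is an added example, not part of this bug report or of the audit project: it re-implements in pure Python the two parameter checks behind the error messages quoted above (the keyword after -a/-A must pair exactly one filter list with one action, in either order, and path/dir fields are only valid on the exit list), plus the perm/-p permission string, and deliberately checks nothing else. The rules file it runs on is constructed for the example, and the list/action keyword sets are the ones from the auditctl man page as I know it, so treat them as an assumption if your version knows more lists.

```python
"""Lint audit rules before handing them to augenrules/auditctl.

Added example, not auditctl's own code. It mirrors two of auditctl's parameter
checks so a rules.d file can be pre-checked without root and without the audit
tooling installed. Everything else auditctl validates (field names, arch
values, syscall names, ...) is intentionally out of scope.
"""
import re
import shlex

# Filter lists and actions accepted by -a/-A (assumption: taken from the
# auditctl man page; newer releases add lists such as io_uring).
LISTS = {"task", "exit", "user", "exclude", "filesystem"}
ACTIONS = {"always", "never"}
# Fields that auditctl only allows on the exit filter list.
EXIT_ONLY_FIELDS = {"path", "dir"}
PERM_CHARS = set("rwxa")

_FIELD_RE = re.compile(r"([A-Za-z0-9_]+)\s*(!=|<=|>=|&=|=|<|>|&)\s*(.*)")


def _option_value(argv, opt):
    """Return the argument following `opt` in argv, or None if absent."""
    for i, arg in enumerate(argv[:-1]):
        if arg == opt:
            return argv[i + 1]
    return None


def _fields(args):
    """Yield (name, value) for every -F expression in args."""
    i = 0
    while i < len(args):
        if args[i] == "-F" and i + 1 < len(args):
            match = _FIELD_RE.match(args[i + 1])
            yield (match.group(1), match.group(3)) if match else (args[i + 1], "")
            i += 2
        else:
            i += 1


def check_rule(line):
    """Return a list of error strings for one rules.d line (empty = accepted)."""
    try:
        argv = shlex.split(line, comments=True)
    except ValueError as exc:
        return [f"unparseable line: {exc}"]
    if not argv or argv[0] not in ("-a", "-A", "-w"):
        return []  # blank, comment, or a control option such as -D / -b / -e

    errors = []
    if argv[0] == "-w":
        # A file watch is turned into an exit-list rule by auditctl itself,
        # so only the optional -p permission string needs checking here.
        perms = _option_value(argv, "-p")
        if perms is not None and not set(perms) <= PERM_CHARS:
            errors.append(f"bad permission string: {perms}")
        return errors

    if len(argv) < 2:
        return [f"missing list,action keyword after {argv[0]}"]
    parts = argv[1].split(",")
    lists = [p for p in parts if p in LISTS]
    actions = [p for p in parts if p in ACTIONS]
    if len(parts) != 2 or len(lists) != 1 or len(actions) != 1:
        return [f"bad keyword {argv[1]}"]  # same wording auditctl uses
    filter_list = lists[0]

    for field, value in _fields(argv[2:]):
        if field in EXIT_ONLY_FIELDS and filter_list != "exit":
            errors.append(f"{field} can only be used with exit filter list")
        if field == "perm" and not set(value) <= PERM_CHARS:
            errors.append(f"bad permission string: {value}")
    return errors


def check_rules_text(text):
    """Return [(line_number, error), ...] for the whole text of a rules file."""
    return [(n, err)
            for n, line in enumerate(text.splitlines(), start=1)
            for err in check_rule(line)]


# Constructed sample rules.d content: the two rules from the bug report, a
# watch, and two rules that auditctl would legitimately reject.
SAMPLE_RULES = """\
## constructed sample rules.d file for this example
-D
-b 8192
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa
-A exclude,always -F exe=/usr/bin/sudo
-w /etc/passwd -p wa -k passwd_changes
-a always,task -F path=/etc/shadow -F perm=wa
-a exclude,exit -F msgtype=CWD
"""

if __name__ == "__main__":
    for n, err in check_rules_text(SAMPLE_RULES):
        print(f"line {n}: {err}")
```

Run against the sample, only the last two rules are reported (path on the task list, and a keyword with two lists and no action); both rules quoted in this report pass, which is consistent with the observation that the 4.0.2-1 binary, not the rule syntax, is at fault.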
Configs & Log Files
/etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 2000
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2
Journal of the auditd service:
Aug 15 02:28:51 pc-linux systemd[1]: Starting Security Audit Logging Service...
Aug 15 02:28:51 pc-linux auditd[1496]: No plugins found, not dispatching events
Aug 15 02:28:51 pc-linux auditd[1496]: Init complete, auditd 4.0.2 listening for events (startup state enable)
Aug 15 02:28:51 pc-linux systemd[1]: Started Security Audit Logging Service.
I couldn't find any other diagnostic output, so please tell me if there is something more I could provide.