operation not supported on filtering

Vincent Fiset vfiset at gmail.com
Mon Dec 3 19:13:57 UTC 2018


> On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > I got a minimal audit.rules file containing:
> >
> >     # cat -n /etc/audit/audit.rules
> >     1  -D
> >     2
> >     3  -b 8192
> >     4
> >     5  -e 0
>
> Why are you ^^^ disabling the audit system? You may want to try commenting
> that out.

I tried to add that to make sure it was not preventing me from adding the
filters on msgtype. Normally I use `-e 1`.

>
> >     7  -a always,exclude -F msgtype=CWD
> >     8
> >     9  -w /etc/sysctl.conf -p wa -k sysctl
> >
> > When I restart auditd I get:
> >
> >     # /etc/init.d/auditd restart
> >     Restarting audit daemon: auditd Error sending add rule request
> > (Operation not supported)
> >     There was an error in line 7 of /etc/audit/audit.rules
> >      failed!
> >
> > Instructions like `-a always,exclude -F msgtype=CWD` seem to be very
> > popular in examples all over the internet. I don't understand why I get the
> > error.
> >
> > I use auditd `1:1.7.18-1.1` on debian 7
> >
> > What should I do to make this filter work?
>
> Support for msgtype on the exclude filter goes all the way back to 2005. So,
> it should work unless the kernel was built without audit full support. It
> might also be that if the audit system is disabled, it won't load rules. So,
> I'd try that. The code is very old and behaviors have changed over the years
> (both kernel and user space).

Thanks for the input on that. I will try to figure out how to determine
if it was built with audit full support. Any tips on how to achieve
that are welcome.
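One way to answer that last question from the shell, as an added example that is not part of the thread: the two kernel build options the rules above depend on are CONFIG_AUDIT (the audit subsystem, needed for any rule including the `-a always,exclude -F msgtype=...` form) and CONFIG_AUDITSYSCALL (syscall and watch rules such as `-w /etc/sysctl.conf`). The script assumes the running kernel's configuration is readable at `/proc/config.gz` or `/boot/config-$(uname -r)`; if neither exists it says so instead of guessing. The function and file names are my own.

```shell
#!/bin/sh
# Added example: report whether the running kernel was built with the audit
# options that auditctl rules depend on. Not part of the mailing-list thread.
#   CONFIG_AUDIT        - audit subsystem; required for every rule, including
#                         "-a always,exclude -F msgtype=..."
#   CONFIG_AUDITSYSCALL - syscall and watch rules such as "-w /etc/sysctl.conf"

# check_audit_config: reads kernel .config text on stdin, prints one line per
# option, and returns 0 only if both options are built in (=y).
# Anchored patterns keep CONFIG_AUDIT_TREE and friends from matching CONFIG_AUDIT.
check_audit_config() {
    config=$(cat)
    rc=0
    for opt in CONFIG_AUDIT CONFIG_AUDITSYSCALL; do
        if printf '%s\n' "$config" | grep -q "^${opt}=y$"; then
            echo "$opt=y  (supported)"
        else
            echo "$opt not set  (rules that need it will be rejected)"
            rc=1
        fi
    done
    return $rc
}

# find_kernel_config: print the path of a readable config for the running
# kernel (assumed locations), or return 1 if neither exists.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# read_kernel_config: emit the config text, decompressing /proc/config.gz if
# that is the source.
read_kernel_config() {
    path=$(find_kernel_config) || return 1
    case "$path" in
        *.gz) zcat "$path" ;;
        *)    cat "$path" ;;
    esac
}

# Live check against this machine; degrades to a clear message when no
# config file is available (e.g. inside a minimal container).
if config=$(read_kernel_config); then
    printf '%s\n' "$config" | check_audit_config \
        || echo "verdict: kernel lacks full audit support" >&2
else
    echo "kernel config not found (no /proc/config.gz or /boot/config-$(uname -r))" >&2
fi
```

Run it as root or any user that can read the config file; a kernel that prints `(supported)` for both options can accept the exclude filter and the watch rule, so a remaining error would come from the daemon or rule syntax rather than from the kernel build.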