operation not supported on filtering

Vincent Fiset vfiset at gmail.com
Tue Dec 4 15:15:47 UTC 2018


> > here are the flags that I see in proc/config:
> >
> > $ zgrep -i audi /proc/config.gz
> > CONFIG_AUDIT_ARCH=y
> > CONFIG_AUDIT=y
> > CONFIG_HAVE_ARCH_AUDITSYSCALL=y
> > CONFIG_AUDITSYSCALL=y
> > CONFIG_AUDIT_WATCH=y
> > CONFIG_AUDIT_TREE=y
> > CONFIG_NETFILTER_XT_TARGET_AUDIT=m
> > CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
> > # CONFIG_KVM_MMU_AUDIT is not set
> > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
> >
> > At this point I am unsure if it's all needed to claim it was built
> > with audit full support. Anything else I should check?
>
> Offhand that looks like all the settings. If you modify line 5 to enable the
> audit system and then comment out the rule at line 7, does it work when you
> restart?
>
> If that works, then you might want to strace loading that rule by command
> line.
>
> strace /sbin/auditctl -a always,exclude -F msgtype=CWD  >  log  2>&1

Unfortunately I already tried that before; strace was not revealing
anything obvious (to me at least).

here is the output in case you see something:

$ cat -n /etc/audit/audit.rules
     1  -D
     2
     3  -b 8192
     4
     5  #-e 1
     6
     7  #-a exclude,never -F msgtype=CWD
     8
     9  -w /etc/sysctl.conf -p wa -k sysctl

$ /etc/init.d/auditd restart
Restarting audit daemon: auditd.

$ auditctl -l
LIST_RULES: exit,always watch=/etc/sysctl.conf perm=wa key=sysctl

$ strace /sbin/auditctl -a always,exclude -F msgtype=CWD  >  log  2>&1
$ cat log
execve("/sbin/auditctl", ["/sbin/auditctl", "-a", "always,exclude",
"-F", "msgtype=CWD"], [/* 19 vars */]) = 0
brk(0)                                  = 0x226b000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f9339141000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=18800, ...}) = 0
mmap(NULL, 18800, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f933913c000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\\\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=131107, ...}) = 0
mmap(NULL, 2208672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
0) = 0x7f9338d08000
mprotect(0x7f9338d1f000, 2093056, PROT_NONE) = 0
mmap(0x7f9338f1e000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f9338f1e000
mmap(0x7f9338f20000, 13216, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9338f20000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\357\1\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1607696, ...}) = 0
mmap(NULL, 3721272, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
0) = 0x7f933897b000
mprotect(0x7f9338aff000, 2093056, PROT_NONE) = 0
mmap(0x7f9338cfe000, 20480, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x183000) = 0x7f9338cfe000
mmap(0x7f9338d03000, 18488, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9338d03000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f933913b000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f933913a000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f9339139000
arch_prctl(ARCH_SET_FS, 0x7f933913a700) = 0
mprotect(0x7f9338cfe000, 16384, PROT_READ) = 0
mprotect(0x7f9338f1e000, 4096, PROT_READ) = 0
mprotect(0x7f9339143000, 4096, PROT_READ) = 0
munmap(0x7f933913c000, 18800)           = 0
set_tid_address(0x7f933913a9d0)         = 26861
set_robust_list(0x7f933913a9e0, 0x18)   = 0
futex(0x7ffe952c57fc, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME,
1, NULL, 7f933913a700) = -1 EAGAIN (Resource temporarily unavailable)
rt_sigaction(SIGRTMIN, {0x7f9338d0dad0, [], SA_RESTORER|SA_SIGINFO,
0x7f9338d170a0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7f9338d0db60, [],
SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f9338d170a0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=8192*1024}) = 0
getuid()                                = 0
socket(PF_NETLINK, SOCK_RAW, 9)         = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
brk(0)                                  = 0x226b000
brk(0x228c000)                          = 0x228c000
socket(PF_NETLINK, SOCK_RAW, 9)         = 4
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
sendto(4, "\20\0\0\0\350\3\5\0\1\0\0\0\0\0\0\0", 16, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
poll([{fd=4, events=POLLIN}], 1, 500)   = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "$\0\0\0\2\0\0\0\1\0\0\0\355h\0\0\0\0\0\0\20\0\0\0\350\3\5\0\1\0\0\0"...,
8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0,
groups=00000000}, [12]) = 36
recvfrom(4, "$\0\0\0\2\0\0\0\1\0\0\0\355h\0\0\0\0\0\0\20\0\0\0\350\3\5\0\1\0\0\0"...,
8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
[12]) = 36
poll([{fd=4, events=POLLIN}], 1, 100)   = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "8\0\0\0\350\3\0\0\1\0\0\0\355h\0\0\0\0\0\0\1\0\0\0\1\0\0\0$c\0\0"...,
8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
[12]) = 56
sendto(4, "\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\1\0\0\0\377\377\377\377"...,
796, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 796
poll([{fd=4, events=POLLIN}], 1, 500)   = 1 ([{fd=4, revents=POLLIN}])
recvfrom(4, "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0\0"...,
8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0,
groups=00000000}, [12]) = 816
recvfrom(4, "0\3\0\0\2\0\0\0\2\0\0\0\355h\0\0\241\377\377\377\34\3\0\0\353\3\5\0\2\0\0\0"...,
8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
[12]) = 816
write(2, "Error sending add rule request ("..., 56Error sending add
rule request (Operation not supported)) = 56
write(2, "\n", 1
)                       = 1
close(4)                                = 0
exit_group(-1)                          = ?
On Tue, Dec 4, 2018 at 9:51 AM Steve Grubb <sgrubb at redhat.com> wrote:
>
> On Tuesday, December 4, 2018 9:26:29 AM EST Vincent Fiset wrote:
> > here are the flags that I see in proc/config:
> >
> > $ zgrep -i audi /proc/config.gz
> > CONFIG_AUDIT_ARCH=y
> > CONFIG_AUDIT=y
> > CONFIG_HAVE_ARCH_AUDITSYSCALL=y
> > CONFIG_AUDITSYSCALL=y
> > CONFIG_AUDIT_WATCH=y
> > CONFIG_AUDIT_TREE=y
> > CONFIG_NETFILTER_XT_TARGET_AUDIT=m
> > CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
> > # CONFIG_KVM_MMU_AUDIT is not set
> > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
> >
> > At this point I am unsure if it's all needed to claim it was built
> > with audit full support. Anything else I should check?
>
> Offhand that looks like all the settings. If you modify line 5 to enable the
> audit system and then comment out the rule at line 7, does it work when you
> restart?
>
> If that works, then you might want to strace loading that rule by command
> line.
>
> strace /sbin/auditctl -a always,exclude -F msgtype=CWD  >  log  2>&1
>
> -Steve
>
>
> > On Mon, Dec 3, 2018 at 2:13 PM Vincent Fiset <vfiset at gmail.com> wrote:
> > > > On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> > > > > I got a minimal audit.rules file containing:
> > > > >     # cat -n /etc/audit/audit.rules
> > > > >     1  -D
> > > > >     2
> > > > >     3  -b 8192
> > > > >     4
> > > > >     5  -e 0
> > > >
> > > > Why are you ^^^ disabling the audit system? You may want to try
> > > > commenting
> > > > that out.
> > >
> > > I tried to add that to make sure it was not preventing me from adding the
> > > filters on msgtype. Normally I use `-e 1`
> > >
> > > > >     7  -a always,exclude -F msgtype=CWD
> > > > >     8
> > > > >     9  -w /etc/sysctl.conf -p wa -k sysctl
> > > > >
> > > > > When I restart auditd I get:
> > > > >     # /etc/init.d/auditd restart
> > > > >     Restarting audit daemon: auditd Error sending add rule request
> > > > >
> > > > > (Operation not supported)
> > > > >
> > > > >     There was an error in line 7 of /etc/audit/audit.rules
> > > > >
> > > > >      failed!
> > > > >
> > > > > instructions like `-a always,exclude -F msgtype=CWD` seem to be very
> > > > > popular in examples all over the internet. I don't understand why I
> > > > > get the
> > > > > error.
> > > > >
> > > > > I use auditd `1:1.7.18-1.1` on debian 7
> > > > >
> > > > > What should I do to make this filter work?
> > > >
> > > > Support for msgtype on the exclude filter goes all the way back to
> > > > 2005. So, it should work unless the kernel was built without audit
> > > > full support. It might also be that if the audit system is disabled,
> > > > it won't load rules. So, I'd try that. The code is very old and
> > > > behaviors have changed over the years (both kernel and user space).
> > >
> > > Thanks for the input on that. I will try to figure out how to determine
> > > if it was built with audit full support. Any tips on how to achieve
> > > that are welcome.
>
>
>
>


-- 
/VF



