You are not logged in.

#1 2024-08-26 00:44:59

clime
Member
Registered: 2022-10-29
Posts: 6

[SOLVED] auditctl returning error

I use audit occasionally to watch different files and directories.
I have script in which I used a line similar to this:

auditctl -a always,exit -F arch=b64 -F dir="$HOME/TestDir" -F perm=rwxa -k temporary

and it worked just fine.
Now when I tried to use that script I get this small error:

dir can only be used with exit filter list
There was an error while processing parameters

If I use the old-style watch rule -

auditctl -w "$HOME/TestDir" -p perm=rwxa -k temporary

- there is no problem, but obviously I get the returned statement 'Old style watch rules are slower' (which is why I'm trying to do it the new way).

I was using the zen kernel, figured that might be causing some kind of issue, so I switched to the lts kernel - but unfortunately there is no difference.

Any ideas what I'm doing wrong and how to fix it?

Last edited by clime (2024-08-27 17:45:22)

Offline

#2 2024-08-26 06:59:14

seth
Member
Registered: 2012-09-03
Posts: 58,669

Re: [SOLVED] auditctl returning error

Does "-a exit,always" work?
Does "auditctl -a exit,always -F dir="$HOME/TestDir" -F arch=b64  -F perm=rwxa -k temporary"?
Does downgrading audit to 4.0.1-3 fix it?

Offline

#3 2024-08-26 23:13:43

clime
Member
Registered: 2022-10-29
Posts: 6

Re: [SOLVED] auditctl returning error

seth wrote:

Does "-a exit,always" work?
Does "auditctl -a exit,always -F dir="$HOME/TestDir" -F arch=b64  -F perm=rwxa -k temporary"?
Does downgrading audit to 4.0.1-3 fix it?

Yes, thank you!
Downgrading the package allows both "-a exit,always" and "-a always,exit" to work.
I should've tried downgrading in the first place, thank you once again.

I should also mention that "-a exit,always" did not work before downgrading. It returned the following:

Append rule - bad keyword exit,always
There was an error while processing parameters

Should I report this issue somewhere?
I'm not sure exactly where would be best - I didn't find any other reports of this on google if anyone else is experiencing it.

Last edited by clime (2024-08-26 23:17:33)

Offline

#4 2024-08-27 04:28:14

singeinfini
Member
Registered: 2020-04-11
Posts: 5

Re: [SOLVED] auditctl returning error

Offline

#5 2024-08-27 17:45:37

clime
Member
Registered: 2022-10-29
Posts: 6

Re: [SOLVED] auditctl returning error

Offline

Board footer

Powered by FluxBB