Description of problem:
Freshly built system:

# auditctl -R /usr/share/doc/audit-2.4.5/stig.rules
No rules
enabled 1
failure 2
pid 1518
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
enabled 1
failure 2
pid 1518
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
usage: auditctl [options]
 -a <l,a>            Append rule to end of <l>ist with <a>ction
 -A <l,a>            Add rule at beginning of <l>ist with <a>ction
 -b <backlog>        Set max number of outstanding audit buffers allowed Default=64
 -c                  Continue through errors in rules
 -C f=f              Compare collected fields if available: Field name, operator(=,!=), field name
 -d <l,a>            Delete rule from <l>ist with <a>ction l=task,exit,user,exclude a=never,always
 -D                  Delete all rules and watches
 -e [0..2]           Set enabled flag
 -f [0..2]           Set failure flag 0=silent 1=printk 2=panic
 -F f=v              Build rule: field name, operator(=,!=,<,>,<=, >=,&,&=) value
 -h                  Help
 -i                  Ignore errors when reading rules from file
 -k <key>            Set filter key on audit rule
 -l                  List rules
 -m text             Send a user-space message
 -p [r|w|x|a]        Set permissions filter on watch r=read, w=write, x=execute, a=attribute
 -q <mount,subtree>  make subtree part of mount point's dir watches
 -r <rate>           Set limit in messages/sec (0=none)
 -R <file>           read rules from file
 -s                  Report status
 -S syscall          Build rule: syscall name or number
 -t                  Trim directory watches
 -v                  Version
 -w <path>           Insert watch at <path>
 -W <path>           Remove watch at <path>

Straight away in the messages file I see:

Dec 9 17:54:10 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules

Version-Release number of selected component (if applicable):

[root@localhost sosreport-tollops-20161209175432] # cat installed-rpms | grep -i audit
audit-2.4.5-3.el6.x86_64        Fri Dec 9 17:41:14 2016
audit-libs-2.4.5-3.el6.x86_64   Fri Dec 9 17:38:00 2016

How reproducible:
freshly installed system

Actual results:
Error messages in /var/log/messages -

Dec 9 17:48:30 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules
Dec 9 17:48:53 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules
Dec 9 17:49:03 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules
Dec 9 17:52:15 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules
Dec 9 17:53:35 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules
Dec 9 17:54:10 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules

Expected results:
No error messages

Additional info:
You are right. This is not functional. The --loginuid-immutable is only a RHEL7 feature. So, comment out/delete that line. I'll see about getting a 6.9 fix in place.
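The failure above is a rules file carrying an option the installed auditctl does not know, and the only trace of it is the "error in line N of <file>" message repeated at every boot. The following is an added example (not part of this bug report and not code from the audit project) that maps those syslog lines back to the offending rule text and statically flags options the thread identifies as RHEL 7 only, so a rules file can be checked before it is shipped to a RHEL 6 host. The syslog excerpt and the stand-in stig.rules are constructed for the example; only --loginuid-immutable is taken from the thread, and the UNSUPPORTED_OPTIONS table is an assumption that would need extending for other version gaps.

```python
"""Locate and explain auditctl rule-load failures.

Added example, not part of the bug report or of the audit package. It parses
syslog lines of the form
  "Dec 9 17:54:10 localhost auditctl: There was an error in line 17 of <file>"
back to the rule that failed, and lints a rules file for options that the
bug thread says do not exist in the RHEL 6 auditctl.
"""
import re
from typing import Dict, List, Tuple

# Syslog line written by auditctl -R when a rule in the file cannot be loaded.
AUDITCTL_ERROR = re.compile(
    r"auditctl: There was an error in line (?P<line>\d+) of (?P<path>\S+)"
)

RHEL7_ONLY = "RHEL 7 only option; comment out or delete on RHEL 6"

# Assumption: a starting table, not a complete auditctl compatibility matrix.
# --loginuid-immutable is the case documented in this bug thread.
UNSUPPORTED_OPTIONS = {"--loginuid-immutable": RHEL7_ONLY}

# Constructed syslog excerpt (same message repeated across reboots plus one
# unrelated line), not a real log from the reporter's system.
SAMPLE_SYSLOG = """\
Dec 9 17:48:30 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules
Dec 9 17:48:53 localhost auditctl: There was an error in line 17 of /usr/share/doc/audit-2.4.5/stig.rules
Dec 9 17:49:03 localhost crond[1600]: (constructed unrelated line)
"""

# Constructed stand-in for stig.rules; line numbers do NOT match the shipped file.
# Line 17 deliberately holds the option the RHEL 6 auditctl rejects.
SAMPLE_STIG_RULES = "\n".join(
    [
        "# constructed stand-in for stig.rules, not the shipped file",
        "-D",
        "-b 8192",
        "",
        "-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy",
        "-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale",
        "",
    ]
    + ["# padding comment"] * 9
    + ["--loginuid-immutable"]
)


def parse_auditctl_errors(syslog_text: str) -> List[Tuple[str, int]]:
    """Return unique (rules_file, line_number) pairs, in first-seen order."""
    found: List[Tuple[str, int]] = []
    for line in syslog_text.splitlines():
        m = AUDITCTL_ERROR.search(line)
        if m:
            key = (m.group("path"), int(m.group("line")))
            if key not in found:
                found.append(key)
    return found


def resolve_rule(rules_text: str, line_number: int) -> str:
    """Return the text of the 1-based line auditctl complained about."""
    lines = rules_text.splitlines()
    if not 1 <= line_number <= len(lines):
        raise ValueError(f"line {line_number} is outside the rules file")
    return lines[line_number - 1].strip()


def lint_rules(rules_text: str) -> Dict[int, str]:
    """Map 1-based line number -> reason for each rule using an unsupported option.

    Blank lines and comments are skipped, as auditctl -R skips them.
    """
    findings: Dict[int, str] = {}
    for n, raw in enumerate(rules_text.splitlines(), start=1):
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        for opt, reason in UNSUPPORTED_OPTIONS.items():
            if opt in rule.split():
                findings[n] = reason
    return findings


def diagnose(syslog_text: str, rules_by_path: Dict[str, str]) -> List[dict]:
    """Join syslog errors with rule text and lint findings for a report."""
    report = []
    for path, line_no in parse_auditctl_errors(syslog_text):
        rules_text = rules_by_path.get(path)
        if rules_text is None:
            report.append({"path": path, "line": line_no, "rule": None, "reason": "rules file not available"})
            continue
        rule = resolve_rule(rules_text, line_no)
        reason = lint_rules(rules_text).get(line_no, "not in the known-unsupported table; check auditctl version")
        report.append({"path": path, "line": line_no, "rule": rule, "reason": reason})
    return report


if __name__ == "__main__":
    for entry in diagnose(SAMPLE_SYSLOG, {"/usr/share/doc/audit-2.4.5/stig.rules": SAMPLE_STIG_RULES}):
        print(f"{entry['path']}:{entry['line']}: {entry['rule']!r}: {entry['reason']}")
```

On a real host, replace the constructed inputs with the text of /var/log/messages and the shipped rules file; the lint step is the part worth running before deployment, since auditctl -R stops at the first bad line and nothing after it gets loaded unless -c or -i is used.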
audit-2.4.5-6.el6 was built to address this issue.
Successfully verified. All provided rules files can be loaded correctly on all supported 64-bit architectures. All rules are loaded correctly.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG    ] :: Checking /usr/share/doc/audit-2.4.5/capp.rules
::   [ PASS   ] :: Loading /usr/share/doc/audit-2.4.5/capp.rules (Expected 0, got 0)
::   [ PASS   ] :: Checking number of rules loaded (Assert: '63' should equal '63')
::   [ PASS   ] :: Removing all rules (Expected 0, got 0)
::   [ LOG    ] :: Checking /usr/share/doc/audit-2.4.5/lspp.rules
::   [ INFO   ] :: using '/var/tmp/beakerlib-49465331/backup' as backup destination
::   [ PASS   ] :: Loading /usr/share/doc/audit-2.4.5/lspp.rules (Expected 0, got 0)
::   [ PASS   ] :: Checking number of rules loaded (Assert: '81' should equal '81')
::   [ PASS   ] :: Removing all rules (Expected 0, got 0)
::   [ LOG    ] :: Checking /usr/share/doc/audit-2.4.5/nispom.rules
::   [ INFO   ] :: using '/var/tmp/beakerlib-49465331/backup' as backup destination
::   [ PASS   ] :: Loading /usr/share/doc/audit-2.4.5/nispom.rules (Expected 0, got 0)
::   [ PASS   ] :: Checking number of rules loaded (Assert: '36' should equal '36')
::   [ LOG    ] :: Rule "-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale" is not loaded - an exception
::   [ PASS   ] :: Removing all rules (Expected 0, got 0)
::   [ LOG    ] :: Checking /usr/share/doc/audit-2.4.5/stig.rules
::   [ INFO   ] :: using '/var/tmp/beakerlib-49465331/backup' as backup destination
::   [ PASS   ] :: Loading /usr/share/doc/audit-2.4.5/stig.rules (Expected 0, got 0)
::   [ PASS   ] :: Checking number of rules loaded (Assert: '35' should equal '35')
::   [ LOG    ] :: Rule "-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale" is not loaded - an exception
::   [ LOG    ] :: Rule "-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy" is not loaded - an exception
::   [ PASS   ] :: Removing all rules (Expected 0, got 0)
::   [ LOG    ] :: Duration: 4m 53s
::   [ LOG    ] :: Assertions: 12 good, 0 bad
::   [ PASS   ] :: RESULT: Test

See TJ#1645624 for more details. Also, please notice that none of the rules files can be loaded on i386, but that is expected because the rules are intended for 64-bit architectures.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2017-0593.html