I'm getting this, when trying to apply a copy of the rules files:
-F unknown field: uid
There was an error in line 18 of /etc/audit/audit.rules
Error sending add rule data request (No such file or directory)
There was an error in line 83 of /etc/audit/audit.rules
Not sure about the problem with the uid, but the "No such file or directory" makes sense, because I don't have /usr/libexec/openssh/ssh-keysign.
Commenting out those two lines worked for me. I suspect that this is related to my Linux distribution and version? If so, we should probably add a note about supported distros (or which distros the rules file has been tested on) to the README.
@lennartkoopmann Thank you for noting this issue! I went ahead and commented out those affected rules in the ruleset until I get a chance to tinker with things.
And, you are most correct about establishing what flavors this has been tested on. I've been testing individual rules on Ubuntu 16, and an older version of Fedora. I need to put together a process and get updated / latest "greatest" and test the ruleset from there. It might just be a matter of creating separate rulesets across multiple different flavors of Linux and putting out rulesets based off those findings.
Time is pretty tight for me at the moment, but I am going to leave this issue open and will put updates in here related to my progress.
Thanks! I'm running this against Ubuntu Server 18.04 and Ubuntu (Workstation) 18.04 and had to make a few adjustments. Adjusting exclusions for Firefox cache etc, too.
The two offending lines are:
I'm on auditd v2.8.2 and here are my OS details:
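An added example, not part of the thread or of the ruleset's repository: a pre-flight check for the "No such file or directory" failure reported above. It lists every rule in a rules file whose `-w` path or `-F path=`/`dir=`/`exe=` value is missing on the current host. The function names and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ruleset's repository): list audit rules whose
# watched path does not exist on this host, before handing the file to auditctl.

# Print "LINE PATH" for each rule that names a missing absolute path via
# -w PATH or -F path=/dir=/exe= (field names as documented in auditctl(8)).
missing_rule_paths() {
    rules_file=$1
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line#"${line%%[![:space:]]*}"}   # trim leading whitespace
        case $line in
            ''|'#'*) continue ;;                # blank line or comment
        esac
        prev=
        set -f                                  # split words without globbing
        for word in $line; do
            path=
            case $prev:$word in
                -w:/*) path=$word ;;
                -F:path=/*|-F:dir=/*|-F:exe=/*) path=${word#*=} ;;
            esac
            if [ -n "$path" ] && [ ! -e "$path" ]; then
                printf '%s %s\n' "$lineno" "$path"
            fi
            prev=$word
        done
        set +f
    done < "$rules_file"
}

# Constructed sample: one rule on a file that exists, one on a file that does not.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/present"
    {
        echo "# constructed sample rules"
        echo "-w $tmp/present -p wa -k demo_watch"
        echo "-a always,exit -F path=$tmp/absent/ssh-keysign -F perm=x -k demo_priv"
    } > "$tmp/audit.rules"
    missing_rule_paths "$tmp/audit.rules"
    rm -rf "$tmp"
}

demo
```

Running `missing_rule_paths /etc/audit/audit.rules` on each target distribution gives the line numbers to comment out or move into a distro-specific ruleset; it does not cover paths written with quotes or spaces.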