There are duplicate rules defined in the audit rules file. This breaks reloading the rules (`augenrules --load`) and adding new rules: `auditctl -R` stops at the first rule that fails to load (unless `-c` is passed), so every rule after the duplicate is left uninstalled as well, not just the duplicate itself.
After deploying the Azure STIG template on an Ubuntu image, `augenrules --load` fails with the following error:
root@my-vm:/etc/audit# augenrules --load
/sbin/augenrules: No change
No rules
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 6
backlog_wait_time 0
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 1
backlog_wait_time 0
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0
Error sending add rule data request (Rule exists)
There was an error in line 123 of /etc/audit/audit.rules
1 ## This file is automatically generated from /etc/audit/rules.d
2 -D
3 -b 8192
4 -f 1
5 --backlog_wait_time 0
6 -w /var/log/tallylog -p wa -k logins
7 -w /var/log/faillog -p wa -k logins
8 -w /var/log/lastlog -p wa -k logins
9 -w /var/log/sudo.log -p wa -k priv_actions
10 -w /var/log/wtmp -p wa -k logins
11 -w /var/run/utmp -p wa -k logins
12 -w /var/log/btmp -p wa -k logins
13 -w /etc/passwd -p wa -k usergroup_modification
14 -w /etc/group -p wa -k usergroup_modification
15 -w /etc/gshadow -p wa -k usergroup_modification
16 -w /etc/shadow -p wa -k usergroup_modification
17 -w /etc/security/opasswd -p wa -k usergroup_modification
18 -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change
19 -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn
20 -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount
21 -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-umount
22 -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
23 -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
24 -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
25 -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
26 -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
27 -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
28 -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
29 -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
30 -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
31 -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
32 -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
33 -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
34 -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
35 -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
36 -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
37 -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
38 -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
39 -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
40 -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
41 -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
42 -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
43 -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
44 -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
45 -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
46 -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
47 -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
48 -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng
49 -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng
50 -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=-1 -k perm_chng
51 -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=-1 -k perm_chng
52 -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_chng
53 -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_chng
54 -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=-1 -k perm_chng
55 -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=-1 -k perm_chng
56 -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=-1 -k perm_chng
57 -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=-1 -k perm_chng
58 -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_chng
59 -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_chng
60 -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
61 -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
62 -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
63 -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
64 -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
65 -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
66 -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
67 -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
68 -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
69 -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
70 -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
71 -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
72 -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
73 -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
74 -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
75 -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
76 -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
77 -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
78 -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
79 -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
80 -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
81 -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
82 -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd
83 -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update
84 -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd
85 -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage
86 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod
87 -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab
88 -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check
89 -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
90 -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
91 -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
92 -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
93 -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
94 -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
95 -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_chng
96 -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_chng
97 -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_chng
98 -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_chng
99 -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_chng
100 -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_chng
101 -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=-1 -k delete
102 -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=-1 -k delete
103 -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=-1 -k delete
104 -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=-1 -k delete
105 -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=-1 -k delete
106 -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=-1 -k delete
107 -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=-1 -k delete
108 -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=-1 -k delete
109 -a always,exit -F arch=b32 -S init_module -S finit_module -k modules
110 -a always,exit -F arch=b64 -S init_module -S finit_module -k modules
111 -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
112 -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
113 -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
114 -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
115 -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
116 -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
117 -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
118 -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
119 -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
120 -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
121 -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
122 -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
123 -a always,exit -F arch=b64 -S init_module -S finit_module -F key=modules
124 -a always,exit -F arch=b32 -S init_module -S finit_module -F key=modules
125 -a always,exit -F arch=b64 -S delete_module -F key=modules
126 -a always,exit -F arch=b32 -S delete_module -F key=modules
127 -w /sbin/modprobe -p x -k modules
128 -w /bin/kmod -p x -k module
129 -w /sbin/fdisk -p x -k fdisk
-a always,exit -F arch=b64 -S delete_module -F key=modules
-a always,exit -F arch=b32 -S delete_module -F key=modules
The failing line 123 (`-a always,exit -F arch=b64 -S init_module -S finit_module -F key=modules`) is the same rule as line 110, which uses the `-k modules` shorthand for `-F key=modules`; line 124 likewise repeats line 109 for `arch=b32`. The `delete_module` rules (lines 125–126) appear only once in the listing and can stay. Removing the duplicated `init_module`/`finit_module` rules allows augenrules to parse and load the rules file correctly. Note that `/etc/audit/audit.rules` is regenerated from `/etc/audit/rules.d/` (see the header line of the listing), so the duplicate has to be removed from the template's `rules.d` fragment, or it will come back on the next `augenrules`. While there, line 128 keys the `/bin/kmod` watch as `module` rather than `modules`, so an `ausearch -k modules` query will not return those events.
root@my-vm:/etc/audit# augenrules --load
No rules
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 7
backlog_wait_time 0
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 1
backlog_wait_time 0
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0