-
Bug
-
Resolution: Done
-
Undefined
-
rhel-7.9.z, rhel-8.8.0.z, rhel-9.2.0.z
-
None
-
None
-
Moderate
-
1
-
rhel-sst-security-special-projects
-
ssg_security
-
None
-
False
-
-
No
-
SECENGSP Cycle 12
-
Pass
-
None
-
Unspecified Release Note Type - Unknown
-
-
All
-
None
- What were you trying to do that didn't work?
Starting the service shows no rule is loaded and no error is seen in the journal for auditd.service unit.
However, searching for auditctl errors in the journal, we can see the following message:
[...] auditctl[2083]: There was an error in line 2 of /etc/audit/audit.rules
The file content looks correct:
# head -2 /etc/audit/audit.rules ## This file is automatically generated from /etc/audit/rules.d -D
But in fact it's not because the file (and corresponding snippet in /etc/audit/rules.d/*.rules) is in DOS mode, causing the issue:
# head -2 /etc/audit/audit.rules | hexdump -C
[...]
00000040 2d 44 0d 0a |-D..|
00000044 ^^^^^
DOS LINEFEED
Please consider hardening auditctl to support DOS files.
Please provide the package NVR for which bug is seen:
audit
How reproducible:
Always
Steps to reproduce
- Convert /etc/audit/rules.d/audit.rules to DOS
# vim /etc/audit/rules.d/audit.rules :set ff=dos :wq
- Restart the audit service
Expected results
Rules loaded or auditd.service failing
Actual results
No rule loaded
- links to
