Comment 2 for bug 1867372

Dmitriy Kulikov (dmitrk68) wrote :

After many experiments, I discovered an inconspicuous syntax error in audit.rules.
Here are two seemingly identical lines:
-a exit,always -F arch=b64 -F euid=0 -S execve –k root_actions
-a exit,always -F arch=b64 -F euid=0 -S execve -k root_actions

Their only difference is that in the first line (copy-pasted from another source), the dash before "–k" is not the standard dash character, although it appears exactly the same in the console.
When I changed it to a standard dash, the mentioned error, "error in line 6 of /etc/audit/audit.rules", was eliminated.

I absolutely don't understand the role of the Rsyslog configuration changes in this. But paradoxically, this error in the dash character only manifests itself in this case. Before that, a string with a non-standard dash in audit.rules was accepted by auditd without problems on both my servers.
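
A check for the problem described in this comment, as an added example that is not part of the original comment or of the audit project: it scans rule text for non-ASCII characters outside comment lines and flags Unicode dash lookalikes such as the one before "k". The function names, the constructed sample rules and the use of U+2013 (en dash) for the pasted character are assumptions.

```python
import sys
import unicodedata

# Characters that editors and web pages commonly substitute for ASCII "-".
DASH_LOOKALIKES = {"\u2010", "\u2011", "\u2012", "\u2013",
                   "\u2014", "\u2015", "\u2212"}


def find_suspect_chars(text):
    """Return (line, column, codepoint, name, is_dash) for every non-ASCII
    character found on a non-comment line of the given rules text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment lines are skipped here
        for col, ch in enumerate(line, start=1):
            if ord(ch) > 0x7F:
                findings.append((line_no, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "UNKNOWN"),
                                 ch in DASH_LOOKALIKES))
    return findings


def normalize_dashes(text):
    """Replace known dash lookalikes with the ASCII hyphen-minus."""
    return text.translate({ord(c): "-" for c in DASH_LOOKALIKES})


# Constructed sample: the second line uses U+2013 before "k" (assumed code
# point), the third line is the corrected rule with an ASCII hyphen.
SAMPLE_RULES = (
    "# constructed sample, not a real audit.rules file\n"
    "-a exit,always -F arch=b64 -F euid=0 -S execve \u2013k root_actions\n"
    "-a exit,always -F arch=b64 -F euid=0 -S execve -k root_actions\n"
)

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            rules = fh.read()
    else:
        rules = SAMPLE_RULES
    results = find_suspect_chars(rules)
    for line_no, col, cp, name, is_dash in results:
        hint = " (dash lookalike, replace with '-')" if is_dash else ""
        print(f"line {line_no}, column {col}: {cp} {name}{hint}")
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets the check run before rules are deployed.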