auditd fails to add rules & Error sending add rule data request (Invalid argument)

auditd服务正常运行
[email protected]:~# service auditd status
?.auditd.service - Security Auditing Service
Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: e
nabled)
Active: active (running) since Thu 2016-02-11 16:28:01 UTC; 28s ag
o
Process: 186 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exit
ed, status=0/SUCCESS)
Main PID: 185 (auditd)
CGroup: /system.slice/auditd.service
?..185 /sbin/auditd -n

Feb 11 16:28:01 hgu systemd[1]: Started Security Auditing Service.
Feb 11 16:28:01 hgu auditctl[186]: No rules
Feb 11 16:28:01 hgu auditctl[186]: enabled 1
Feb 11 16:28:01 hgu auditctl[186]: failure 1
Feb 11 16:28:01 hgu auditctl[186]: pid 185
Feb 11 16:28:01 hgu auditctl[186]: rate_limit 0
Feb 11 16:28:01 hgu auditctl[186]: backlog_limit 320
Feb 11 16:28:01 hgu auditctl[186]: lost 0
Feb 11 16:28:01 hgu auditctl[186]: backlog 0
Feb 11 16:28:01 hgu auditctl[186]: backlog_wait_time 60000
[email protected]:~#

问题现象：查看审计规则，无。然后新增一条，返错
#auditctl -l
No rules
#auditctl -a entry,always -F arch=b64 -S execve -k exec
Error sending add rule data request (Invalid argument)

解决方法：
开启选项 CONFIG_AUDITSYSCALL

查看内核（.config文件），CONFIG_AUDITSYSCALL=y 相关的几个选项是否开启。CONFIG_AUDIT=y,只有一个选项在进行配置auditctl是有问题的。
auditd fails to add rules & Error sending add rule data request (Invalid argument)
正常配置
如果menuconfig中勾选内核audit选项还是看不到AUDITSYSCALL,需要关闭OABI_COMPAT.

auditd fails to add rules & Error sending add rule data request (Invalid argument)

相关推荐