Error in audit.rules #2

@lennartkoopmann

Description

I'm getting this when trying to apply a copy of the rules file:

-F unknown field: uid
There was an error in line 18 of /etc/audit/audit.rules
Error sending add rule data request (No such file or directory)
There was an error in line 83 of /etc/audit/audit.rules

The two offending lines are:

-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts

Not sure about the problem with the uid, but the "No such file or directory" makes sense, because I don't have /usr/libexec/openssh/ssh-keysign.

Commenting out those two lines worked for me. I suspect that this is related to my Linux distribution and version? If so, we should probably add a note about supported distros (or which distros the rules file has been tested on) to the README.

I'm on auditd v2.8.2 and here are my OS details:

NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.1 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
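A preflight check for the two failure modes in this report: a -F path= (or -w) target that does not exist on the host, and a -F uid= value naming a user the host cannot resolve (auditctl has to translate such names to numeric ids when it loads the file). This is an added example, not part of the issue or of the project's rules file; the function names, the constructed sample rules, and the placeholder path and user name are assumptions.

```shell
#!/bin/sh
# Preflight for an audit.rules file: flags -F path=/-w targets that do not
# exist on this host and -F uid=/auid= values naming users this host cannot
# resolve, with the offending line number, before "auditctl -R" is run.
# Function names and the sample rules below are assumptions for this example.

check_audit_rules() {
    rules_file=$1
    problems=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line                       # split the rule into tokens
        case $1 in
            -w) [ -e "$2" ] || { echo "line $lineno: watch path $2 does not exist"; problems=$((problems + 1)); } ;;
            -a) ;;
            *) continue ;;                 # comments, blanks, -D, -b, -f ...
        esac
        for tok in "$@"; do
            case $tok in
                path=*)
                    p=${tok#path=}
                    [ -e "$p" ] || { echo "line $lineno: path $p does not exist"; problems=$((problems + 1)); }
                    ;;
                uid=*|auid=*|euid=*|suid=*|fsuid=*)
                    v=${tok#*=}
                    case $v in
                        [0-9]*|-1|unset) ;;    # numeric ids and auditd's special values need no lookup
                        *) id -u "$v" >/dev/null 2>&1 || { echo "line $lineno: user $v not found"; problems=$((problems + 1)); } ;;
                    esac
                    ;;
            esac
        done
    done < "$rules_file"
    return "$problems"                     # 0 means the file should load cleanly
}

# Constructed sample: two lines that would load and two that mirror the
# report's failures (missing binary, unknown user). Values are placeholders.
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
## constructed sample audit.rules
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -F uid=root -k exec
-a always,exit -F path=/nonexistent/example-binary -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=nosuchuser_example -k time
EOF
    echo "$f"
}
```

Run `check_audit_rules /etc/audit/audit.rules` on the target host; a non-zero exit code is the number of lines that would fail, and the messages name each one.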

Labels

bug (Something isn't working)
