Auditd Rules Error – Fixing Missing Operation for AUID

Tags: auditd, centos, hardening, linux, Ubuntu

I am trying to set up the rule below in /etc/audit/audit.rules:

-a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>= 1000 -F auid!=4294967295 -k delete

which didn't work, so I tried executing it directly from the command line like so:

auditctl -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>= 1000 -F auid!=4294967295 -k delete

But I am getting the following error:
-F missing operation for auid

Can someone guide me on how to fix this issue?

Best Answer

Executing the mentioned lines leads to the greater-than sign > being interpreted as a redirect operator by your shell, which is presumably bash. For that reason the operation for auid is missing, because everything after > is not part of the command anymore. You probably see a file named = in your current directory.

To execute it properly, you have to escape >, for example like this:

auditctl -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid\>=1000 -F auid!=4294967295 -k delete

or like this:

auditctl -a always,exit -S unlink -S unlinkat -S rename -S renameat -F "auid>=1000" -F auid!=4294967295 -k delete