[Touch-packages] [Bug 2020163] [NEW] only = and != equations work for auid field

2023-05-18 Thread Chuan Li
Public bug reported:

lsb_release -rc
Release:        22.04
Codename:       jammy


dpkg -l|grep audi
ii  auditd             1:3.0.7-1build1  amd64  User space tools for security auditing
ii  libaudit-common    1:3.0.7-1build1  all    Dynamic library for security auditing - common files
ii  libaudit1:amd64    1:3.0.7-1build1  amd64  Dynamic library for security auditing
ii  libauparse0:amd64  1:3.0.7-1build1  amd64  Dynamic library for parsing security auditing

work for = and !=
$ sudo auditctl -a always,exit -F auid=1000
$ sudo auditctl -a always,exit -F auid!=1000
$ sudo auditctl -D
No rules

Do not work for < > <= >=

$ sudo auditctl -a always,exit -F auid<1000
-bash: 1000: No such file or directory
$ sudo auditctl -a always,exit -F auid>1000
-F missing operation for auid
$ sudo auditctl -a always,exit -F auid<=1000
-F missing operation for auid
$ sudo auditctl -a always,exit -F auid>=1000
-F missing operation for auid

 sudo auditctl -a always,exit -F auidubuntu
-F missing operation for auid
 sudo auditctl -a always,exit -F auid<=ubuntu
bash: =ubuntu: No such file or directory
 sudo auditctl -a always,exit -F auid>=ubuntu
-F missing operation for auid
 sudo auditctl -a always,exit -F auid>'ubuntu'
-F missing operation for auid
 sudo auditctl -a always,exit -F auid<'ubuntu'
-F missing operation for auid
 sudo auditctl -a always,exit -F auid<='ubuntu'
-F missing operation for auid
 sudo auditctl -a always,exit -F auid>='ubuntu'
-F missing operation for auid

** Affects: audit (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: sts

** Tags added: sts

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/2020163


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/2020163/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2020838] [NEW] [regression][jammy] augenrules Error sending add rule data request (No such file or directory)

2023-05-25 Thread Chuan Li
Public bug reported:


The rule '-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged' cannot be loaded during system boot-up.

# lsb_release -rc
Release:        22.04
Codename:       jammy

# dpkg -l|grep audit
ii  auditd             1:3.0.7-1build1  amd64  User space tools for security auditing
ii  libaudit-common    1:3.0.7-1build1  all    Dynamic library for security auditing - common files
ii  libaudit1:amd64    1:3.0.7-1build1  amd64  Dynamic library for security auditing
ii  libauparse0:amd64  1:3.0.7-1build1  amd64  Dynamic library for parsing security auditing

# cat /etc/audit/rules.d/audit.rules|grep -v ^#|grep -v ^$
-D
-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-b 8192
--backlog_wait_time 6
-f 1


# >/etc/audit/audit.rules

Reboot the system; no rule can be loaded.

# auditctl -l
No rules

syslog:

May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: Error sending add rule data request (No such file or directory)
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: There was an error in line 5 of /etc/audit/audit.rules
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: No rules
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0

# cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
--backlog_wait_time 6

But I can manually load the rule file. It seems this issue only happens
during system boot-up.

# auditctl -R /etc/audit/audit.rules
No rules
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 4
backlog_wait_time 15000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 4
backlog_wait_time 15000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 14
backlog_wait_time 6
backlog_wait_time_actual 0


# auditctl -l
-a always,exit -S all -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts


If I move the file /home/ubuntu/test.sh to /opt/test.sh, /etc/test.sh or
/usr/bin/test.sh, then I cannot reproduce the issue.
Additionally, I have ruled out AppArmor as a factor. I had already disabled
the AppArmor service and appended "apparmor=0" to the kernel command line
before rebooting.

Moreover, I can NOT reproduce this issue on Focal (1:2.8.5-2ubuntu6).


There are 2 issues here, I think:

1) If the rules can be loaded manually, why can't they be loaded
automatically at system startup?

2) When loading a particular rule fails, why are the subsequent rules
skipped?

** Affects: audit (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: sts

** Tags added: sts

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/2020838


[Touch-packages] [Bug 2020838] Re: [regression][jammy] augenrules Error sending add rule data request (No such file or directory)

2023-05-25 Thread Chuan Li
** Description changed:

- 
- The rule '-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 
-F auid!=unset -k privileged' can not be loaded during system boot up.
+ The rule '-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F
+ auid>=1000 -F auid!=unset -k privileged' can not be loaded during system
+ boot up.
  
  # lsb_release -rc
  Release:  22.04
  Codename: jammy
  
  # dpkg -l|grep audit
  ii  auditd  1:3.0.7-1build1 
amd64User space tools for security auditing
  ii  libaudit-common 1:3.0.7-1build1 
all  Dynamic library for security auditing - common files
  ii  libaudit1:amd64 1:3.0.7-1build1 
amd64Dynamic library for security auditing
  ii  libauparse0:amd64   1:3.0.7-1build1 
amd64Dynamic library for parsing security auditing
  
  # cat /etc/audit/rules.d/audit.rules|grep -v ^#|grep -v ^$
  -D
  -a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F 
auid!=unset -k privileged
  -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
  -b 8192
  --backlog_wait_time 6
  -f 1
+ 
+ # ls -l /home/ubuntu/test.sh 
+ -rwxr-xr-x 1 root ubuntu 19 May 25 14:19 /home/ubuntu/test.sh
+ 
+ # cat /home/ubuntu/test.sh
+ #!/bin/bash
+ echo 1
  
  
  # >/etc/audit/audit.rules
  
  reboot the system, no rule can be loaded
  
  # auditctl -l
  No rules
  
  syslog:
  
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: Error sending add rule 
data request (No such file or directory)
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: There was an error in 
line 5 of /etc/audit/audit.rules
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: No rules
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0
  
  # cat /etc/audit/audit.rules
  ## This file is automatically generated from /etc/audit/rules.d
  -D
  -b 8192
  -f 1
  -a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F 
auid!=unset -k privileged
  -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
  --backlog_wait_time 6
  
  But I can manually load the rule file. Seems this issue only happen
  during system boot up.
  
  # auditctl -R /etc/audit/audit.rules
  No rules
  enabled 1
  failure 1
  pid 476
  rate_limit 0
  backlog_limit 8192
  lost 0
  backlog 4
  backlog_wait_time 15000
  backlog_wait_time_actual 0
  enabled 1
  failure 1
  pid 476
  rate_limit 0
  backlog_limit 8192
  lost 0
  backlog 4
  backlog_wait_time 15000
  backlog_wait_time_actual 0
  enabled 1
  failure 1
  pid 476
  rate_limit 0
  backlog_limit 8192
  lost 0
  backlog 14
  backlog_wait_time 6
  backlog_wait_time_actual 0
  
- 
  # auditctl -l
  -a always,exit -S all -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F 
auid!=-1 -F key=privileged
  -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts
  
- 
- If I move the file /home/ubuntu/test.sh to / opt/test.sh or /etc/test.sh 
/usr/bin/test.sh, then I can not reproduce the issue. 
- Additionally, I have ruled out AppArmor as a factor. I have already disabled 
the AppArmor service and append "apparmor=0" into the kernel command line 
before rebooting. 
+ If I move the file /home/ubuntu/test.sh to / opt/test.sh or /etc/test.sh 
/usr/bin/test.sh, then I can not reproduce the issue.
+ Additionally, I have ruled out AppArmor as a factor. I have already disabled 
the AppArmor service and append "apparmor=0" into the kernel command line 
before rebooting.
  
  Moreover, I can NOT reproduce this issue on Focal(1:2.8.5-2ubuntu6)
- 
  
  There are 2 issues here, I think
  
  1) If the rules can be loaded manually, why can't they be

[Touch-packages] [Bug 2020163] Re: only = and != equations work for auid field

2023-05-25 Thread Chuan Li
> and < should be escaped in the shell. It's not a bug. Closing it.

** Changed in: audit (Ubuntu)
   Status: New => Invalid


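The closing comment above is the whole explanation: an unquoted `>` or `<` is a redirection operator to the shell, so auditctl never receives it. The following is an added example, not code from the audit project or from the reporter: a small, constructed model of POSIX word splitting (single quotes, double quotes, backslash, and the unquoted `<`/`>` operators) that reproduces the three failure modes seen in the report offline, and then validates each `-F` expression against the operator set auditctl(8) documents (`=`, `!=`, `<`, `>`, `<=`, `>=`, `&`, `&=`). The function names are my own.

```python
# Added example, not code from the audit project: a small model of POSIX shell
# word splitting, enough to show why `-F auid>1000` never reaches auditctl
# intact.  Only single quotes, double quotes, backslash and the unquoted '<' and
# '>' redirection operators are modelled; all names here are constructed.

# Operators auditctl(8) accepts in a -F expression, longest first so that
# '<=' is matched before '<' and '!=' before '='.
AUDITCTL_OPS = ("!=", "<=", ">=", "&=", "=", "<", ">", "&")


def shell_words(cmdline):
    """Split a command line into words the way a POSIX shell does, emitting an
    unquoted '<' or '>' as a separate redirection token."""
    words, cur, quote, have_word, i = [], "", None, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if quote:                                   # inside '...' or "..."
            if c == quote:
                quote = None
            elif c == "\\" and quote == '"' and i + 1 < len(cmdline):
                i += 1
                cur += cmdline[i]
            else:
                cur += c
        elif c in "'\"":
            quote, have_word = c, True
        elif c == "\\" and i + 1 < len(cmdline):    # backslash escapes next char
            i += 1
            cur += cmdline[i]
            have_word = True
        elif c in "<>":                             # unquoted redirection operator
            if have_word:
                words.append(cur)
            words.append(c)
            cur, have_word = "", False
        elif c.isspace():
            if have_word:
                words.append(cur)
            cur, have_word = "", False
        else:
            cur += c
            have_word = True
        i += 1
    if have_word:
        words.append(cur)
    return words


def argv_and_redirections(cmdline):
    """Return (argv, redirections): what the command actually receives, and the
    (operator, filename) pairs the shell consumed before starting it."""
    words = shell_words(cmdline)
    argv, redirs, i = [], [], 0
    while i < len(words):
        if words[i] in ("<", ">"):
            target = words[i + 1] if i + 1 < len(words) else None
            redirs.append((words[i], target))
            i += 2
        else:
            argv.append(words[i])
            i += 1
    return argv, redirs


def check_filter(expr):
    """Parse one -F expression into (field, op, value); None if no operator."""
    for op in AUDITCTL_OPS:
        field, sep, value = expr.partition(op)
        if sep and field and value:
            return field, op, value
    return None


def filters_seen_by_auditctl(cmdline):
    """Report each -F expression as auditctl would see it after the shell has
    done its word splitting and redirection handling."""
    argv, redirs = argv_and_redirections(cmdline)
    report, i = [], 0
    while i < len(argv):
        if argv[i] == "-F":
            expr = argv[i + 1] if i + 1 < len(argv) else ""
            report.append((expr, "ok" if check_filter(expr) else "missing operation"))
            i += 2
        else:
            i += 1
    return report, redirs


if __name__ == "__main__":
    for cmd in ("sudo auditctl -a always,exit -F auid>1000",
                "sudo auditctl -a always,exit -F auid<=ubuntu",
                "sudo auditctl -a always,exit -F 'auid>=1000' -F auid!=unset"):
        print(cmd)
        print("  ", filters_seen_by_auditctl(cmd))
```

Run against the report's own command lines, the model gives the same picture as the transcript: `auid>1000` and `auid>=1000` become `-F auid` plus a redirection into a file named `1000` or `=1000`, which is the "-F missing operation for auid" case; `auid<1000` and `auid<=ubuntu` are input redirections from a file that does not exist, which is the "No such file or directory" the shell prints before auditctl even starts. Quoting the expression (`-F 'auid>=1000'`) or escaping the operator (`auid\>=1000`) delivers it whole. Rules in /etc/audit/rules.d are read by augenrules and `auditctl -R` without any shell in between, which is why the second report's rule files carry `auid>=1000` bare and load fine.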

[Touch-packages] [Bug 2020838] Re: [regression][jammy] augenrules Error sending add rule data request (No such file or directory)

2023-05-30 Thread Chuan Li
Hi Seth,

Thank you for the advice about "-i". It works if I append "-i" to the
problematic line.

It's strange that:

1) I cannot see any difference between /home/ubuntu/test.sh, /opt/test.sh,
/etc/test.sh and /usr/bin/test.sh, as there is no separate partition:

lsblk
vda     252:0    0   20G  0 disk
├─vda1  252:1    0 19.9G  0 part /
├─vda14 252:14   0    4M  0 part
└─vda15 252:15   0  106M  0 part /boot/efi

2) Focal can not reproduce the issue.


Thanks


[Touch-packages] [Bug 2020838] Re: [regression][jammy] augenrules Error sending add rule data request (No such file or directory)

2023-05-30 Thread Chuan Li
Comparing the file /etc/systemd/system/multi-user.target.wants/auditd.service
between Focal and Jammy, I can see Jammy has the line "ProtectHome=true". If I
remove this line and reboot the system, then the rule can be loaded at system
boot-up.

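The ProtectHome finding above explains both observations in the thread: systemd.exec(5) says ProtectHome=true makes /home, /root and /run/user inaccessible and empty for the unit, so a path watch below /home cannot be resolved when augenrules runs inside auditd.service at boot, while the same rule loads from a root shell (which has no such sandbox) and works for /opt, /etc and /usr/bin. The "-i" workaround mentioned earlier in the thread only skips the failing rule so the rest still load; it does not make the watch work. The following is an added example, not code from the audit project or Ubuntu: a checker that reads the effective unit settings and the rules file and flags every `-w PATH` or `-F path=PATH` that the sandbox will hide. The unit text and rules are constructed samples (the two rule lines are the ones from the report), and the function names are my own.

```python
# Added example (not code from the audit project or Ubuntu): cross-check an
# audit rules file against the systemd sandboxing of auditd.service.  With
# ProtectHome=true the service sees empty /home, /root and /run/user, so a
# -w or -F path= rule below those directories cannot be resolved at boot.
# Unit text, rules and function names below are constructed for this example.
import shlex

# Directories systemd hides from a unit with ProtectHome=true (systemd.exec(5)).
PROTECT_HOME_DIRS = ("/home", "/root", "/run/user")
# Values of ProtectHome= that actually hide the directories; "read-only"
# keeps them visible, so path resolution still works under it.
HIDING_VALUES = ("yes", "true", "on", "1", "tmpfs")

SAMPLE_UNIT = """\
[Unit]
Description=Security Auditing Service

[Service]
Type=forking
ExecStart=/sbin/auditd
ProtectHome=true
"""

SAMPLE_RULES = """\
-D
-b 8192
-f 1
-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-w /etc/test.sh -p x -k etc_exec
-w /root/.ssh -p wa -k root_ssh
"""


def parse_unit(unit_text):
    """Return the effective Key=Value settings of a unit file; a later
    assignment overrides an earlier one, as systemd does."""
    settings = {}
    for line in unit_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def watched_paths(rules_text):
    """Yield (line_no, path) for every -w PATH and -F path=PATH in a rules file.
    Rule files are not shell-parsed, so 'auid>=1000' is one token here."""
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        args = shlex.split(line)
        for i, arg in enumerate(args):
            if arg == "-w" and i + 1 < len(args):
                yield line_no, args[i + 1]
            elif arg == "-F" and i + 1 < len(args) and args[i + 1].startswith("path="):
                yield line_no, args[i + 1][len("path="):]


def unloadable_at_boot(unit_text, rules_text):
    """Return [(line_no, path, reason)] for watches that the unit's ProtectHome
    setting will hide from augenrules when it runs inside the service."""
    settings = parse_unit(unit_text)
    protect_home = settings.get("ProtectHome", "no").lower()
    findings = []
    if protect_home in HIDING_VALUES:
        for line_no, path in watched_paths(rules_text):
            if any(path == d or path.startswith(d + "/") for d in PROTECT_HOME_DIRS):
                findings.append((line_no, path, "hidden by ProtectHome=%s" % protect_home))
    return findings


if __name__ == "__main__":
    for line_no, path, reason in unloadable_at_boot(SAMPLE_UNIT, SAMPLE_RULES):
        print("rules line %d: %s (%s)" % (line_no, path, reason))
```

The checker deliberately reads the unit's effective settings rather than just grepping for the string, because the real fix belongs in a drop-in override rather than in editing the packaged unit: a `ProtectHome=read-only` override keeps the hardening while leaving the paths resolvable, whereas removing the line, as the thread did for the experiment, gives the service full write access to home directories again.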