Hi,
I'm trying to install auditd on my system (Ubuntu 20.04.2 LTS, kernel  
5.4.0-72-generic) but I've got the same problem:

# systemctl status auditd
● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2021-05-13 11:52:40 CEST; 22min ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 2715947 ExecStart=/sbin/auditd (code=exited, status=1/FAILURE)

May 13 11:52:40 ***.***.** audispd[2715950]: No plugins found, exiting
May 13 11:52:40 ***.***.** auditd[2715948]: Error setting audit daemon pid (File exists)
May 13 11:52:40 ***.***.** auditd[2715948]: Unable to set audit pid, exiting
May 13 11:52:40 ***.***.** auditd[2715948]: The audit daemon is exiting.
May 13 11:52:40 ***.***.** auditd[2715948]: Error setting audit daemon pid (Permission denied)
May 13 11:52:40 ***.***.** auditd[2715947]: Cannot daemonize (Success)
May 13 11:52:40 ***.***.** auditd[2715947]: The audit daemon is exiting.
May 13 11:52:40 ***.***.** systemd[1]: auditd.service: Control process exited, code=exited, status=1/FAILURE
May 13 11:52:40 ***.***.** systemd[1]: auditd.service: Failed with result 'exit-code'.
May 13 11:52:40 ***.***.** systemd[1]: Failed to start Security Auditing Service.

I've modified the path for pid from /run to /var/run but nothing changed.
This is the output from auditd -f:

Config file /etc/audit/auditd.conf opened for parsing
local_events_parser called with: yes
write_logs_parser called with: yes
log_file_parser called with: /var/log/audit/audit.log
log_group_parser called with: adm
log_format_parser called with: RAW
flush_parser called with: INCREMENTAL_ASYNC
freq_parser called with: 50
max_log_size_parser called with: 8
num_logs_parser called with: 5
priority_boost_parser called with: 4
qos_parser called with: lossy
dispatch_parser called with: /sbin/audispd
name_format_parser called with: NONE
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
verify_email_parser called with: yes
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
use_libwrap_parser called with: yes
tcp_listen_queue_parser called with: 5
Listener support is not enabled, ignoring value at line 30
tcp_max_per_addr_parser called with: 1
Listener support is not enabled, ignoring value at line 31
tcp_client_max_idle_parser called with: 0
Listener support is not enabled, ignoring value at line 33
enable_krb5_parser called with: no
krb5_principal_parser called with: auditd
distribute_network_parser called with: no
Started dispatcher: /sbin/audispd pid: 2734164
type=DAEMON_START msg=audit(1620901085.986:3240): op=start ver=2.8.5 format=raw kernel=5.4.0-72-generic auid=444800001 pid=2734162 uid=0 ses=105896 subj=unconfined  res=success
config_manager init complete
Error setting audit daemon pid (File exists)
type=DAEMON_ABORT msg=audit(1620901085.988:3241): op=set-pid auid=444800001 pid=2734162 uid=0 ses=105896 subj=unconfined  res=failed
Unable to set audit pid, exiting
The audit daemon is exiting.
Error setting audit daemon pid (Permission denied)


I've also attached the strace command output.


** Attachment added: "strace auditd -f"
   
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1873627/+attachment/5497028/+files/strace_auditd-f.txt

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1873627

Title:
  auditd fails after moving /var to a new filesystem and turning
  /var/run into a symlink to /run

Status in audit package in Ubuntu:
  New

Bug description:
  Auditd was working on my system (Ubuntu 18.04LTS, kernel
  4.15.0-1065-aws) until recently. But after splitting off /var into a
  new filesystem it fails to launch.

  Running '/sbin/auditd -f' as root indicates a problem writing the pid file (no file exists even when it says one does). Post-config-load command output:
  Started dispatcher: /sbin/audispd pid: 16927
  type=DAEMON_START msg=audit(1587280022.692:2019): op=start ver=2.8.2 format=raw kernel=4.15.0-1065-aws auid=878601141 pid=16925 uid=0 ses=24 subj=unconfined  res=success
  config_manager init complete
  Error setting audit daemon pid (File exists)
  type=DAEMON_ABORT msg=audit(1587280022.692:2020): op=set-pid auid=878601141 pid=16925 uid=0 ses=24 subj=unconfined  res=failed
  Unable to set audit pid, exiting
  The audit daemon is exiting.
  Error setting audit daemon pid (Permission denied)

  /var/run is a symlink to /run
  /var/run permissions are 777 root:root
  /run permissions are 755 root:root
  no /run/auditd.pid and subsequently no /var/run/auditd.pid exists (even though the error incorrectly reports otherwise).

  /var/log/audit/audit.log output
  type=DAEMON_START msg=audit(1587278222.942:5617): op=start ver=2.8.2 format=raw kernel=4.15.0-1065-aws auid=4294967295 pid=7529 uid=0 ses=4294967295 subj=unconfined  res=success
  type=DAEMON_ABORT msg=audit(1587278222.943:5618): op=set-pid auid=4294967295 pid=7529 uid=0 ses=4294967295 subj=unconfined  res=failed

  I have been pulling my hair out over this one. So I ran 'strace /sbin/auditd -f' and found the following line in the output.
  "openat(AT_FDCWD, "/var/run/auditd.pid", O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0644) = 4"
  I am grasping at straws, but suspect that the O_NOFOLLOW option is causing a failure in creating the pid file since /var/run is a symlink. I could be wrong but I can't find anything else to suspect.

  Since it is best practice to split /var into a separate file system to
  prevent filling the root filesystem in case of an unexpected increase
  in log collection I suspect this is a bug. So either the system needs
  to be able to follow symlinks or an option such as pid_file=[filepath]
  needs to be available in /etc/audit/auditd.conf.
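Editor's note (added here; not part of the reporter's text and not code from the audit project). Two things in the report itself point away from the pid file. First, the quoted strace line ends in "= 4": that openat() succeeded and returned file descriptor 4. Second, O_NOFOLLOW only rejects a symbolic link in the final path component; symlinked parent directories such as /var/run -> /run are resolved normally. The "Error setting audit daemon pid (File exists)" message carries the errno returned by the kernel for the audit netlink AUDIT_SET request with which auditd registers its pid. On kernels of the vintage in both reports the kernel answers EEXIST when a live auditd is already registered, and EACCES when a process other than that auditd tries to unregister it, which is exactly the "File exists" followed by "Permission denied" pair in both logs. The check a practitioner wants is therefore `auditctl -s`, which prints the pid the kernel currently has registered, followed by `ps -p <that pid>` to see what is holding it.

The program below, written for this page, demonstrates the open(2) semantics with the exact flags from the strace line. It builds a throwaway layout under /tmp (assumed writable): a real directory standing in for /run, a symlink to it standing in for /var/run, and a symlinked file name. Directory and file names are invented for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same flags as the openat() in the reporter's strace line. */
#define PIDFILE_FLAGS (O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW)

/* Create dir/name the way auditd creates its pid file.
 * Returns 0 on success, otherwise the errno reported by open(). */
static int pidfile_open_errno(const char *dir, const char *name)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, PIDFILE_FLAGS, 0644);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Reproduce the reporter's layout in a temporary directory (assumed /tmp):
 *   <base>/run                       real directory  (stands in for /run)
 *   <base>/var_run -> run            symlinked parent (stands in for /var/run)
 *   <base>/run/link.pid -> real.pid  symlink as the final path component
 * Stores the open() errno for each case and returns 1, or 0 on setup failure. */
int nofollow_experiment(int *err_parent_symlink, int *err_final_symlink)
{
    char base[] = "/tmp/nofollow-XXXXXX";
    char run[PATH_MAX], varrun[PATH_MAX], real[PATH_MAX], link[PATH_MAX];
    char created[PATH_MAX];
    int fd, ok = 0;

    if (mkdtemp(base) == NULL)
        return 0;
    snprintf(run, sizeof run, "%s/run", base);
    snprintf(varrun, sizeof varrun, "%s/var_run", base);
    snprintf(real, sizeof real, "%s/real.pid", run);
    snprintf(link, sizeof link, "%s/link.pid", run);
    snprintf(created, sizeof created, "%s/auditd.pid", run);

    if (mkdir(run, 0755) != 0 || symlink("run", varrun) != 0)
        goto out;

    /* Case 1: the pid file's parent directory is reached through a symlink,
     * like /var/run/auditd.pid with /var/run -> /run. Expected: success (0). */
    *err_parent_symlink = pidfile_open_errno(varrun, "auditd.pid");

    /* Case 2: the final component itself is a symlink. Expected: ELOOP. */
    fd = open(real, O_WRONLY | O_CREAT, 0644);
    if (fd < 0)
        goto out;
    close(fd);
    if (symlink("real.pid", link) != 0)
        goto out;
    *err_final_symlink = pidfile_open_errno(run, "link.pid");
    ok = 1;

out:
    /* Best-effort cleanup; failures for paths never created are ignored. */
    unlink(created);
    unlink(link);
    unlink(real);
    unlink(varrun);
    rmdir(run);
    rmdir(base);
    return ok;
}

int main(void)
{
    int e_parent = -1, e_final = -1;
    if (!nofollow_experiment(&e_parent, &e_final)) {
        perror("setup failed");
        return 1;
    }
    printf("symlinked parent dir: open() -> %s\n",
           e_parent == 0 ? "success" : strerror(e_parent));
    printf("symlinked final name: open() -> %s\n",
           e_final == 0 ? "success" : strerror(e_final));
    return 0;
}
```

Run it as any user; the first case succeeds through the symlinked parent and only the second fails with ELOOP, so a /var/run symlink cannot by itself produce the errors in the logs.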


-- 
Mailing list: https://launchpad.net/~touch-packages