Thanks for the strace, these looked like the 'important' parts:

sendto(3, {{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=3, 
pid=0}, 
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...},
 56, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 56
poll([{fd=3, events=POLLIN}], 1, 500)   = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=3, pid=2734242}, 
{error=-EEXIST, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, 
seq=3, pid=0}, 
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}},
 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, 
nl_groups=00000000}, [12]) = 76
recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=3, pid=2734242}, 
{error=-EEXIST, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, 
seq=3, pid=0}, 
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}},
 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 
[12]) = 76
write(2, "Error setting audit daemon pid ("..., 44Error setting audit daemon 
pid (File exists)) = 44

...

write(2, "The audit daemon is exiting.", 28The audit daemon is exiting.) = 28
write(2, "\n", 1
)                       = 1
sendto(3, {{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=4, 
pid=0}, 
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...},
 56, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 56
poll([{fd=3, events=POLLIN}], 1, 500)   = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=4, pid=2734242}, 
{error=-EACCES, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, 
seq=4, pid=0}, 
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}},
 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, 
nl_groups=00000000}, [12]) = 76
recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=4, pid=2734242}, 
{error=-EACCES, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, 
seq=4, pid=0}, 
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}},
 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 
[12]) = 76
write(2, "Error setting audit daemon pid ("..., 50Error setting audit daemon 
pid (Permission denied)) = 50
write(2, "\n", 1
)                       = 1

I don't understand why it's issuing an AUDIT_SET command after it
already decided to exit -- maybe it's just trying to tear itself down
cleanly.


I found a few cases in the kernel code for returning both file exists and 
permission denied:

kernel/audit.c audit_netlink_ok():

                /* Only support auditd and auditctl in initial pid namespace
                 * for now. */
                if (task_active_pid_ns(current) != &init_pid_ns)
                        return -EPERM;

                if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
                        err = -EPERM;
                break;


kernel/audit.c audit_receive_msg():

                        auditd_pid = auditd_pid_vnr();
                        if (auditd_pid) {
                                /* replacing a healthy auditd is not allowed */
                                if (new_pid) {
                                        audit_log_config_change("audit_pid",
                                                        new_pid, auditd_pid, 0);
                                        return -EEXIST;
                                }


kernel/audit.c audit_set_feature():

                /* are we changing a locked feature? */
                if (old_lock && (new_feature != old_feature)) {
                        audit_log_feature_change(i, old_feature, new_feature,
                                                 old_lock, new_lock, 0);
                        return -EPERM;
                }


Do any of these feel applicable to your environment?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1873627

Title:
  auditd fails after moving /var to a new filesystem and turning
  /var/run into a symlink to /run

Status in audit package in Ubuntu:
  Confirmed

Bug description:
  Auditd was working on my system (Ubuntu 18.04LTS, kernel
  4.15.0-1065-aws) until recently. But after splitting off /var into a
  new filesystem it fails to launch.

  Running '/sbin/auditd -f' as root indicates a problem writing the pid file 
(no file exists even when it says one does). Post config load command output: 
  Started dispatcher: /sbin/audispd pid: 16927
  type=DAEMON_START msg=audit(1587280022.692:2019): op=start ver=2.8.2 
format=raw kernel=4.15.0-1065-aws auid=878601141 pid=16925 uid=0 ses=24 
subj=unconfined  res=success
  config_manager init complete
  Error setting audit daemon pid (File exists)
  type=DAEMON_ABORT msg=audit(1587280022.692:2020): op=set-pid auid=878601141 
pid=16925 uid=0 ses=24 subj=unconfined  res=failed
  Unable to set audit pid, exiting
  The audit daemon is exiting.
  Error setting audit daemon pid (Permission denied)

  /var/run is a symlink to /run
  /var/run permissions are 777 root:root
  /run permissions are 755f root:root
  no /run/auditd.pid and subsequently no /var/run/auditd.pid exists (even 
though the error incorrectly reports otherwise).

  /var/log/audit/audit.log output
  type=DAEMON_START msg=audit(1587278222.942:5617): op=start ver=2.8.2 
format=raw kernel=4.15.0-1065-aws auid=4294967295 pid=7529 uid=0 ses=4294967295 
subj=unconfined  res=success
  type=DAEMON_ABORT msg=audit(1587278222.943:5618): op=set-pid auid=4294967295 
pid=7529 uid=0 ses=4294967295 subj=unconfined  res=failed

  I have been pulling my hair out over this one. So I ran 'strace /sbin/auditd 
-f' and found the following line in the output.
  "openat(AT_FDCWD, "/var/run/auditd.pid", O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 
0644) = 4"
  I am grasping at straws, but suspect that the O_NOFOLLOW option is causing a 
failure in creating the pid file since /var/run is a symlink. I could be wrong 
but I can't find anything else to suspect. 

  Since it is best practice to split /var into a separate file system to
  prevent filling the root filesystem in case of an unexpected increase
  in log collection I suspect this is a bug. So either the system needs
  to be able to follow symlinks or an option such as pid_file=[filepath]
  needs to be available in /etc/audit/auditd.conf.
