Public bug reported:

The rule '-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged' cannot be loaded during system boot-up.

# lsb_release -rc
Release:        22.04
Codename:       jammy

# dpkg -l|grep audit
ii  auditd              1:3.0.7-1build1  amd64  User space tools for security auditing
ii  libaudit-common     1:3.0.7-1build1  all    Dynamic library for security auditing - common files
ii  libaudit1:amd64     1:3.0.7-1build1  amd64  Dynamic library for security auditing
ii  libauparse0:amd64   1:3.0.7-1build1  amd64  Dynamic library for parsing security auditing

# cat /etc/audit/rules.d/audit.rules|grep -v ^#|grep -v ^$
-D
-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-b 8192
--backlog_wait_time 60000
-f 1


# >/etc/audit/audit.rules

After rebooting the system, no rule can be loaded:

# auditctl -l
No rules

syslog:

May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: Error sending add rule data request (No such file or directory)
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: There was an error in line 5 of /etc/audit/audit.rules
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: No rules
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0

# cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
--backlog_wait_time 60000

But I can manually load the rule file. It seems this issue only happens
during system boot-up.

# auditctl -R /etc/audit/audit.rules
No rules
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 4
backlog_wait_time 15000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 4
backlog_wait_time 15000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 14
backlog_wait_time 60000
backlog_wait_time_actual 0


# auditctl -l
-a always,exit -S all -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts


If I move the file /home/ubuntu/test.sh to /opt/test.sh, /etc/test.sh or
/usr/bin/test.sh, then I cannot reproduce the issue.
Additionally, I have ruled out AppArmor as a factor: I disabled the AppArmor
service and appended "apparmor=0" to the kernel command line before
rebooting.

Moreover, I can NOT reproduce this issue on Focal (1:2.8.5-2ubuntu6).


There are two issues here, I think:

1) If the rules can be loaded manually, why can't they be loaded
automatically at system startup?

2) When loading a particular rule fails, why are the subsequent rules
skipped?

** Affects: audit (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: sts

** Tags added: sts

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/2020838

Title:
  [regression][jammy] augenrules Error sending add rule data request (No
  such file or directory)

Status in audit package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/2020838/+subscriptions
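A pre-flight check for the situation described in this report, added here as an example; it is not part of the bug report or of the audit package, and the helper names, the prefix-directory mechanism and the sample rules and `auditctl -l` capture it uses are my own constructions. The reporter's two questions map onto two checks. First, the kernel will accept a watch (`-w`, or `-F path=` on an `-a` rule) for a file that does not exist yet, but not for one whose parent directory is missing at the moment the rule is inserted; that insert fails with ENOENT, the error augenrules logs above. At boot, a path under a filesystem that is mounted after auditd starts (a separate /home, for instance) is one way to hit this while the same rule loads fine once the system is up, so the script lists every watched path whose parent directory is absent, optionally under a prefix directory so it can be exercised offline. Second, augenrules hands the merged file to `auditctl -R`, which stops at the first rule that fails; auditctl's documented `-c` option continues past the failure and still returns non-zero at the end, and the script's key comparison shows which keyed rules from the file are missing from `auditctl -l` either way.

```shell
#!/bin/sh
# Added example (not from the bug report or the audit package): pre-flight checks
# for an audit rules file.  Assumptions: rule paths contain no whitespace, and the
# optional ROOT prefix used for offline runs is a constructed directory tree.

# Print every watched path in a rules file: "-w /path" watches and "-F path=/path"
# fields on -a rules, one per line.  Comment lines are skipped.
audit_watched_paths() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-w") { print $(i + 1) }
                else if ($i == "-F" && $(i + 1) ~ /^path=/) { sub(/^path=/, "", $(i + 1)); print $(i + 1) }
            }
        }'
}

# List watched paths whose parent directory does not exist under $2 (a prefix
# directory; empty means the live filesystem).  Returns 1 if any are missing.
# A missing parent is exactly the condition under which adding the rule fails
# with ENOENT, so anything printed here would not load if added right now.
audit_missing_parents() {
    mp_rc=0
    for mp_path in $(audit_watched_paths "$1"); do
        mp_parent=$(dirname "$mp_path")
        if [ ! -d "${2:-}$mp_parent" ]; then
            printf '%s (parent %s missing)\n' "$mp_path" "$mp_parent"
            mp_rc=1
        fi
    done
    return $mp_rc
}

# Print the distinct rule keys in a file: "-k key" as written in rules files and
# "-F key=key" as auditctl -l reports loaded rules.
audit_rule_keys() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-k") { print $(i + 1) }
                else if ($i == "-F" && $(i + 1) ~ /^key=/) { sub(/^key=/, "", $(i + 1)); print $(i + 1) }
            }
        }' | sort -u
}

# Keys present in the rules file ($1) but absent from a capture of "auditctl -l"
# ($2): the rules that did not make it into the kernel.
audit_unloaded_keys() {
    for uk_key in $(audit_rule_keys "$1"); do
        audit_rule_keys "$2" | grep -qx -- "$uk_key" || echo "$uk_key"
    done
}

# Run both checks on the live system; needs root for auditctl -l.
audit_preflight() {
    pf_rules=${1:-/etc/audit/audit.rules}
    echo "== watched paths whose parent directory is missing right now =="
    audit_missing_parents "$pf_rules" "" || true
    echo "== keys in $pf_rules not reported by auditctl -l =="
    pf_loaded=$(mktemp)
    auditctl -l > "$pf_loaded" 2>&1
    audit_unloaded_keys "$pf_rules" "$pf_loaded"
    rm -f "$pf_loaded"
}

# Offline demonstration on a constructed tree: /home/ubuntu is absent (as it
# could be at boot when /home is mounted later), /etc is present, and the
# constructed "auditctl -l" capture shows only the mount rule loaded.
audit_demo() {
    d_tmp=$(mktemp -d)
    mkdir -p "$d_tmp/root/etc"
    printf '%s\n' \
        '-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged' \
        '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts' \
        '-w /etc/test.sh -p x -k etc_exec' > "$d_tmp/rules"
    printf '%s\n' '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts' > "$d_tmp/loaded"
    echo "== would fail with ENOENT if added now =="
    audit_missing_parents "$d_tmp/rules" "$d_tmp/root" || true
    echo "== keys not loaded =="
    audit_unloaded_keys "$d_tmp/rules" "$d_tmp/loaded"
    rm -rf "$d_tmp"
}

case "${1:-}" in demo) audit_demo ;; esac
```

Saved as, say, audit_preflight.sh (the file name is mine), `sh audit_preflight.sh demo` runs the offline demonstration; on a real host, source the file and call `audit_preflight` as root right after boot to see which watched directories are not present yet and which keys never reached the kernel.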


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp