Hello, my guess is /home or /home/ubuntu may not exist when the audit
rules are loaded.
The file and directory watches work by setting up inotify watches on the
underlying objects, and if the file or directory doesn't exist, there's
nothing to watch. So, it errors.
You can add -i to the configuration file to have it continue onwards
despite the error:
-i When given by itself, ignore errors when reading rules
from a file. This causes auditctl to always return a
success exit code. If passed as an argument to -s then
it gives an interpretation of the numbers to human
readable words if possible.
I'm not sure what to suggest for actually working around the problem, though.
Reloading the rules some point after booting, once all the filesystems are
mounted, would make sense, but I'm not sure how to ask systemd to do that.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/2020838
Title:
[regression][jammy] augenrules Error sending add rule data request (No
such file or directory)
Status in audit package in Ubuntu:
New
Bug description:
The rule '-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F
auid>=1000 -F auid!=unset -k privileged' can not be loaded during
system boot up.
# lsb_release -rc
Release: 22.04
Codename: jammy
# dpkg -l|grep audit
ii auditd 1:3.0.7-1build1
amd64 User space tools for security auditing
ii libaudit-common 1:3.0.7-1build1
all Dynamic library for security auditing - common files
ii libaudit1:amd64 1:3.0.7-1build1
amd64 Dynamic library for security auditing
ii libauparse0:amd64 1:3.0.7-1build1
amd64 Dynamic library for parsing security auditing
# cat /etc/audit/rules.d/audit.rules|grep -v ^#|grep -v ^$
-D
-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F
auid!=unset -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-b 8192
--backlog_wait_time 60000
-f 1
# ls -l /home/ubuntu/test.sh
-rwxr-xr-x 1 root ubuntu 19 May 25 14:19 /home/ubuntu/test.sh
# cat /home/ubuntu/test.sh
#!/bin/bash
echo 1
# >/etc/audit/audit.rules
reboot the system, no rule can be loaded
# auditctl -l
No rules
syslog:
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: Error sending add rule
data request (No such file or directory)
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: There was an error in
line 5 of /etc/audit/audit.rules
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: No rules
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0
# cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F
auid!=unset -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
--backlog_wait_time 60000
But I can manually load the rule file. Seems this issue only happen
during system boot up.
# auditctl -R /etc/audit/audit.rules
No rules
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 4
backlog_wait_time 15000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 4
backlog_wait_time 15000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 14
backlog_wait_time 60000
backlog_wait_time_actual 0
# auditctl -l
-a always,exit -S all -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F
auid!=-1 -F key=privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts
If I move the file /home/ubuntu/test.sh to / opt/test.sh or /etc/test.sh
/usr/bin/test.sh, then I can not reproduce the issue.
Additionally, I have ruled out AppArmor as a factor. I have already disabled
the AppArmor service and append "apparmor=0" into the kernel command line
before rebooting.
Moreover, I can NOT reproduce this issue on Focal(1:2.8.5-2ubuntu6)
There are 2 issues here, I think
1) If the rules can be loaded manually, why can't they be loaded
automatically at system startup?
2) When loading a particular rule fails, why are the subsequent rules
skipped?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/2020838/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
