Debian GNU/Linux

auditctl: Error sending add rule data request (Invalid argument) - Enable CONFIG_AUDITSYSCALL in kernel config

Reported by Chris Bozic on 2007-09-18
Affects: audit (Debian). Status: Fix Released. Importance: Unknown.
Affects: audit (Ubuntu). Importance: Medium. Assigned to: Unassigned.
Affects: linux (Ubuntu). Importance: Medium. Assigned to: Stefan Bader.

Bug Description

Binary package hint: auditd

After a clean install and synaptic update of Gutsy, I installed auditd. However, I am unable to configure it using /etc/auditd/audit.rules, the auditctl command line tool, or the example sample.rules file in /usr/share/doc/auditd/examples. Basically, if I run:

sudo auditctl -w /etc/passwd

I get the following error:

Error sending add rule data request (Invalid argument)

Tyler Mitchell (fission) wrote :

I am also seeing this behaviour. I see a [kauditd] and /sbin/auditd running, yet none of the examples actually seem to work.

Andrew Whyte (andrew-whyte) wrote :

Same here:

$ sudo service auditd status
=> * auditd is running.

$ sudo auditctl -w /etc/passwd
=> Error sending add rule data request (Invalid argument)

Has anyone found a solution? Apparently auditing has moved into the kernel, but I can't see any evidence of this in Gutsy. As it is, the "auditd" package is pretty useless...

To the best of my knowledge, the auditd package only seems to work when
using AppArmor. However, using regular auditd configurations like those
mentioned in previous posts does not work. That is unfortunate since AppArmor
doesn't meet my auditing requirements and it appears (from what I've read
about it) that auditd should.

Chris Bozic

On Nov 30, 2007 6:12 AM, Andrew Whyte <email address hidden> wrote:

> Same here:
>
> $ sudo service auditd status
> => * auditd is running.
>
> $ sudo auditctl -w /etc/passwd
> => Error sending add rule data request (Invalid argument)
>
> Has anyone found a solution? Apparently auditing has moved into the
> kernel, but I can't see any evidence of this in Gutsy. As it is, the
> "auditd" package is pretty useless...

Mathias Gug (mathiaz) on 2008-01-05
Changed in audit:
status: New → Unknown
Changed in audit:
status: Unknown → New

I'm observing this problem as well (with the Gutsy version of the auditd package, 1.5.4). I'm unable to add any auditing rules via "auditctl". It's not evident whether this is a problem with the "auditd" daemon or "auditctl".

Surprisingly, this problem does not seem to be happening to the Red Hat users, because there are no complaints on the auditd forum on Red Hat, from where this package originates. The problem only seems to be occurring for Debian/Ubuntu users. This suggests it may be the result of a dependency problem, where Ubuntu is using a different package set than the Red Hat folks. But that's just a guess.

I tried installing a more recent version of the auditd package (1.6.4), along with the dependent packages (e.g., libc), and continued having the same problem.

If anyone has any insight into why this is a problem in Ubuntu, and not Red Hat, I would appreciate help.

Bill Brennan

Mathias Gug (mathiaz) wrote :

The kernel config should have the CONFIG_AUDITSYSCALL option set (see https://www.redhat.com/archives/linux-audit/2008-January/msg00015.html).

Changed in audit:
importance: Undecided → Medium
status: New → Triaged
Mathias Gug (mathiaz) wrote :

As mentioned in this post, https://www.redhat.com/archives/linux-audit/2008-January/msg00029.html, the above solution fixed this bug. Thus marking this bug Invalid for the audit package.

Changed in audit:
status: Triaged → Invalid
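
A check for the condition identified above, as an added example that is not part of the original bug thread or of the audit package: it reads a kernel config file and reports whether CONFIG_AUDIT and CONFIG_AUDITSYSCALL are both built in. The function names and status strings are hypothetical; the config locations tried are the usual /boot/config-<release> and /proc/config.gz.

```shell
#!/bin/sh
# Added example: classify a kernel config file for audit rule support.

# Print the value of one CONFIG_ symbol ("y", "m", ...) or "unset".
# $1 = symbol, $2 = config file (plain text, or gzip such as /proc/config.gz)
kconfig_value() {
    case "$2" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    val=$($reader "$2" 2>/dev/null | sed -n "s/^$1=\(.*\)$/\1/p" | head -n 1)
    printf '%s\n' "${val:-unset}"
}

# Prints ok | no-syscall-audit | no-audit | no-config for the given file.
audit_kconfig_status() {
    [ -r "$1" ] || { echo "no-config"; return 2; }
    # CONFIG_AUDITSYSCALL depends on CONFIG_AUDIT in the kernel's Kconfig.
    if [ "$(kconfig_value CONFIG_AUDIT "$1")" != "y" ]; then
        echo "no-audit"; return 1
    fi
    # The option this bug turned on; without it auditctl -w fails as reported.
    if [ "$(kconfig_value CONFIG_AUDITSYSCALL "$1")" != "y" ]; then
        echo "no-syscall-audit"; return 1
    fi
    echo "ok"
}

# Print the first readable config for the running kernel (common locations).
find_running_kconfig() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Report on the running kernel when its config can be found.
if cfg=$(find_running_kconfig); then
    printf '%s: %s\n' "$cfg" "$(audit_kconfig_status "$cfg")"
fi
```

A result of no-syscall-audit matches the situation in this report: auditd and kauditd can be running while every auditctl rule is rejected with "Invalid argument".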

As recently discovered, the Ubuntu kernel, as supplied, makes it impossible to use the auditd package. So, Mathias Gug marked this auditd bug as invalid, since the auditd package is really not responsible for the problems we encountered.

However, there is still a bug within the entire Ubuntu system, as auditing will not work with the supplied system (current Kernel + auditd package).

So is it now appropriate to mark this as a bug in the kernel configuration? Is that the next step in Ubuntu civic duty?

Reassigning to the kernel team.

Changed in linux:
assignee: nobody → ubuntu-kernel-team
importance: Undecided → Medium
status: New → Triaged
Changed in linux:
assignee: ubuntu-kernel-team → stefan-bader-canonical
status: Triaged → In Progress
Stefan Bader (smb) wrote :

Fix committed as 9aac2d6a3553fc4581d69ce6337865847eddde57.

Changed in linux:
status: In Progress → Fix Committed
Tim Gardner (timg-tpi) wrote :

Should this config option also be set in the -rt and -lpia flavours? I think it makes sense for -rt at least.

Stefan Bader (smb) wrote :

Config option has been enabled for those custom builds, too.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-5.8

---------------
linux (2.6.24-5.8) hardy; urgency=low

  [Alessio Igor Bogani]

  * rt: Update to 2.6.24-rc8-rt1
  * rt: Update configuration files

  [Amit Kucheria]

  * Asix: fix breakage caused in 2.6.24-rc7
  * Add CONFIG_CPUSETS to server-related flavours
    - LP: #182434

  [Chuck Short]

  * SAUCE: ata: blacklist FUJITSU MHW2160BH PL
    - LP: #175834

  [Kees Cook]

  * AppArmor: updated patch series to upstream SVN 1079.

  [Soren Hansen]

  * Updated configs to enable virtio stuff Ignore: yes

  [Stefan Bader]

  * Enabled CONFIG_BSD_PROCESS_ACCT=y for sparc.
    - LP: #176587
  * Enable CONFIG_AUDITSYSCALL=y.
    - LP: #140784
  * Added CONFIG_AUDIT_SYSCALL=y to custom lpia(compat)
  * Enabled CONFIG_HUGETLBFS=y for i386/server amd64/server and ia64.
  * Lower priority of pnpacpi resource messages to warning level.
    - LP: #159241
  * Fix the messed up message level of pnpacpi parser.

  [Tim Gardner]

  * Start new release, bump ABI to -5
  * Disabled iwlwifi preperatory to moving it to l-u-m.
  * Enabled CONFIG_USB_SERIAL_KEYSPAN
  * Disabled CONFIG_CGROUPS.
  * Virtio config settings for -rt.
  * Re-enable IWLWIFI in the kernel.
  * Fixed -rt saa7134-core.c FTBS

  [Upstream Kernel Changes]

  * Input: Handle EV_PWR type of input caps in input_set_capability.
  * Input: jornada680_kbd - fix default keymap
  * increase PNP_MAX_PORT to 40 from 24
  * sched: fix gcc warnings
  * leds: Fix leds_list_lock locking issues
  * leds: Fix locomo LED driver oops
  * x86: fix asm-x86/byteorder.h for userspace export
  * x86: fix asm-x86/msr.h for user-space export
  * ACPI: EC: Enable boot EC before bus_scan
  * ACPI: Make sysfs interface in ACPI power optional.
  * fix lguest rmmod "bad pgd"
  * slub: provide /proc/slabinfo
  * [POWERPC] Fix build failure on Cell when CONFIG_SPU_FS=y
  * slub: register slabinfo to procfs
  * [SCSI] scsi_sysfs: restore prep_fn when ULD is removed
  * Unify /proc/slabinfo configuration
  * scsi: revert "[SCSI] Get rid of scsi_cmnd->done"
  * restrict reading from /proc/<pid>/maps to those who share ->mm or can
    ptrace pid
  * Fix kernel/ptrace.c compile problem (missing "may_attach()")
  * hwmon: (w83627ehf) Be more careful when changing VID input level
  * NFS: Fix a possible Oops in fs/nfs/super.c
  * NFSv4: Fix circular locking dependency in nfs4_kill_renewd
  * NFS: add newline to kernel warning message in auth_gss code
  * NFSv4: nfs4_open_confirm must not set the open_owner as confirmed on
    error
  * NFSv4: Fix open_to_lock_owner sequenceid allocation...
  * gameport: don't export functions that are static inline
  * Input: spitzkbd - fix suspend key handling
  * Input: pass EV_PWR events to event handlers
  * [ARM] 4735/1: Unbreak pxa25x suspend/resume
  * IB/srp: Fix list corruption/oops on module reload
  * Console is utf-8 by default
  * [IA64] Update Altix BTE error return status patch
  * [IA64] Update Altix nofault code
  * [X25]: Add missing x25_neigh_put
  * [XFRM]: Do not define km_migrate() if !CONFIG_XFRM_MIGRATE
  * [CASSINI]: Fix endianness bug.
  * [CASSINI]: Revert 'dont touch page_count'.
  * [CASSINI]: Program parent Inte...

Changed in linux:
status: Fix Committed → Fix Released
Changed in audit (Debian):
status: New → Fix Released