Random auditd start failures on Ubuntu 20.04 EC2 AMIs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
audit (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Description: Ubuntu 20.04.5 LTS
Release: 20.04
linux-image-aws 5.15.0.
auditd 1:2.8.5-2ubuntu6
I am having issues with auditd on the official Ubuntu 20.04 LTS AMIs. I have tested this with published AMIs ami-0123376e204
I am following a process that has worked up to June 20 2022. The process installs and configures the audit package for CIS hardening. The process steps are:
• Launch an instance as a base, I’ve used ami-0123376e204
• Installed the packages listed below.
• Copied the “auditdconf” contents as /etc/audit/
• Copied the “auditrules” contents as /etc/audit/
• Edit /etc/default/grub, and set: GRUB_CMDLINE_
• Run: grub-mkconfig > /boot/grub/grub.cfg
• Stopped the instance, and created an AMI.
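A scripted form of the image-preparation steps above, added here as an example; it is not the reporter's own tooling. It assumes the config sources are files named auditd.conf and audit.rules under ./auditdconf and ./auditrules, that the grub variable being edited is GRUB_CMDLINE_LINUX, and, because the report's kernel parameter is cut off on this page, it stands in the CIS-style `audit=1 audit_backlog_limit=8192`. The grub edit is idempotent, so rebuilding an image from an already-hardened base does not stack duplicate parameters.

```shell
#!/bin/sh
# Added example of the image-preparation steps; not the reporter's script.
# Assumptions (not from the report): config sources in ./auditdconf and
# ./auditrules, the grub variable is GRUB_CMDLINE_LINUX, and the kernel
# parameters are the CIS-style "audit=1 audit_backlog_limit=8192" as a
# stand-in for the parameter that is cut off in the report.
set -eu

# Add each parameter to GRUB_CMDLINE_LINUX in the given file exactly once,
# so re-running the build never stacks duplicates. Pure file edit: no
# grub-mkconfig, no reboot. The original file's permissions are preserved.
set_grub_params() {
    grub_file=$1; shift
    for param in "$@"; do
        # already present as a whole token? then skip
        if grep -q "^GRUB_CMDLINE_LINUX=.*[\" ]${param}[\" ]" "$grub_file"; then
            continue
        fi
        tmp=$(mktemp)
        if grep -q '^GRUB_CMDLINE_LINUX=' "$grub_file"; then
            # append inside the existing quoted value
            sed "s/^GRUB_CMDLINE_LINUX=\"\(.*\)\"\$/GRUB_CMDLINE_LINUX=\"\1 ${param}\"/" "$grub_file" > "$tmp"
        else
            # no such line yet: create it
            { cat "$grub_file"; printf 'GRUB_CMDLINE_LINUX="%s"\n' "$param"; } > "$tmp"
        fi
        cat "$tmp" > "$grub_file"
        rm -f "$tmp"
    done
    # drop the leading space left behind when the value started out empty
    tmp=$(mktemp)
    sed 's/^GRUB_CMDLINE_LINUX=" /GRUB_CMDLINE_LINUX="/' "$grub_file" > "$tmp"
    cat "$tmp" > "$grub_file"
    rm -f "$tmp"
}

# Print the current GRUB_CMDLINE_LINUX value (used to verify the edit).
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# The live build: only runs on an instance when invoked with --live.
build_image() {
    apt-get install -y auditd audispd-plugins
    # file names under the two source directories are assumed
    install -o root -g root -m 0640 ./auditdconf/auditd.conf /etc/audit/auditd.conf
    install -o root -g root -m 0640 ./auditrules/audit.rules /etc/audit/rules.d/audit.rules
    set_grub_params /etc/default/grub audit=1 audit_backlog_limit=8192
    grub-mkconfig -o /boot/grub/grub.cfg
}

if [ "${1:-}" = "--live" ]; then
    build_image
fi
```

Run as `sh build-audit-image.sh --live` on the base instance before stopping it and creating the AMI; without `--live` it only defines the functions, which makes the grub edit testable on a scratch file.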
I then launch 10 or 14 instances of this AMI in us-west-2. Most will come up with the auditd service running and all rules loaded. Usually at least two come up broken for an unknown reason, with the auditd service reporting an error I cannot understand:
● auditd.service - Security Auditing Service
Loaded: loaded (/lib/systemd/
Active: failed (Result: exit-code) since Wed 2022-09-14 15:08:14 UTC; 22min ago
Docs: man:auditd(8)
https:/
Process: 357 ExecStart=
Sep 14 15:08:14 ip-10-210-197-90 systemd[1]: Starting Security Auditing Service...
Sep 14 15:08:14 ip-10-210-197-90 auditd[382]: Error receiving audit netlink packet (No buffer space available)
Sep 14 15:08:14 ip-10-210-197-90 auditd[382]: Error setting audit daemon pid (No buffer space available)
Sep 14 15:08:14 ip-10-210-197-90 auditd[382]: Unable to set audit pid, exiting
Sep 14 15:08:14 ip-10-210-197-90 auditd[357]: Cannot daemonize (Success)
Sep 14 15:08:14 ip-10-210-197-90 auditd[357]: The audit daemon is exiting.
Sep 14 15:08:14 ip-10-210-197-90 auditd[382]: The audit daemon is exiting.
Sep 14 15:08:14 ip-10-210-197-90 systemd[1]: auditd.service: Control process exited, code=exited, status=1/FAILURE
Sep 14 15:08:14 ip-10-210-197-90 systemd[1]: auditd.service: Failed with result 'exit-code'.
Sep 14 15:08:14 ip-10-210-197-90 systemd[1]: Failed to start Security Auditing Service.
When I launch the above, it is a launch of 10 or so instances from the same AMI, with the same parameters. As a matter of fact, the launch is done by requesting X number of instances during the EC2 instance launch
I've been trying to solve this for some time, and I've found the only way I can make the instances always start correctly is to remove the kernel "audit_
See attachments for the above mentioned files.
Thanks.
-Alan
Expected behavior:
* service loaded and active
* "auditctl -l" shows list of loaded rules
Seen behavior:
* service dead with errors shown above.
* "auditctl -l" reports "No rules".
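A post-launch check that encodes the expected behavior above, added here as an example and not part of the bug report. It classifies the instance from the outputs of `systemctl is-active auditd` and `auditctl -l`, and separately matches the netlink "No buffer space available" signature from the reporter's journal output so that this failure can be told apart from other start failures across a fleet. The journal lines it embeds are the ones quoted in the report; the live-mode command set and the name `audit_state` are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): post-launch check that encodes the
# expected behavior above, plus a match for the specific failure signature in
# the reporter's journal output. Suitable for cloud-init or a fleet-wide run.
set -eu

# Classify auditd state from the outputs of `systemctl is-active auditd`
# and `auditctl -l`. Prints ok | service-down | no-rules; non-zero unless ok.
audit_state() {
    svc=$1
    rules=$2
    if [ "$svc" != "active" ]; then
        echo service-down
        return 1
    fi
    # auditctl -l prints the literal line "No rules" when the ruleset is empty
    case $rules in
        ''|'No rules')
            echo no-rules
            return 1 ;;
    esac
    echo ok
}

# True when the journal text carries the netlink ENOBUFS-at-startup
# signature from the report (auditd could not register its pid).
startup_enobufs() {
    printf '%s\n' "$1" | grep -q 'Error setting audit daemon pid (No buffer space available)'
}

# Journal lines quoted in the report, embedded so the check runs offline.
SAMPLE_JOURNAL='Sep 14 15:08:14 ip-10-210-197-90 auditd[382]: Error receiving audit netlink packet (No buffer space available)
Sep 14 15:08:14 ip-10-210-197-90 auditd[382]: Error setting audit daemon pid (No buffer space available)
Sep 14 15:08:14 ip-10-210-197-90 auditd[382]: Unable to set audit pid, exiting'

# Live mode: run the real commands and, when the signature is present,
# collect what a bug report needs (audit status counters, kernel cmdline).
if [ "${1:-}" = "--live" ]; then
    state=$(audit_state "$(systemctl is-active auditd 2>/dev/null || true)" \
                        "$(auditctl -l 2>/dev/null || true)") || true
    echo "auditd: $state"
    if [ "$state" != ok ] && startup_enobufs "$(journalctl -u auditd -b --no-pager 2>/dev/null || true)"; then
        echo "startup ENOBUFS signature present"
        auditctl -s 2>/dev/null || true
        cat /proc/cmdline
        exit 1
    fi
    [ "$state" = ok ] || exit 1
fi
```

Run with `--live` on each freshly launched instance; a non-zero exit marks the instance as one of the "broken" ones, and the captured `auditctl -s` counters and kernel command line are the pieces worth attaching when reproducing this bug.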
Found that I can limit the package install to just:
apt install auditd audispd-plugins -y
with the changes to audit.rules and auditd.conf, and the /etc/default/grub file.
I get random launch failures with the service failure and "no rules".