Activity log for bug #2020838

Date Who What changed Old value New value Message
2023-05-26 04:06:42 Chuan Li bug added bug
2023-05-26 04:07:15 Chuan Li tags sts
2023-05-26 04:41:04 Chuan Li description

Old value: the original description, identical to the new value below except that it lacked the "ls -l /home/ubuntu/test.sh" and "cat /home/ubuntu/test.sh" output.

New value:

The rule '-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged' cannot be loaded during system boot-up.

# lsb_release -rc
Release: 22.04
Codename: jammy

# dpkg -l|grep audit
ii auditd 1:3.0.7-1build1 amd64 User space tools for security auditing
ii libaudit-common 1:3.0.7-1build1 all Dynamic library for security auditing - common files
ii libaudit1:amd64 1:3.0.7-1build1 amd64 Dynamic library for security auditing
ii libauparse0:amd64 1:3.0.7-1build1 amd64 Dynamic library for parsing security auditing

# cat /etc/audit/rules.d/audit.rules|grep -v ^#|grep -v ^$
-D
-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-b 8192
--backlog_wait_time 60000
-f 1

# ls -l /home/ubuntu/test.sh
-rwxr-xr-x 1 root ubuntu 19 May 25 14:19 /home/ubuntu/test.sh

# cat /home/ubuntu/test.sh
#!/bin/bash
echo 1

# >/etc/audit/audit.rules

Reboot the system; no rule can be loaded:

# auditctl -l
No rules

syslog:
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: Error sending add rule data request (No such file or directory)
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: There was an error in line 5 of /etc/audit/audit.rules
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: No rules
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0

# cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
--backlog_wait_time 60000

But I can manually load the rule file. It seems this issue only happens during system boot-up.

# auditctl -R /etc/audit/audit.rules
No rules
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 4
backlog_wait_time 15000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 4
backlog_wait_time 15000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 14
backlog_wait_time 60000
backlog_wait_time_actual 0

# auditctl -l
-a always,exit -S all -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts

If I move the file /home/ubuntu/test.sh to /opt/test.sh, /etc/test.sh or /usr/bin/test.sh, then I cannot reproduce the issue.

Additionally, I have ruled out AppArmor as a factor. I had already disabled the AppArmor service and appended "apparmor=0" to the kernel command line before rebooting.

Moreover, I can NOT reproduce this issue on Focal (1:2.8.5-2ubuntu6).

There are 2 issues here, I think:
1) If the rules can be loaded manually, why can't they be loaded automatically at system startup?
2) When loading a particular rule fails, why are the subsequent rules skipped?
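The boot-time failure in the report (ENOENT on the path rule, after which augenrules stops at that line and the mount rule is never loaded) is the kind of thing a pre-flight check can surface before auditd starts. The script below is an added example, not code from the bug report or from the audit project; it assumes a POSIX sh and a rules file in auditctl syntax, and constructs its own sample rules file mirroring the report's.

```shell
#!/bin/sh
# Added example, not part of the bug report: a pre-flight check for the
# failure above. auditctl rejects an "-F path=" (or "-w") rule whose target
# does not exist at load time with ENOENT, and augenrules stops at that line,
# so every later rule is lost too. This walks the whole file instead,
# reports each missing target with its line number, and returns the count.

check_audit_paths() {
    rules_file="$1"
    missing=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            -a*|-w*) ;;      # only -a (syscall) and -w (watch) rules name a path
            *) continue ;;   # blank, comment, -D/-b/-f/--backlog_wait_time lines
        esac
        # pull the value after "-F path=" or the -w watch target
        target=$(printf '%s\n' "$line" | sed -n \
            -e 's/.*-F[[:space:]]*path=\([^[:space:]]*\).*/\1/p' \
            -e 's/^-w[[:space:]]*\([^[:space:]]*\).*/\1/p')
        [ -n "$target" ] || continue       # e.g. an arch/syscall rule with no path
        if [ ! -e "$target" ]; then
            printf 'line %d: %s does not exist, rule would fail with ENOENT\n' \
                "$lineno" "$target"
            missing=$((missing + 1))
        fi
    done < "$rules_file"
    return "$missing"
}

# Constructed sample mirroring the report's rules.d file: the same two -a rules
# plus one path rule whose target is absent. Writes into $1, prints the path.
write_sample_rules() {
    dir="$1"
    printf '#!/bin/bash\necho 1\n' > "$dir/test.sh"
    {
        printf '%s\n' '-D'
        printf -- '-a always,exit -F path=%s/missing.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged\n' "$dir"
        printf '%s\n' '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts'
        printf -- '-a always,exit -F path=%s/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged\n' "$dir"
        printf '%s\n' '-b 8192'
    } > "$dir/audit.rules"
    printf '%s\n' "$dir/audit.rules"
}

if [ "${1:-}" = "--demo" ]; then   # sh check_audit_paths.sh --demo
    d=$(mktemp -d); check_audit_paths "$(write_sample_rules "$d")"
    echo "missing targets: $?"; rm -rf "$d"
fi
```

Run against /etc/audit/audit.rules from a unit ordered before auditd (or by hand after a reboot) to see which path rules would trip the load; a non-zero return is the number of absent targets.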