[regression][jammy] augenrules Error sending add rule data request (No such file or directory)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
audit (Ubuntu) | New | Undecided | Unassigned |
Bug Description
The rule '-a always,exit -F path=/home/
# lsb_release -rc
Release: 22.04
Codename: jammy
# dpkg -l|grep audit
ii auditd 1:3.0.7-1build1 amd64 User space tools for security auditing
ii libaudit-common 1:3.0.7-1build1 all Dynamic library for security auditing - common files
ii libaudit1:amd64 1:3.0.7-1build1 amd64 Dynamic library for security auditing
ii libauparse0:amd64 1:3.0.7-1build1 amd64 Dynamic library for parsing security auditing
# cat /etc/audit/
-D
-a always,exit -F path=/home/
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-b 8192
--backlog_wait_time 60000
-f 1
# ls -l /home/ubuntu/
-rwxr-xr-x 1 root ubuntu 19 May 25 14:19 /home/ubuntu/
# cat /home/ubuntu/
#!/bin/bash
echo 1
# >/etc/audit/
After rebooting the system, no rule can be loaded:
# auditctl -l
No rules
syslog:
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: Error sending add rule data request (No such file or directory)
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: There was an error in line 5 of /etc/audit/
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: No rules
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_
# cat /etc/audit/
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
-a always,exit -F path=/home/
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
--backlog_wait_time 60000
But I can load the rule file manually. It seems this issue only happens during system boot-up.
# auditctl -R /etc/audit/
No rules
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 4
backlog_wait_time 15000
backlog_
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 4
backlog_wait_time 15000
backlog_
enabled 1
failure 1
pid 476
rate_limit 0
backlog_limit 8192
lost 0
backlog 14
backlog_wait_time 60000
backlog_
# auditctl -l
-a always,exit -S all -F path=/home/
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts
If I move the file /home/ubuntu/
Additionally, I have ruled out AppArmor as a factor. I have already disabled the AppArmor service and appended "apparmor=0" to the kernel command line before rebooting.
Moreover, I can NOT reproduce this issue on Focal(1:
There are 2 issues here, I think:
1) If the rules can be loaded manually, why can't they be loaded automatically at system startup?
2) When loading a particular rule fails, why are the subsequent rules skipped?
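An added preflight check (written for this thread; it is not part of the bug report or of the audit package) that answers "which line will fail at boot" without rebooting. It walks an audit.rules file, numbers lines the same way auditctl's "error in line N" does (1-based, counting comment lines), and reports every -w or -F path= watch whose parent directory is absent: as far as I can tell from the kernel's audit_watch code the watched file itself may be missing, but its parent directory has to resolve when the rule is added, which is what fails when /home is not mounted yet. It also warns when the file has no bare -i line, because without it auditctl -R stops at the first failing line and everything after it, including the --backlog_wait_time 60000 at the end of the generated file, is never applied (which is consistent with the boot log above still showing backlog_wait_time 15000). Assumptions: POSIX sh and the one-directive-per-line format shown above.

```shell
#!/bin/sh
# check_watch_paths RULES_FILE
# Preflight for audit watch rules (added example, not from the audit package).
# Prints "line N: PATH (parent DIR missing)" for each -w / -F path= rule whose
# parent directory does not exist, plus a warning when the file has no bare
# "-i" line (auditctl -R then stops at the first failure and skips the rest).
# Returns 0 when every watch target is loadable, 1 otherwise.
# Assumption: a watch needs its parent directory to exist at load time.
check_watch_paths() {
    rules="$1"
    n=0          # current line number, counted like auditctl's "error in line N"
    bad=0        # number of watches whose parent directory is missing
    has_i=0      # set when a bare "-i" line is present
    first_bad=0  # first failing line, i.e. where auditctl -R would stop
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;   # blank lines and comments still count as lines
        esac
        if [ "$line" = "-i" ]; then
            has_i=1
        fi
        # Extract the watch target from "-w PATH" or "-F path=PATH"; other
        # directives (-D, -b, -f, --backlog_wait_time, syscall rules) yield nothing.
        path=$(printf '%s\n' "$line" | sed -n \
            -e 's/.*-w[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' \
            -e 's/.*-F[[:space:]]\{1,\}path=\([^[:space:]]\{1,\}\).*/\1/p')
        if [ -z "$path" ]; then
            continue
        fi
        parent=$(dirname "$path")
        if [ ! -d "$parent" ]; then
            printf 'line %d: %s (parent %s missing)\n' "$n" "$path" "$parent"
            bad=$((bad + 1))
            if [ "$first_bad" -eq 0 ]; then
                first_bad=$n
            fi
        fi
    done < "$rules"
    if [ "$bad" -gt 0 ] && [ "$has_i" -eq 0 ]; then
        printf 'no -i in %s: auditctl -R stops at line %d, later lines are skipped\n' \
            "$rules" "$first_bad"
    fi
    [ "$bad" -eq 0 ]
}

# Stand-alone use: check_watch_paths.sh /etc/audit/audit.rules
if [ "$#" -gt 0 ]; then
    check_watch_paths "$1"
fi
```

Running it against the generated /etc/audit/audit.rules from a rescue shell, or against a copy of it on a box where /home is not mounted, reproduces the "line 5" from the boot log; the missing parent is the actual thing to fix, and -i only changes what happens to the lines after it.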
Hello, my guess is /home or /home/ubuntu may not exist when the audit rules are loaded.
The file and directory watches work by setting up inotify watches on the underlying objects, and if the file or directory doesn't exist, there's nothing to watch. So, it errors.
You can add -i to the configuration file to have it continue onwards despite the error:
-i     When given by itself, ignore errors when reading rules from a file. This causes auditctl to always return a success exit code. If passed as an argument to -s then it gives an interpretation of the numbers to human readable words if possible.
I'm not sure what to suggest for actually working around the problem, though. Reloading the rules some point after booting, once all the filesystems are mounted, would make sense, but I'm not sure how to ask systemd to do that.
Thanks
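As an added example (not from this bug report and not a unit shipped by the audit package) of one way to ask systemd for the reload the previous comment suggests: a separate oneshot unit ordered after the mounts the watch rules depend on, rather than moving auditd.service itself later in boot. The unit name, the /home/ubuntu path and the /sbin/augenrules location are assumptions for this report's scenario.

```ini
# /etc/systemd/system/audit-rules-late.service (example unit; name and paths assumed)
[Unit]
Description=Reload audit rules once the filesystems the watch rules point at are mounted
# RequiresMountsFor pulls in and orders this unit after the mount units for the path
RequiresMountsFor=/home/ubuntu
After=auditd.service local-fs.target remote-fs.target
Requires=auditd.service

[Service]
Type=oneshot
RemainAfterExit=yes
# augenrules --load regenerates /etc/audit/audit.rules from rules.d and runs auditctl -R on it
ExecStart=/sbin/augenrules --load

[Install]
WantedBy=multi-user.target
```

Enable it with systemctl daemon-reload && systemctl enable audit-rules-late.service. Because the generated file starts with -D, the reload flushes and re-adds the rules instead of duplicating them. Two caveats: this does nothing if rules.d ends with -e 2, since the rule set is then immutable until reboot; and between auditd starting and this unit running, the file watch is still absent, so -i in rules.d (which turns the boot-time failure into a logged error rather than a stopped load) and this unit are complementary, not alternatives.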