Bug 1076613 - audit error message
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Basesystem
Version: Current
Hardware: armv7 Other
Priority: P2 - High
Severity: Normal
Assigned To: Enzo Matsumiya
Reported: 2018-01-18 15:30 UTC by Freek de Kruijf
Modified: 2021-04-09 20:27 UTC (History)
ematsumiya: needinfo? (freek)


Description Freek de Kruijf 2018-01-18 15:30:02 UTC
journalctl -b shows an error for some audit process.
The error message is:
augenrules[334]: Error sending add rule data request (Invalid argument)
augenrules[334]: There was an error in line 5 of /etc/audit/audit.rules
augenrules[334]: No rules

The mentioned file /etc/audit/audit.rules shows:

--------------- start ------------
## This file is automatically generated from /etc/audit/rules.d
-D

-a task,never

----------------- end -------------------------

This folder only contains /etc/audit/rules.d/audit.rules which shows:

--------------- start ------------
## This set of rules is to suppress the performance effects of the
## audit system. The result is that you only get hardwired events.
-D

## This suppresses syscall auditing for all tasks started
## with this rule in effect.  Remove it if you need syscall
## auditing.
-a task,never

----------------- end -------------------------

Does not seem to have an ill effect on the system.
Comment 1 Tony Jones 2018-01-22 20:29:52 UTC
Sorry, meant to update this last week.

This is what I see on my up-to-date Tumbleweed system:

# journalctl -b | grep augen
Jan 22 12:12:59 svr2 augenrules[757]: /sbin/augenrules: No change
Jan 22 12:12:59 svr2 augenrules[757]: No rules

1.  What does 'auditctl -s' show after boot?
2.  What does 'auditctl -l' show after boot?
3.  What is your kernel command line ("cat /proc/cmdline")?
4.  What happens if you manually try 'auditctl -a task,never' (as root)?
5.  What is the output of 'systemctl status auditd'?
6.  What are the contents of the service file from step 5 (/usr/lib/systemd/system/auditd.service on my system)?

Thanks!
Comment 2 Freek de Kruijf 2018-01-22 20:56:52 UTC
This is on a Raspberry Pi 2 with openSUSE Tumbleweed.
# more /etc/os-release 
NAME="openSUSE Tumbleweed"
# VERSION="20180116 "
ID=opensuse
ID_LIKE="suse"
VERSION_ID="20180116"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20180116"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"

# journalctl -b | grep augen
jan 22 17:28:56 rpi2tumhon augenrules[423]: /sbin/augenrules: No change
jan 22 17:28:56 rpi2tumhon augenrules[423]: Error sending add rule data request (Invalid argument)
jan 22 17:28:56 rpi2tumhon augenrules[423]: There was an error in line 5 of /etc/audit/audit.rules
jan 22 17:28:56 rpi2tumhon augenrules[423]: No rules

# auditctl -s
enabled 1
failure 1
pid 419
rate_limit 0
backlog_limit 64
lost 0
backlog 0
backlog_wait_time 12000
loginuid_immutable 0 unlocked

# auditctl -l
No rules

# more /usr/lib/systemd/system/auditd.service
[Unit]
Description=Security Auditing Service
DefaultDependencies=no
## If auditd.conf has tcp_listen_port enabled, copy this file to
## /etc/systemd/system/auditd.service and add network-online.target
## to the next line so it waits for the network to start before launching.
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
ConditionKernelCommandLine=!audit=0
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation

[Service]
Type=forking
PIDFile=/var/run/auditd.pid
ExecStart=/sbin/auditd
## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
## and comment/delete the next line and uncomment the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecReload=/bin/kill -HUP $MAINPID
# By default we don't clear the rules on exit. To enable this, uncomment
# the next line after copying the file to /etc/systemd/system/auditd.service
#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules

[Install]
WantedBy=multi-user.target
Comment 3 Tony Jones 2018-01-22 21:23:02 UTC
Once booted, as you able to manually send rules to the audit system
Step #4 from my previous reply.
Comment 4 Tony Jones 2018-01-22 21:26:05 UTC
(In reply to Tony Jones from comment #3)
> Once booted, as you able to manually send rules to the audit system
> Step #4 from my previous reply.

typo "are you able to"

Also, please set the hw type appropriately in future bugs, and probably also state specifically in the description that it's an RPi.
Comment 5 Freek de Kruijf 2018-01-22 21:31:44 UTC
rpi2tumhon:~ # auditctl -a task,never
Error sending add rule data request (Invalid argument)
rpi2tumhon:~ # systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-01-22 17:28:56 CET; 4h 59min ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 423 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
  Process: 416 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 419 (auditd)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/auditd.service
           └─419 /sbin/auditd

jan 16 11:23:00 rpi2tumhon systemd[1]: Starting Security Auditing Service...
jan 16 11:23:00 rpi2tumhon auditd[419]: Started dispatcher: /sbin/audispd pid: 421
jan 16 11:23:00 rpi2tumhon auditd[419]: Init complete, auditd 2.8.1 listening for events (startup state enable)
jan 16 11:23:00 rpi2tumhon audispd[421]: No plugins found, exiting
jan 16 11:23:00 rpi2tumhon auditd[419]: dispatcher 421 reaped
jan 22 17:28:56 rpi2tumhon augenrules[423]: /sbin/augenrules: No change
jan 22 17:28:56 rpi2tumhon augenrules[423]: Error sending add rule data request (Invalid argument)
jan 22 17:28:56 rpi2tumhon augenrules[423]: There was an error in line 5 of /etc/audit/audit.rules
jan 22 17:28:56 rpi2tumhon augenrules[423]: No rules
jan 22 17:28:56 rpi2tumhon systemd[1]: Started Security Auditing Service.
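The status output in comment 5 shows the unit active while `augenrules --load` exited with status 1, which the `-` prefix on `ExecStartPost` in the unit file permits. As an added example (not part of the bug thread or of the audit project), the shell functions below pick such failed rule loads out of journal and `systemctl status` text; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: find augenrules rule-load failures in journal text.

# Constructed sample, shaped like the journalctl lines quoted in this report.
sample_journal() {
cat <<'EOF'
jan 22 17:28:56 rpi2tumhon augenrules[423]: /sbin/augenrules: No change
jan 22 17:28:56 rpi2tumhon augenrules[423]: Error sending add rule data request (Invalid argument)
jan 22 17:28:56 rpi2tumhon augenrules[423]: There was an error in line 5 of /etc/audit/audit.rules
jan 22 17:28:56 rpi2tumhon augenrules[423]: No rules
jan 22 17:28:56 rpi2tumhon systemd[1]: Started Security Auditing Service.
EOF
}

# Reads journal text on stdin (journalctl short format). Prints one line per
# failed load: <host> pid=<pid> file=<path> line=<n> reason=<kernel error>
augenrules_failures() {
  awk '
    $5 ~ /^augenrules\[[0-9]+\]:$/ {
      pid = $5; gsub(/[^0-9]/, "", pid)
      key = $4 " pid=" pid
      msg = $0; sub(/^.*augenrules\[[0-9]+\]: /, "", msg)
      # The netlink error precedes the line-number message for the same PID.
      if (msg ~ /^Error sending /) reason[key] = msg
      if (msg ~ /^There was an error in line [0-9]+ of /) {
        split(msg, w, " ")
        printf "%s file=%s line=%s reason=%s\n", key, w[9], w[7],
               ((key in reason) ? reason[key] : "unknown")
      }
    }'
}

# Reads `systemctl status auditd` text on stdin. Succeeds (exit 0) when the
# unit is active although an ExecStartPost command exited non-zero, which the
# "-" prefix on ExecStartPost in the unit file allows.
active_despite_failed_load() {
  awk '
    /Active: active \(running\)/ { active = 1 }
    /Process: .*ExecStartPost=.*status=[1-9][0-9]*\// { failed = 1 }
    END { exit !(active && failed) }'
}

sample_journal | augenrules_failures
```

On a live host the same functions can be fed from `journalctl -b` and `systemctl status auditd`.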
Comment 6 Tony Jones 2018-01-22 22:05:13 UTC
(In reply to Freek de Kruijf from comment #5)
> rpi2tumhon:~ # auditctl -a task,never
> Error sending add rule data request (Invalid argument)

Interesting, for some reason the kernel is rejecting the rule load.
Comment 7 Tony Jones 2018-02-16 20:33:14 UTC
Waiting for Alex to fix kernel hang so I can verify on ARM v7 vm (I don't have RPi2)
Comment 8 Tony Jones 2018-08-02 20:36:42 UTC
Reassigned to Alex.  When he can come up with reliable way to verify under emulation, he can reassign back to me.

In the meantime, reporter, is the issue still occurring?
Comment 9 Freek de Kruijf 2018-08-02 21:44:17 UTC
(In reply to Tony Jones from comment #8)
> Reassigned to Alex.  When he can come up with reliable way to verify under
> emulation, he can reassign back to me.
> 
> In the meantime, reporter, is the issue still occurring?

Yes.

# more /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20180622"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20180622"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20180622"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"

# auditctl -a task,never
Error sending add rule data request (Invalid argument)

# uname -a
Linux rpi2tumhon 4.17.1-1-lpae #1 SMP PREEMPT Thu Jun 14 06:39:01 UTC 2018 (df028bb) armv7l armv7l armv7l GNU/Linux
Comment 10 Enzo Matsumiya 2021-01-04 21:28:49 UTC
Is this still reproducible with the latest audit package in openSUSE?

aarch64 build was specifically enabled only in the latest release.
Comment 11 Enzo Matsumiya 2021-04-09 20:27:15 UTC
This is supposed to be fixed in the latest releases of audit.

I'm closing this one because other similar issues have been reported to be fixed by that release. Please reopen if you experience this bug again.