Auditd failed when changing the Rsyslog configuration
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
audit (Ubuntu) | New | Undecided | Unassigned |
Bug Description
I found that when changing the Rsyslog configuration (/etc/rsyslog.
ExecStartPost=
.................
There was an error in line 6 of /etc/audit/
Another sign:
----------------
# systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/lib/systemd/
Active: active (running) since Fri 2020-03-13 17:49:55 MSK; 12min ago
Docs: man:auditd(8)
https:/
Process: 985 ExecStartPost=
Process: 883 ExecStart=
Main PID: 928 (auditd)
Tasks: 4 (limit: 4915)
CGroup: /system.
├─928 /sbin/auditd
└─932 /sbin/audispd
The problem was confirmed on two modern physical Linux Ubuntu servers with all the latest system updates.
Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-88-generic x86_64)
-------
auditd/bionic,now 1:2.8.2-1ubuntu1 amd64 [installed]
libaudit-
libaudit1/
+
rsyslog/bionic,now 8.32.0-1ubuntu4 amd64 [installed,
I first ran into the problem while trying to reconfigure Auditd logging according to the recommendations:
https:/
When I found the problem, I checked its causes on the Rsyslog side on another server.
It is confirmed that it is not associated with changes in the configuration of Auditd.
Example of replication:
-------
1. Edit /etc/rsyslog.
Insert strings for new log facility:
*.*;auth,
###
###*.*;
local6.* /var/log/
2. # systemctl restart rsyslog
3. # systemctl restart auditd
4. # systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/lib/systemd/
Active: active (running) since Fri 2020-03-13 18:12:32 MSK; 6s ago
Docs: man:auditd(8)
https:/
Process: 3211 ExecStartPost=
Process: 3183 ExecStart=
Main PID: 3186 (auditd)
Tasks: 4 (limit: 4915)
CGroup: /system.
├─3186 /sbin/auditd
└─3190 /sbin/audispd
Mar 13 18:12:32 uk1 augenrules[3211]: failure 1
Mar 13 18:12:32 uk1 augenrules[3211]: pid 3186
Mar 13 18:12:32 uk1 augenrules[3211]: rate_limit 0
Mar 13 18:12:32 uk1 augenrules[3211]: backlog_limit 8192
Mar 13 18:12:32 uk1 augenrules[3211]: lost 0
Mar 13 18:12:32 uk1 augenrules[3211]: backlog 0
Mar 13 18:12:32 uk1 augenrules[3211]: backlog_wait_time 0
Mar 13 18:12:32 uk1 systemd[1]: Started Security Auditing Service.
Mar 13 18:12:32 uk1 auditctl[3225]: There was an error in line 6 of /etc/audit/
Mar 13 18:12:32 uk1 audispd[3190]: node=uk1 type=SERVICE_START msg=audit(
But the main problem is that this failure cannot be fixed by deleting changes from the Rsyslog configuration file.
It remains even after restarting the server!
I have attached snippets of the system log.
The first part corresponds to restarting the system after rolling back Rsyslog changes.
The second part corresponds to the processes after the Auditd restart.
In general, it looks like Auditd is working normally; the logs show it running.
But the auditd service status still reports:
ExecStartPost=
And this cannot be eliminated.
After many experiments, I discovered an inconspicuous syntax error in audit.rules
Here are two seemingly identical lines:
-a exit,always -F arch=b64 -F euid=0 -S execve –k root_actions
-a exit,always -F arch=b64 -F euid=0 -S execve -k root_actions
Their only difference is that in the first line (copy-pasted from another source), the dash before "–k" is not the standard dash character, although it appears exactly the same in the console.
When changing to a standard dash, the mentioned error "error in line 6 of /etc/audit/audit.rules" was eliminated.
I absolutely don't understand the role of Rsyslog configuration changes in this. But paradoxically, this error in the dash character only manifests itself in this case. Before that, a string with a non-standard dash in audit.rules was accepted by auditd without problems on both my servers.
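The root cause the report arrives at, a Unicode en dash (U+2013) that renders like "-" but that auditctl does not accept as an option prefix, is easy to catch before restarting the service. The following scanner is an added example for this bug report, not code from the audit package or from the reporter. It walks a rules file, reports every non-ASCII character with the 1-based line and column (matching the "error in line N" wording of auditctl), and can rewrite the common hyphen look-alikes to a plain ASCII hyphen-minus. The rule lines in `SAMPLE_RULES` are constructed to mirror the two lines quoted above; the file path argument is an assumption for stand-alone use.

```python
"""Find hyphen look-alikes and other non-ASCII characters in an audit.rules file.

Added example for this bug report; not code from the audit package or the
reporter. SAMPLE_RULES is constructed: its second line carries an en dash
(U+2013) before 'k', reproducing the copy-paste mistake described above.
"""
import sys
import unicodedata

# Characters that many terminals draw exactly like the ASCII hyphen-minus.
HYPHEN_LOOKALIKES = {
    "\u2010": "HYPHEN",
    "\u2011": "NON-BREAKING HYPHEN",
    "\u2012": "FIGURE DASH",
    "\u2013": "EN DASH",
    "\u2014": "EM DASH",
    "\u2212": "MINUS SIGN",
}


def find_suspicious_chars(text):
    """Return (line_no, col_no, char, name) for every non-ASCII character.

    Line and column numbers are 1-based so they line up with auditctl's
    "There was an error in line N" message.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col_no, ch in enumerate(line, start=1):
            if ord(ch) < 128:
                continue
            name = HYPHEN_LOOKALIKES.get(ch) or unicodedata.name(ch, "UNKNOWN")
            findings.append((line_no, col_no, ch, name))
    return findings


def normalize_rules(text):
    """Replace hyphen look-alikes with ASCII '-' so the rule parses.

    Only dash variants are rewritten; any other non-ASCII character is left
    in place so find_suspicious_chars() still reports it for manual review.
    """
    for bad in HYPHEN_LOOKALIKES:
        text = text.replace(bad, "-")
    return text


# Constructed sample: line 2 is the broken rule from the report.
SAMPLE_RULES = (
    "-a exit,always -F arch=b64 -F euid=0 -S execve -k root_actions\n"
    "-a exit,always -F arch=b64 -F euid=0 -S execve \u2013k root_actions\n"
)

if __name__ == "__main__":
    # Assumed usage: python3 check_rules.py /etc/audit/rules.d/audit.rules
    # With no argument the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_RULES
    hits = find_suspicious_chars(text)
    for line_no, col_no, ch, name in hits:
        print(f"line {line_no} col {col_no}: U+{ord(ch):04X} {name}")
    if not hits:
        print("no non-ASCII characters found")
```

Undecodable bytes are mapped to U+FFFD by `errors="replace"`, so a file with a broken encoding shows up in the scan as REPLACEMENT CHARACTER rather than aborting the check. Running the scanner against the rules directory before `systemctl restart auditd` turns a silent "failure 1" in the service status into a specific line and column to fix.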