Better error message in auditd wanted

Steve Grubb sgrubb at redhat.com
Thu May 26 14:54:43 UTC 2016


Hello,

On Thursday, May 26, 2016 03:03:11 PM Christian Boltz wrote:
> I'd like to ask for a more useful error message in auditd ;-)
> 
> If audit.log is world-readable (chmod 644 [1]), auditd refuses to start.
> 
> The problem is that it gives a completely useless error message when
> doing that:
> 
> # systemctl status auditd.service
> ● auditd.service - Security Auditing Service
>    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
>    Active: failed (Result: exit-code) since Sa 2016-05-21 12:43:55 CEST; 4min 14s ago
>   Process: 8656 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
>   Process: 8654 ExecStart=/sbin/auditd -n (code=exited, status=6)
>  Main PID: 8654 (code=exited, status=6)
> 
> Mai 21 12:43:55 tux systemd[1]: Starting Security Auditing Service...
> Mai 21 12:43:55 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
> Mai 21 12:43:55 tux augenrules[8656]: /sbin/augenrules: No change
> Mai 21 12:43:55 tux augenrules[8656]: No rules
> Mai 21 12:43:55 tux systemd[1]: Failed to start Security Auditing Service.
> Mai 21 12:43:55 tux systemd[1]: auditd.service: Unit entered failed state.
> Mai 21 12:43:55 tux systemd[1]: auditd.service: Failed with result 'exit-code'.
> 
> 
> Exit status 6/NOTCONFIGURED is not really helpful (and not even
> correct) information :-(
> 
> After searching around, reading the manpage etc. I tried to start auditd
> manually in debug mode:
> 
> 
> # auditd -f
> Config file /etc/audit/auditd.conf opened for parsing
> log_file_parser called with: /var/log/audit/audit.log
> /var/log/audit/audit.log permissions should be 0600 or 0640
> The audit daemon is exiting.
> 
> 
> Now _that_ is a useful message and clearly states what the problem is.
> 
> Can you please change auditd so that it prints or logs this useful
> message independent of the given parameters?

This is the code you are talking about:
https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L618
 
It is LOG_ERR, so it should be captured by syslog. Not sure what else can be 
done.

-Steve


> In case it matters: I'm using openSUSE Tumbleweed with audit 2.5.
> 
> 
> Regards,
> 
> Christian Boltz
> 
> [1] I did that chmod to make testing of aa-logprof (part of the AppArmor
>     userspace tools) easier.
> 
> > I see no "do" in your script, so this will give you a "syntax error
> > near unexpected token `done'" after shutdown ;-))
> 
> I've been hearing funny noises after shutdown, that must be it :-)
> [> Christian Boltz and Chris Maaskant in opensuse]
> 
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
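
The permission rule behind the "permissions should be 0600 or 0640" message in this thread, written as a pre-start check an administrator could run. This is an added example, not part of the original thread and not auditd's own code. The function names are hypothetical, and it assumes GNU stat, the key = value layout of auditd.conf, and that exactly the two modes named in the message are acceptable.

```shell
#!/bin/sh
# Added example: pre-flight check of the audit log mode, run before starting auditd.

# Print the log_file value from an auditd.conf-style "key = value" file.
# Anchored at line start so max_log_file and log_format do not match.
audit_conf_log_file() {
    sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | tail -n 1
}

# Return 0 if the file's mode is one of the two named in the daemon's message.
audit_log_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat: octal mode, no leading 0
    case "$mode" in
        600|640) return 0 ;;
        *)       return 1 ;;                # e.g. 644 (world-readable) or 4640
    esac
}

# Resolve the log path from the config and report in the daemon's own wording.
audit_preflight() {
    conf=$1
    log=$(audit_conf_log_file "$conf")
    [ -n "$log" ] || { echo "no log_file entry in $conf" >&2; return 2; }
    [ -e "$log" ] || return 0               # assumption: a missing log is not this failure
    if audit_log_mode_ok "$log"; then
        return 0
    fi
    echo "$log is mode $(stat -c '%a' "$log"); permissions should be 0600 or 0640" >&2
    return 1
}

# Usage: sh preflight.sh --check [/etc/audit/auditd.conf]
if [ "${1:-}" = "--check" ]; then
    audit_preflight "${2:-/etc/audit/auditd.conf}"
fi
```

Because the explanation goes to stderr and the exit status is non-zero, running this before the unit starts puts the reason next to the failure in the journal.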




