Problem running auditd on Raspberry Pi (fedora-server-24)

C.y cyng93 at gmail.com
Wed Oct 5 10:06:08 UTC 2016 

On Tue, Oct 4, 2016 at 11:10 PM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Tuesday, October 4, 2016 11:35:46 AM EDT C.y wrote:
> > On Tue, Oct 4, 2016 at 4:06 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> > > On Sunday, October 2, 2016 11:00:16 AM EDT C.y wrote:
> > > > On Sun, Oct 2, 2016 at 12:20 AM, Steve Grubb <sgrubb at redhat.com>
> wrote:
> > > > > On Saturday, October 1, 2016 5:47:47 PM EDT C.y wrote:
> > > > > > Hi all,
> > > > > >
> > > > > >
> > > > > > I have fedora-server-24 installed on my raspberry-pi-3, following
> > > > > > the
> > > > > > guide https://fedoraproject.org/wiki/Raspberry_Pi.
> > > > > >
> > > > > > Once I get my raspberry pi boot up, there were error mentioning
> that
> > > > > > "audit not support not in kernel", which I believed were then
> > >
> > > resolved after I
> > >
> > > > > > rebuild my kernel.
> > > > > >
> > > > > > However, I got stuck when I tried to add rule using `auditctl`
> > >
> > > command
> > >
> > > > > > as below:
> > > > > > `# auditctl -w /etc/passwd -p wa -k passwd_changes`
> > > > > > Error sending add rule data request (Invalid argument)
> > > > >
> > > > > Hmm. I wonder if 'ausyscall open' gives you syscalls.
> > > >
> > > > `# ausyscall open` returns as below. So I suppose the answer is
> > > > yes?(correct me if I'm wrong)
> > > > open               5
> > > > mq_open            274
> > > > openat             322
> > > > perf_event_open    364
> > > > open_by_handle_at  371
> > >
> > > This means user space is doing the right thing. I am thinking this
> sounds
> > > like a kernel issue.
> > >
> > > Have you tried a few other simple commands?
> > >
> > > auditctl -e 1
> > > auditctl -s
> > > auditctl -always,exit -F arch=b64 -S open
> > >
> > > -Steve
> >
> > `# auditctl -e 1` returns:
> > enabled 1
> > failure 1
> > pid 293
> > rate_limit 0
> > backlog_limit 64
> > lost 11
> > backlog 0
> > backlog_wait_time 6000
> >
> > `# auditctl -s` returns:
> > enabled 1
> > failure 1
> > pid 293
> > rate_limit 0
> > backlog_limit 64
> > lost 11
> > backlog 0
> > backlog_wait_time 6000
>
> OK. So, this sounds like it can communicate with the kernel and part of the
> audit system is compiled in.
>
> > `# auditctl -a always,exit -F arch=b64 -S open` returns:
> > arch elf mapping not found
>
> OK. Maybe its not 64 bit.
>
> > `# auditctl -a always,exit -S open` returns:
> > Error sending add rule data request (Invalid argument)
>
> If it were 32 bit, then the above would have selected -F arch=b32
> automatically. The error message means the kernel rejected a field in the
> audit
> rule. Which field, I don't know.


It turns out that all these problem occurs because I missed out including
some of the config when building the kernel.

auditd works well on kernel compiled with `CONFIG_AUDITSYSCALL = y`.
p/s: option AUDITSYSCALL wasn't presented defaultly on raspi due to lacking
dependency of `! OABI_COMPAT`,
which its discussion can be found at
https://github.com/raspberrypi/firmware/issues/652

Thanks for spending time on my issues!


> > I also noticed that auditd is having difficulty in parsing
> > `/etc/auditd/auditd.rules`
> > on the booting stage,
> > `# journalctl -u auditd.service --this-boot` returns:
> > -- Logs begin at Fri 2016-02-12 00:28:01 CST, end at Tue 2016-10-04
> > 10:53:05 CST. --
> > Feb 12 00:28:06 raspi3.lab systemd[1]: Starting Security Auditing
> Service...
> > Feb 12 00:28:06 raspi3.lab auditd[287]: Started dispatcher: /sbin/audispd
> > pid: 301
> > Feb 12 00:28:06 raspi3.lab audispd[301]: priority_boost_parser called
> with:
> > 4
> > Feb 12 00:28:06 raspi3.lab augenrules[288]: /sbin/augenrules: No change
> > Feb 12 00:28:06 raspi3.lab audispd[301]: max_restarts_parser called
> with: 10
> > Feb 12 00:28:06 raspi3.lab augenrules[288]: Error sending add rule data
> > request (Invalid argument)
> > Feb 12 00:28:06 raspi3.lab augenrules[288]: There was an error in line 5
> of
> > /etc/audit/audit.rules
>
> I believe this is just saying that the rule in line 5 was rejected by the
> kernel. This is systemd induced. The Error sending rule message went to
> stderr, auditctl also logs to syslog that it had a problem. Systemd grabs
> both
> and logs them. So, this is really 2 messages for the same thing. Its not a
> parsing problem per se.
>
> -Steve
>
> > Feb 12 00:28:06 raspi3.lab augenrules[288]: No rules
> > Feb 12 00:28:06 raspi3.lab systemd[1]: Started Security Auditing Service.
> > Feb 12 00:28:06 raspi3.lab auditd[287]: Init complete, auditd 2.5.2
> > listening for events (startup state
> >
> > while `# cat /etc/audit/rules.d` returns:
> > -----
> > ## This file is automatically generated from /etc/audit/rules.d
> > -D
> >
> >
> > -a task,never
> > -----
> >
> > p/s: On the log above, RaspberryPi is showing the wrong time due to a
> > reboot,
> > the time will be corrected once the chronyd start functioning.
> >
> >
> > Regards,
> > CHING YI.
> >
> > > > > > I tried to search for solution but it lead me to a bug that were
> > >
> > > already
> > >
> > > > > > been solved like years ago. Can anyone tell me if I am in the
> right
> > >
> > > way
> > >
> > > > > > of getting auditd works on raspberry pi? Were the problem I've
> faced
> > >
> > > were
> > >
> > > > > > already a known issue?
> > > > > >
> > > > > > Below are my system information and some logs/details when I
> tried
> > > > > > to
> > > > > > diagnosis the problem and thanks a lot for your help in advance!
> > > > > >
> > > > > > `# uname -a`
> > > > > > Linux raspi3.lab 4.4.23-v7+ #2 SMP Sat Oct 1 15:24:41 CST 2016
> > > > > > armv7l
> > > > > > armv7l armv7l GNU/Linux
> > > > >
> > > > > I also wonder if we have a mismatch here. Is that armv seventy one
> or
> > >
> > > armv
> > >
> > > > > seven-el? Its coded in audit as seventy one.
> > > >
> > > > It's 7-el.
> > > > `# uname -a | grep 7l` (7-el) returns
> > > > Linux raspi3.lab 4.4.23-v7+ #2 SMP Sat Oct 1 15:24:41 CST 2016 armv7l
> > > > armv7l armv7l GNU/Linux
> > > >
> > > >
> > > > Sincerly,
> > > > CHING YI.
> > > >
> > > > > -Steve
> > > > >
> > > > > > `# modprobe configs ; gunzip -dc /proc/config.gz | grep AUDIT`
> > > > > > CONFIG_AUDIT=y
> > > > > > CONFIG_NETFILTER_XT_TARGET_AUDIT=m
> > > > > > CONFIG_AUDIT_GENERIC=y
> > > > > > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
> > > > > >
> > > > > > `# systemctl status auditd.service`
> > > > > > ● auditd.service - Security Auditing Service
> > > > > >
> > > > > >    Loaded: loaded (/usr/lib/systemd/system/auditd.service;
> enabled;
> > > > > >
> > > > > > vendor preset: enabled)
> > > > > >
> > > > > >    Active: active (running) since Fri 2016-02-12 00:28:07 CST; 7
> > >
> > > months
> > >
> > > > > > 19 days ago
> > > > > >
> > > > > >   Process: 1553 ExecReload=/bin/kill -HUP $MAINPID (code=exited,
> > > > > >
> > > > > > status=0/SUCCESS)
> > > > > >
> > > > > >   Process: 279 ExecStartPost=/sbin/augenrules --load
> (code=exited,
> > > > > >
> > > > > > status=1/FAILURE)
> > > > > > Main PID: 278 (auditd)
> > > > > >
> > > > > >    CGroup: /system.slice/auditd.service
> > > > > >
> > > > > >            └─278 /sbin/auditd -n
> > > > > >
> > > > > > Oct 01 16:36:53 raspi3.lab auditd[278]:
> audit(1475311013.356:8458)
> > > > > > op=reconfigure state=changed auid=4294967295 pid=-1 subj=?
> > >
> > > res=success
> > >
> > > > > > Oct 01 16:36:53 raspi3.lab systemd[1]: Reloaded Security Auditing
> > > > > > Service.
> > > > > > Oct 01 16:37:28 raspi3.lab systemd[1]: Reloading Security
> Auditing
> > > > > > Service.
> > > > > > Oct 01 16:37:28 raspi3.lab auditd[278]: config change requested
> by
> > > > > > pid=-1
> > > > > > auid=4294967295 subj=?
> > > > > > Oct 01 16:37:28 raspi3.lab auditd[278]: audit(1475311048.046:257)
> > > > > > op=reconfigure state=changed auid=4294967295 pid=-1 subj=?
> > >
> > > res=success
> > >
> > > > > > Oct 01 16:37:28 raspi3.lab systemd[1]: Reloaded Security Auditing
> > > > > > Service.
> > > > > > Oct 01 16:38:18 raspi3.lab systemd[1]: Reloading Security
> Auditing
> > > > > > Service.
> > > > > > Oct 01 16:38:18 raspi3.lab auditd[278]: config change requested
> by
> > > > > > pid=-1
> > > > > > auid=4294967295 subj=?
> > > > > > Oct 01 16:38:18 raspi3.lab auditd[278]:
> audit(1475311098.716:2108)
> > > > > > op=reconfigure state=changed auid=4294967295 pid=-1 subj=?
> > >
> > > res=success
> > >
> > > > > > Oct 01 16:38:18 raspi3.lab systemd[1]: Reloaded Security Auditing
> > > > > > Service.
> > > > > >
> > > > > > While my `/var/log/audit/audit.log` was full with lines of
> > > > > > "SERVICE_START" & "SERVICE_STOP":
> > > > > > type=SERVICE_START msg=audit(1475313700.696:276): pid=1 uid=0
> > > > > > auid=4294967295 ses=4294967295 msg='unit=NetworkManager-
> dispatcher
> > > > > > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> > > > > > terminal=? res=success'
> > > > > > type=SERVICE_STOP msg=audit(1475313710.836:277): pid=1 uid=0
> > > > > > auid=4294967295 ses=4294967295 msg='unit=NetworkManager-
> dispatcher
> > > > > > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
> > > > > > terminal=? res=success'
> > > > > >
> > > > > >
> > > > > > Sincerly,
> > > > > > CHING YI.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20161005/4b2bfd4b/attachment.htm>

More information about the Linux-audit mailing list