On Tue, Oct 4, 2016 at 11:10 PM, Steve Grubb <[email protected]> wrote:
> On Tuesday, October 4, 2016 11:35:46 AM EDT C.y wrote: > > On Tue, Oct 4, 2016 at 4:06 AM, Steve Grubb <[email protected]> wrote: > > > On Sunday, October 2, 2016 11:00:16 AM EDT C.y wrote: > > > > On Sun, Oct 2, 2016 at 12:20 AM, Steve Grubb <[email protected]> > wrote: > > > > > On Saturday, October 1, 2016 5:47:47 PM EDT C.y wrote: > > > > > > Hi all, > > > > > > > > > > > > > > > > > > I have fedora-server-24 installed on my raspberry-pi-3, following > > > > > > the > > > > > > guide https://fedoraproject.org/wiki/Raspberry_Pi. > > > > > > > > > > > > Once I get my raspberry pi boot up, there were error mentioning > that > > > > > > "audit not support not in kernel", which I believed were then > > > > > > resolved after I > > > > > > > > > rebuild my kernel. > > > > > > > > > > > > However, I got stuck when I tried to add rule using `auditctl` > > > > > > command > > > > > > > > > as below: > > > > > > `# auditctl -w /etc/passwd -p wa -k passwd_changes` > > > > > > Error sending add rule data request (Invalid argument) > > > > > > > > > > Hmm. I wonder if 'ausyscall open' gives you syscalls. > > > > > > > > `# ausyscall open` returns as below. So I suppose the answer is > > > > yes?(correct me if I'm wrong) > > > > open 5 > > > > mq_open 274 > > > > openat 322 > > > > perf_event_open 364 > > > > open_by_handle_at 371 > > > > > > This means user space is doing the right thing. I am thinking this > sounds > > > like a kernel issue. > > > > > > Have you tried a few other simple commands? > > > > > > auditctl -e 1 > > > auditctl -s > > > auditctl -always,exit -F arch=b64 -S open > > > > > > -Steve > > > > `# auditctl -e 1` returns: > > enabled 1 > > failure 1 > > pid 293 > > rate_limit 0 > > backlog_limit 64 > > lost 11 > > backlog 0 > > backlog_wait_time 6000 > > > > `# auditctl -s` returns: > > enabled 1 > > failure 1 > > pid 293 > > rate_limit 0 > > backlog_limit 64 > > lost 11 > > backlog 0 > > backlog_wait_time 6000 > > OK. So, this sounds like it can communicate with the kernel and part of the > audit system is compiled in. > > > `# auditctl -a always,exit -F arch=b64 -S open` returns: > > arch elf mapping not found > > OK. Maybe its not 64 bit. > > > `# auditctl -a always,exit -S open` returns: > > Error sending add rule data request (Invalid argument) > > If it were 32 bit, then the above would have selected -F arch=b32 > automatically. The error message means the kernel rejected a field in the > audit > rule. Which field, I don't know. It turns out that all these problem occurs because I missed out including some of the config when building the kernel. auditd works well on kernel compiled with `CONFIG_AUDITSYSCALL = y`. p/s: option AUDITSYSCALL wasn't presented defaultly on raspi due to lacking dependency of `! OABI_COMPAT`, which its discussion can be found at https://github.com/raspberrypi/firmware/issues/652 Thanks for spending time on my issues! > > I also noticed that auditd is having difficulty in parsing > > `/etc/auditd/auditd.rules` > > on the booting stage, > > `# journalctl -u auditd.service --this-boot` returns: > > -- Logs begin at Fri 2016-02-12 00:28:01 CST, end at Tue 2016-10-04 > > 10:53:05 CST. -- > > Feb 12 00:28:06 raspi3.lab systemd[1]: Starting Security Auditing > Service... > > Feb 12 00:28:06 raspi3.lab auditd[287]: Started dispatcher: /sbin/audispd > > pid: 301 > > Feb 12 00:28:06 raspi3.lab audispd[301]: priority_boost_parser called > with: > > 4 > > Feb 12 00:28:06 raspi3.lab augenrules[288]: /sbin/augenrules: No change > > Feb 12 00:28:06 raspi3.lab audispd[301]: max_restarts_parser called > with: 10 > > Feb 12 00:28:06 raspi3.lab augenrules[288]: Error sending add rule data > > request (Invalid argument) > > Feb 12 00:28:06 raspi3.lab augenrules[288]: There was an error in line 5 > of > > /etc/audit/audit.rules > > I believe this is just saying that the rule in line 5 was rejected by the > kernel. This is systemd induced. The Error sending rule message went to > stderr, auditctl also logs to syslog that it had a problem. Systemd grabs > both > and logs them. So, this is really 2 messages for the same thing. Its not a > parsing problem per se. > > -Steve > > > Feb 12 00:28:06 raspi3.lab augenrules[288]: No rules > > Feb 12 00:28:06 raspi3.lab systemd[1]: Started Security Auditing Service. > > Feb 12 00:28:06 raspi3.lab auditd[287]: Init complete, auditd 2.5.2 > > listening for events (startup state > > > > while `# cat /etc/audit/rules.d` returns: > > ----- > > ## This file is automatically generated from /etc/audit/rules.d > > -D > > > > > > -a task,never > > ----- > > > > p/s: On the log above, RaspberryPi is showing the wrong time due to a > > reboot, > > the time will be corrected once the chronyd start functioning. > > > > > > Regards, > > CHING YI. > > > > > > > > I tried to search for solution but it lead me to a bug that were > > > > > > already > > > > > > > > > been solved like years ago. Can anyone tell me if I am in the > right > > > > > > way > > > > > > > > > of getting auditd works on raspberry pi? Were the problem I've > faced > > > > > > were > > > > > > > > > already a known issue? > > > > > > > > > > > > Below are my system information and some logs/details when I > tried > > > > > > to > > > > > > diagnosis the problem and thanks a lot for your help in advance! > > > > > > > > > > > > `# uname -a` > > > > > > Linux raspi3.lab 4.4.23-v7+ #2 SMP Sat Oct 1 15:24:41 CST 2016 > > > > > > armv7l > > > > > > armv7l armv7l GNU/Linux > > > > > > > > > > I also wonder if we have a mismatch here. Is that armv seventy one > or > > > > > > armv > > > > > > > > seven-el? Its coded in audit as seventy one. > > > > > > > > It's 7-el. > > > > `# uname -a | grep 7l` (7-el) returns > > > > Linux raspi3.lab 4.4.23-v7+ #2 SMP Sat Oct 1 15:24:41 CST 2016 armv7l > > > > armv7l armv7l GNU/Linux > > > > > > > > > > > > Sincerly, > > > > CHING YI. > > > > > > > > > -Steve > > > > > > > > > > > `# modprobe configs ; gunzip -dc /proc/config.gz | grep AUDIT` > > > > > > CONFIG_AUDIT=y > > > > > > CONFIG_NETFILTER_XT_TARGET_AUDIT=m > > > > > > CONFIG_AUDIT_GENERIC=y > > > > > > # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set > > > > > > > > > > > > `# systemctl status auditd.service` > > > > > > ● auditd.service - Security Auditing Service > > > > > > > > > > > > Loaded: loaded (/usr/lib/systemd/system/auditd.service; > enabled; > > > > > > > > > > > > vendor preset: enabled) > > > > > > > > > > > > Active: active (running) since Fri 2016-02-12 00:28:07 CST; 7 > > > > > > months > > > > > > > > > 19 days ago > > > > > > > > > > > > Process: 1553 ExecReload=/bin/kill -HUP $MAINPID (code=exited, > > > > > > > > > > > > status=0/SUCCESS) > > > > > > > > > > > > Process: 279 ExecStartPost=/sbin/augenrules --load > (code=exited, > > > > > > > > > > > > status=1/FAILURE) > > > > > > Main PID: 278 (auditd) > > > > > > > > > > > > CGroup: /system.slice/auditd.service > > > > > > > > > > > > └─278 /sbin/auditd -n > > > > > > > > > > > > Oct 01 16:36:53 raspi3.lab auditd[278]: > audit(1475311013.356:8458) > > > > > > op=reconfigure state=changed auid=4294967295 pid=-1 subj=? > > > > > > res=success > > > > > > > > > Oct 01 16:36:53 raspi3.lab systemd[1]: Reloaded Security Auditing > > > > > > Service. > > > > > > Oct 01 16:37:28 raspi3.lab systemd[1]: Reloading Security > Auditing > > > > > > Service. > > > > > > Oct 01 16:37:28 raspi3.lab auditd[278]: config change requested > by > > > > > > pid=-1 > > > > > > auid=4294967295 subj=? > > > > > > Oct 01 16:37:28 raspi3.lab auditd[278]: audit(1475311048.046:257) > > > > > > op=reconfigure state=changed auid=4294967295 pid=-1 subj=? > > > > > > res=success > > > > > > > > > Oct 01 16:37:28 raspi3.lab systemd[1]: Reloaded Security Auditing > > > > > > Service. > > > > > > Oct 01 16:38:18 raspi3.lab systemd[1]: Reloading Security > Auditing > > > > > > Service. > > > > > > Oct 01 16:38:18 raspi3.lab auditd[278]: config change requested > by > > > > > > pid=-1 > > > > > > auid=4294967295 subj=? > > > > > > Oct 01 16:38:18 raspi3.lab auditd[278]: > audit(1475311098.716:2108) > > > > > > op=reconfigure state=changed auid=4294967295 pid=-1 subj=? > > > > > > res=success > > > > > > > > > Oct 01 16:38:18 raspi3.lab systemd[1]: Reloaded Security Auditing > > > > > > Service. > > > > > > > > > > > > While my `/var/log/audit/audit.log` was full with lines of > > > > > > "SERVICE_START" & "SERVICE_STOP": > > > > > > type=SERVICE_START msg=audit(1475313700.696:276): pid=1 uid=0 > > > > > > auid=4294967295 ses=4294967295 msg='unit=NetworkManager- > dispatcher > > > > > > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? > > > > > > terminal=? res=success' > > > > > > type=SERVICE_STOP msg=audit(1475313710.836:277): pid=1 uid=0 > > > > > > auid=4294967295 ses=4294967295 msg='unit=NetworkManager- > dispatcher > > > > > > comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? > > > > > > terminal=? res=success' > > > > > > > > > > > > > > > > > > Sincerly, > > > > > > CHING YI. > > >
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
