After many experiments, I discovered an inconspicuous syntax error in audit.rules.
Here are two seemingly identical lines:
-a exit,always -F arch=b64 -F euid=0 -S execve –k root_actions
-a exit,always -F arch=b64 -F euid=0 -S execve -k root_actions

Their only difference is that in the first line (copy-pasted from another source) the dash before "–k" is not the standard dash character, although it looks exactly the same in the console.
After changing it to a standard dash, the mentioned error ("There was an error in line 6 of /etc/audit/audit.rules") was eliminated.

I absolutely don't understand the role of the Rsyslog configuration changes in this. But paradoxically, this error in the dash character only manifests itself in this case. Before that, a line with a non-standard dash in audit.rules was accepted by auditd without problems on both my servers.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1867372

Title:
  Auditd failed when changing the Rsyslog configuration

Status in audit package in Ubuntu:
  New

Bug description:
  I found that when changing the Rsyslog configuration (/etc/rsyslog.d/50-default.conf) an Auditd failure occurs, with distinctive lines in syslog:
  ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
  .................
  There was an error in line 6 of /etc/audit/audit.rules

  
  Another sign:
  ----------------
  # systemctl status auditd
  ● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-03-13 17:49:55 MSK; 12min ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 985 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
    Process: 883 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
   Main PID: 928 (auditd)
      Tasks: 4 (limit: 4915)
     CGroup: /system.slice/auditd.service
             ├─928 /sbin/auditd
             └─932 /sbin/audispd

  
  The problem was confirmed on two modern physical Linux Ubuntu servers with all the latest system updates.
  Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-88-generic x86_64)
  -------------------------------------------------------
  auditd/bionic,now 1:2.8.2-1ubuntu1 amd64 [installed]
  libaudit-common/bionic,bionic,now 1:2.8.2-1ubuntu1 all [installed]
  libaudit1/bionic,now 1:2.8.2-1ubuntu1 amd64 [installed]
  +
  rsyslog/bionic,now 8.32.0-1ubuntu4 amd64 [installed,automatic]

  
  I first found the problem while trying to reconfigure Auditd logging according to the recommendations at:
  
  https://serverfault.com/questions/792766/what-is-the-syslog-facility-for-auditd-logs
  When I found the problem, I checked its causes on the Rsyslog side on another server.
  It is confirmed that it is not associated with changes in the configuration of Auditd.

  
  Example of replication: 
  -----------------------
  1. Edit /etc/rsyslog.d/50-default.conf
  Insert lines for the new log facility:
  *.*;auth,authpriv.none,cron.none,mail.none,local5.none,local6.none            -/var/log/syslog
  ###
  ###*.*;auth,authpriv.none,cron.none,mail.none,local5.none             -/var/log/syslog

  local6.*                                                              /var/log/audit/audit_syslog.log

  2. # systemctl restart rsyslog

  3. # systemctl restart auditd

  4. # systemctl status auditd
  ● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-03-13 18:12:32 MSK; 6s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 3211 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
    Process: 3183 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
   Main PID: 3186 (auditd)
      Tasks: 4 (limit: 4915)
     CGroup: /system.slice/auditd.service
             ├─3186 /sbin/auditd
             └─3190 /sbin/audispd

  Mar 13 18:12:32 uk1 augenrules[3211]: failure 1
  Mar 13 18:12:32 uk1 augenrules[3211]: pid 3186
  Mar 13 18:12:32 uk1 augenrules[3211]: rate_limit 0
  Mar 13 18:12:32 uk1 augenrules[3211]: backlog_limit 8192
  Mar 13 18:12:32 uk1 augenrules[3211]: lost 0
  Mar 13 18:12:32 uk1 augenrules[3211]: backlog 0
  Mar 13 18:12:32 uk1 augenrules[3211]: backlog_wait_time 0
  Mar 13 18:12:32 uk1 systemd[1]: Started Security Auditing Service.
  Mar 13 18:12:32 uk1 auditctl[3225]: There was an error in line 6 of /etc/audit/audit.rules
  Mar 13 18:12:32 uk1 audispd[3190]: node=uk1 type=SERVICE_START msg=audit(1584112352.783:142): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

  
  But the main problem is that this failure cannot be fixed by deleting the changes from the Rsyslog configuration file.
  It remains even after restarting the server!

  I have attached snippets of the system log.
  The first part corresponds to restarting the system after rolling back the Rsyslog changes.
  The second part corresponds to the processes after the Auditd restart.

  In general, it looks like Auditd is working normally. The logs show its working status.
  But in the systemd status of auditd the following is shown:
  ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)

  And this cannot be eliminated.

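
The check a practitioner would want here, as an added example that is not part of the bug report or of the audit package: a POSIX shell script that scans an audit rules file for bytes outside ASCII (such as the U+2013 en dash pasted before "k" in the comment above) and writes a normalized copy with the ASCII hyphen-minus. The two sample rule lines written by write_sample_rules are constructed from the lines quoted in the comment; the function names are my own, and GNU grep and sed are assumed. Note that augenrules(8) merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules before handing the result to auditctl, so "line 6 of /etc/audit/audit.rules" refers to the generated file, not to any single file under rules.d.

```shell
#!/bin/sh
# Added example (not code from the bug report or the audit package): detect
# non-ASCII bytes in an audit rules file before augenrules/auditctl rejects
# them. A Unicode en dash (U+2013, UTF-8 bytes e2 80 93) pasted in place of the
# ASCII hyphen-minus looks identical in a terminal but is not the "-k" option
# auditctl expects. Assumes POSIX sh with GNU grep and sed; the sample rules
# below are constructed, not taken from a real system.

EN_DASH=$(printf '\342\200\223')   # U+2013, the character in the reporter's bad line
EM_DASH=$(printf '\342\200\224')   # U+2014, another common paste artefact

# Print offending lines as "lineno:content".
# Returns 1 if any non-ASCII byte is found, 0 if the file is clean, 2 if unreadable.
find_non_ascii_rules() {
    [ -r "$1" ] || return 2
    # In the C locale [:print:] and [:space:] cover only ASCII, so every byte
    # >= 0x80 (i.e. any UTF-8 multibyte character) and any stray control byte
    # is flagged, with the line number auditctl would report for that file.
    if LC_ALL=C grep -n '[^[:print:][:space:]]' "$1"; then
        return 1
    fi
    return 0
}

# Write a copy of the file $1 to stdout with en/em dashes replaced by '-'.
# The dash variables expand to raw UTF-8 bytes, which sed matches literally
# in the C locale.
normalize_dashes() {
    LC_ALL=C sed "s/$EN_DASH/-/g; s/$EM_DASH/-/g" "$1"
}

# Constructed sample: the reporter's two visually identical lines, the first
# with an en dash before "k", written to the file named by $1.
write_sample_rules() {
    printf '%s\n' \
        "-a exit,always -F arch=b64 -F euid=0 -S execve ${EN_DASH}k root_actions" \
        "-a exit,always -F arch=b64 -F euid=0 -S execve -k root_actions" \
        > "$1"
}

# Demo: scan the constructed file, then show the normalized version.
demo() {
    tmp=$(mktemp)
    write_sample_rules "$tmp"
    echo "Scanning $tmp:"
    if find_non_ascii_rules "$tmp"; then
        echo "clean"
    else
        echo "non-ASCII bytes found; normalized version:"
        normalize_dashes "$tmp"
    fi
    rm -f "$tmp"
}

demo
```

Running find_non_ascii_rules over /etc/audit/audit.rules before `systemctl restart auditd` (or after an `augenrules --load` failure) prints the offending line number directly; `od -c` on that line exposes the e2 80 93 byte sequence that the console renders as a plain dash. The status output in the bug report shows why the unit still looks healthy: /sbin/auditd (ExecStart) exits 0 and keeps running, while only the post-start rule load (ExecStartPost) exits 1, so systemd reports the service active with a failed post-start step.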
