Public bug reported:
Auditd was working on my system (Ubuntu 18.04LTS, kernel
4.15.0-1065-aws) until recently. But after splitting off /var into a new
filesystem it fails to launch.
running '/sbin/auditd -f' as root indicates a problem writing the pid file (no
file exists even when it says one does) Post config load command output:
Started dispatcher: /sbin/audispd pid: 16927
type=DAEMON_START msg=audit(1587280022.692:2019): op=start ver=2.8.2 format=raw
kernel=4.15.0-1065-aws auid=878601141 pid=16925 uid=0 ses=24 subj=unconfined
res=success
config_manager init complete
Error setting audit daemon pid (File exists)
type=DAEMON_ABORT msg=audit(1587280022.692:2020): op=set-pid auid=878601141
pid=16925 uid=0 ses=24 subj=unconfined res=failed
Unable to set audit pid, exiting
The audit daemon is exiting.
Error setting audit daemon pid (Permission denied)
/var/run is a symlink to /run
/var/run permissions are 777 root:root
/run permissions are 755f root:root
no /run/auditd.pid and subsiquently no /var/run/auditd.pid exists (even though
the error incorrectly reports otherwise.
/var/log/audit/audit.log output
type=DAEMON_START msg=audit(1587278222.942:5617): op=start ver=2.8.2 format=raw
kernel=4.15.0-1065-aws auid=4294967295 pid=7529 uid=0 ses=4294967295 subj=unconf
ined res=success
type=DAEMON_ABORT msg=audit(1587278222.943:5618): op=set-pid auid=4294967295
pid=7529 uid=0 ses=4294967295 subj=unconfined res=failed
I have been pulling my hair out over this one. So I ran 'strace /sbin/auditd
-f' and found the following line in the output.
"openat(AT_FDCWD, "/var/run/auditd.pid", O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW,
0644) = 4"
I am grasping at straws, but suspect that the O_NOFOLLOW option is causing a
failure in creating the pid file since /var/run is a symlink. I could be wrong
but I can't find anything else to suspect.
Since it is best practice to split/var into a separate file system to
prevent filling the root filesystem in case of an unexpected increase in
log collection I suspect this is a bug. So either the system needs to be
able to follow symlinks or an option such as pid_file=[filepath] needs
to be available in /etc/audit/auditd.conf.
** Affects: audit (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1873627
Title:
auditd fails after moving /var it a new filesystem and turning
/var/run into a symlink to /run
Status in audit package in Ubuntu:
New
Bug description:
Auditd was working on my system (Ubuntu 18.04LTS, kernel
4.15.0-1065-aws) until recently. But after splitting off /var into a
new filesystem it fails to launch.
running '/sbin/auditd -f' as root indicates a problem writing the pid file
(no file exists even when it says one does) Post config load command output:
Started dispatcher: /sbin/audispd pid: 16927
type=DAEMON_START msg=audit(1587280022.692:2019): op=start ver=2.8.2
format=raw kernel=4.15.0-1065-aws auid=878601141 pid=16925 uid=0 ses=24
subj=unconfined res=success
config_manager init complete
Error setting audit daemon pid (File exists)
type=DAEMON_ABORT msg=audit(1587280022.692:2020): op=set-pid auid=878601141
pid=16925 uid=0 ses=24 subj=unconfined res=failed
Unable to set audit pid, exiting
The audit daemon is exiting.
Error setting audit daemon pid (Permission denied)
/var/run is a symlink to /run
/var/run permissions are 777 root:root
/run permissions are 755f root:root
no /run/auditd.pid and subsiquently no /var/run/auditd.pid exists (even
though the error incorrectly reports otherwise.
/var/log/audit/audit.log output
type=DAEMON_START msg=audit(1587278222.942:5617): op=start ver=2.8.2
format=raw kernel=4.15.0-1065-aws auid=4294967295 pid=7529 uid=0 ses=4294967295
subj=unconf
ined res=success
type=DAEMON_ABORT msg=audit(1587278222.943:5618): op=set-pid auid=4294967295
pid=7529 uid=0 ses=4294967295 subj=unconfined res=failed
I have been pulling my hair out over this one. So I ran 'strace /sbin/auditd
-f' and found the following line in the output.
"openat(AT_FDCWD, "/var/run/auditd.pid", O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW,
0644) = 4"
I am grasping at straws, but suspect that the O_NOFOLLOW option is causing a
failure in creating the pid file since /var/run is a symlink. I could be wrong
but I can't find anything else to suspect.
Since it is best practice to split/var into a separate file system to
prevent filling the root filesystem in case of an unexpected increase
in log collection I suspect this is a bug. So either the system needs
to be able to follow symlinks or an option such as pid_file=[filepath]
needs to be available in /etc/audit/auditd.conf.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1873627/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
