[Bug 1873627] Re: auditd fails after moving /var it a new filesystem and turning /var/run into a symlink to /run

2021-05-13 Seth Arnold
Thanks for the strace, these looked like the 'important' parts: sendto(3, {{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=3, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}, 56, 0, {sa_fa

[Bug 1873627] Re: auditd fails after moving /var it a new filesystem and turning /var/run into a symlink to /run

2021-05-13 Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: audit (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1873627 Title: audi

[Bug 1873627] Re: auditd fails after moving /var it a new filesystem and turning /var/run into a symlink to /run

2021-05-13 supporto
Hi, I'm trying to install auditd on my system (Ubuntu 20.04.2 LTS, kernel 5.4.0-72-generic) but I've got the same problem: # systemctl status auditd ● auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active

Re: [Bug 1873627] Re: auditd fails after moving /var it a new filesystem and turning /var/run into a symlink to /run

2020-04-21 Trey Schisser
Alright, close the bug, I have built two different machines and tried to reproduce the problem several different ways, but have been unable to do so. Sorry to bother you with this. Trey Schisser Waveland Technologies - https://wavelandrcm.com Director of Security Operations and IT Infrastructure t

Re: [Bug 1873627] Re: auditd fails after moving /var it a new filesystem and turning /var/run into a symlink to /run

2020-04-20 Trey Schisser
Unfortunately I can't, because I fixed the problem with a workaround and can't recreate the problem on _this_ server. My workaround was to mount the new filesystem as /var/log (since the goal was to keep logs from filling up the root file system), leaving the /var/run symlink on the same filesystem

[Bug 1873627] Re: auditd fails after moving /var it a new filesystem and turning /var/run into a symlink to /run

2020-04-20 Seth Arnold
Running under strace may change the execution environment enough that it's not reflective of the actual error, but it's still worth a shot -- can you pastebin the whole auditd strace logs? That openat() line is actually a success -- the error we're looking for will come from the audit_set_pid(3) fu