Apologies - I don't remember the full specifics here but IIRC, the Mandiant FireEye HX agent foolishly re-implements Linux Audit, and it's every bit as terrible as that sounds. We discovered that we needed to basically purge both FireEye HX and Auditd on the system, then install Auditd, then disable it entirely, then allow the travesty of having the FireEye HX agent run it's own auditd daemon which clobbers the OS auditd. Yikes. And yes we filed a "please don't do such ugly things with core Linux services" request with their support. :/
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1848330 Title: Installing auditd sometimes fails in post-inst Status in audit package in Ubuntu: Confirmed Status in audit package in Debian: New Bug description: This happens sometimes when installing auditd on Ubuntu 18.04.2, most installations work successfully, though. Re-running the install also fixes the issue, but the failure breaks our automation. The log from the failure looks like this: # apt install auditd ... Setting up auditd (1:2.8.2-1ubuntu1) ... Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service. Job for auditd.service failed because a timeout was exceeded. See "systemctl status auditd.service" and "journalctl -xe" for details. invoke-rc.d: initscript auditd, action "start" failed. ● auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL) Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service... Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705 Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9 Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 'timeout'. Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing Service. dpkg: error processing package auditd (--configure): installed auditd package post-installation script subprocess returned error exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1848330/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp