Comparing the file /etc/systemd/system/multi-user.target.wants/auditd.service
between Focal and Jammy, I can see Jammy has the line "ProtectHome=true". If I
remove this line and reboot the system, the rule is loaded at system boot.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/2020838

Title:
  [regression][jammy] augenrules Error sending add rule data request (No
  such file or directory)

Status in audit package in Ubuntu:
  New

Bug description:
  The rule '-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F
  auid>=1000 -F auid!=unset -k privileged' can not be loaded during
  system boot up.

  # lsb_release -rc
  Release:      22.04
  Codename:     jammy

  # dpkg -l|grep audit
  ii  auditd                 1:3.0.7-1build1   amd64   User space tools for security auditing
  ii  libaudit-common        1:3.0.7-1build1   all     Dynamic library for security auditing - common files
  ii  libaudit1:amd64        1:3.0.7-1build1   amd64   Dynamic library for security auditing
  ii  libauparse0:amd64      1:3.0.7-1build1   amd64   Dynamic library for parsing security auditing

  # cat /etc/audit/rules.d/audit.rules|grep -v ^#|grep -v ^$
  -D
  -a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
  -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
  -b 8192
  --backlog_wait_time 60000
  -f 1

  # ls -l /home/ubuntu/test.sh 
  -rwxr-xr-x 1 root ubuntu 19 May 25 14:19 /home/ubuntu/test.sh

  # cat /home/ubuntu/test.sh
  #!/bin/bash
  echo 1

  
  # >/etc/audit/audit.rules

  reboot the system, no rule can be loaded

  # auditctl -l
  No rules

  syslog:

  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: Error sending add rule data request (No such file or directory)
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: There was an error in line 5 of /etc/audit/audit.rules
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: No rules
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0

  # cat /etc/audit/audit.rules
  ## This file is automatically generated from /etc/audit/rules.d
  -D
  -b 8192
  -f 1
  -a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
  -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
  --backlog_wait_time 60000

  But I can load the rule file manually. It seems this issue only happens
  during system boot up.

  # auditctl -R /etc/audit/audit.rules
  No rules
  enabled 1
  failure 1
  pid 476
  rate_limit 0
  backlog_limit 8192
  lost 0
  backlog 4
  backlog_wait_time 15000
  backlog_wait_time_actual 0
  enabled 1
  failure 1
  pid 476
  rate_limit 0
  backlog_limit 8192
  lost 0
  backlog 4
  backlog_wait_time 15000
  backlog_wait_time_actual 0
  enabled 1
  failure 1
  pid 476
  rate_limit 0
  backlog_limit 8192
  lost 0
  backlog 14
  backlog_wait_time 60000
  backlog_wait_time_actual 0

  # auditctl -l
  -a always,exit -S all -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
  -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts

  If I move the file /home/ubuntu/test.sh to /opt/test.sh, /etc/test.sh or
  /usr/bin/test.sh, then I cannot reproduce the issue.
  Additionally, I have ruled out AppArmor as a factor: I disabled the AppArmor
  service and appended "apparmor=0" to the kernel command line before rebooting.

  Moreover, I can NOT reproduce this issue on Focal(1:2.8.5-2ubuntu6)

  There are 2 issues here, I think

  1) If the rules can be loaded manually, why can't they be loaded
  automatically at system startup?

  2) When loading a particular rule fails, why are the subsequent rules
  skipped?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/2020838/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
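The comment at the top of this message points at the mechanism: augenrules runs from ExecStartPost inside the auditd unit's sandbox, and systemd's ProtectHome=true leaves /home, /root and /run/user empty in that mount namespace. A "-w PATH" or "-F path=PATH" rule becomes a kernel watch whose parent directory must resolve at load time, so /home/ubuntu/test.sh fails with ENOENT exactly as the syslog shows, while the same file under /opt or /etc loads fine. The following is an added example, not code from the bug report or the audit package: a pre-flight check that parses a unit file and a rules file and lists the watch paths the service will not be able to see, plus a drop-in that relaxes ProtectHome to read-only rather than deleting the line from the packaged unit. The unit text and rule set are constructed to mirror the report (the two extra -w rules are assumptions), and read-only is this example's suggestion; the reporter only tested removing the line.

```shell
#!/bin/sh
# Added example, not from the bug report: find audit watch rules whose path lives
# under a directory that systemd's ProtectHome= hides from the auditd unit.
# UNIT_TEXT and RULES_TEXT are constructed inputs modelled on the report.

UNIT_TEXT='[Service]
Type=forking
ExecStart=/sbin/auditd
ExecStartPost=-/sbin/augenrules --load
ProtectHome=true
ProtectSystem=full
'

RULES_TEXT='-D
-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-w /root/.ssh -p wa -k root_ssh
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-b 8192
'

# Read unit text on stdin and print the effective ProtectHome= value
# ("no" when unset; the last assignment wins, as in systemd).
protect_home_mode() {
    awk -F= '/^ProtectHome=/ { v = $2 } END { print (v == "" ? "no" : v) }'
}

# Read audit rules on stdin and print the path of every watch-style rule.
# Both "-w PATH" and "-F path=PATH" become kernel watches, and the kernel must
# resolve PATH's parent directory when the rule is added.
rule_paths() {
    awk '{
        for (i = 1; i < NF; i++) {
            if ($i == "-w") print $(i + 1)
            else if ($i == "-F" && substr($(i + 1), 1, 5) == "path=") print substr($(i + 1), 6)
        }
    }'
}

# Read audit rules on stdin; given the unit's ProtectHome= value ($1), print the
# rule paths the service cannot see. "true"/"yes" and "tmpfs" leave /home, /root
# and /run/user empty; "read-only" keeps them visible, so nothing is flagged.
hidden_paths() {
    case $1 in
        true|yes|tmpfs) rule_paths | grep -E '^/(home|root|run/user)(/|$)' || true ;;
        *) cat >/dev/null ;;
    esac
}

# Combine the two over the constructed inputs.
flagged_rules() {
    ph_mode=$(printf '%s' "$UNIT_TEXT" | protect_home_mode)
    printf '%s' "$RULES_TEXT" | hidden_paths "$ph_mode"
}

# Remediation: a drop-in that weakens ProtectHome to read-only instead of
# removing the line from the packaged unit. $1 is the drop-in directory
# (normally /etc/systemd/system/auditd.service.d; pass a temp dir to dry-run).
# read-only is this example's choice: auditctl needs to see the paths, not write them.
write_protecthome_dropin() {
    mkdir -p "$1"
    printf '[Service]\nProtectHome=read-only\n' > "$1/override.conf"
}

echo "ProtectHome=$(printf '%s' "$UNIT_TEXT" | protect_home_mode); watch paths the service cannot resolve:"
flagged_rules
```

After writing the drop-in on a real host, run `systemctl daemon-reload && systemctl restart auditd`, confirm the effective setting with `systemctl show -p ProtectHome auditd`, and check `auditctl -l` for the rule. For the second question in the report (subsequent rules being skipped), auditctl(8) documents `-c` to continue loading rules in spite of an error; with it, one unresolvable path no longer silently drops every rule that follows.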
