Package: auditd Version: 1:v4.0.2-2+b2 Severity: important X-Debbugs-Cc: [email protected], [email protected] User: [email protected] Usertags: arm64
Dear Maintainer, There is a bug in the v4.0.2 of auditd, which has been solved in v4.0.4 onwards. This renders certain standard rules unusable on aarch64. * What led up to the situation? Loading standard auditd rules which work on Deb12/arm64 and deb13/x86-64 Any rule with a `-F path=` or `-F dir=` on aarch64 will trigger this bug, causing other rules to fail to load. This is due to a bug in the v4.0.2 auditd on aarch64, since fixed upstream. Sample rules from the auditd repo will trigger this. See: https://github.com/linux-audit/audit-userspace/blob/1006f10592a44380591a069bc957b0f1874ce9d4/rules/30-pci-dss-v31.rules#L38 This has been solved upstream in https://github.com/linux-audit/audit-userspace/pull/426, and included in the v4.0.4 Release of auditd. See a full upstream bug report for this issue: https://github.com/linux-audit/audit-userspace/issues/496 * What exactly did you do (or not do) that was effective (or ineffective)? I installled the v4.0.5 version of auditd from debian-testing (forky). * What was the outcome of this action? This solved the problem, and stopped the error messages, and the rules now load correctly. * What outcome did you expect instead? I expected the rules-loader in -stable to load rules correctly, without needing to install packages from -testing. -- System Information: Debian Release: 13.0 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'testing') Architecture: arm64 (aarch64) Kernel: Linux 6.12.41+deb13-cloud-arm64 (SMP w/2 CPU threads) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages auditd depends on: ii init-system-helpers 1.68 ii libaudit1 1:4.0.5-1 ii libauparse0t64 1:4.0.5-1 ii libc6 2.41-12 ii libcap-ng0 0.8.5-4+b1 ii libgssapi-krb5-2 1.21.3-5 ii libkrb5-3 1.21.3-5 ii libwrap0 7.6.q-36 ii mawk 1.3.4.20250131-1 auditd recommends no packages. Versions of packages auditd suggests: pn audispd-plugins <none> -- Configuration Files: /etc/audit/audisp-filter.conf [Errno 13] Permission denied: '/etc/audit/audisp-filter.conf' /etc/audit/audit-stop.rules [Errno 13] Permission denied: '/etc/audit/audit-stop.rules' /etc/audit/auditd.conf [Errno 13] Permission denied: '/etc/audit/auditd.conf' /etc/audit/plugins.d/af_unix.conf [Errno 13] Permission denied: '/etc/audit/plugins.d/af_unix.conf' /etc/audit/plugins.d/filter.conf [Errno 13] Permission denied: '/etc/audit/plugins.d/filter.conf' /etc/audit/plugins.d/syslog.conf [Errno 13] Permission denied: '/etc/audit/plugins.d/syslog.conf' /etc/audit/rules.d/audit.rules [Errno 13] Permission denied: '/etc/audit/rules.d/audit.rules' -- no debconf information
