Here's an update of my situation:
- The only fix that has held so far is to disable the auditd service and keep it
stopped. This is, of course, not a permanent solution.

I'm not sure if that is just because auditd is using a lot of resources
and that creates a tipping point, or if it somehow is the root cause of
the freeze.

For what it's worth here is my configuration.

I've based my custom rules on the Neo23x0/auditd repository on GitHub.

/etc/audit/auditd.conf 
```
#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
# Log files are owned by group adm, so members of that group can normally read
# the audit trail; keep that group's membership small.
log_group = adm
log_format = ENRICHED
# Records are flushed to disk asynchronously, with an explicit flush every
# 50 records (freq).
flush = INCREMENTAL_ASYNC
freq = 50
# Retention: 5 files of 8 MB each, rotated (max_log_file_action below).
# A high-volume rule set can cycle through that much history quickly.
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
# Low-disk handling: a syslog warning at 75 MB free, then SUSPEND at 50 MB
# free, on a full disk and on a disk error. SUSPEND stops the daemon writing
# records to disk while it stays alive, so recording ends without the service
# failing -- monitor for that condition.
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
# tcp_listen_port is commented out, so no network listener is expected to be
# active; the tcp_* and krb5_* values below only matter if one is enabled.
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
# q_depth sizes the daemon's internal queue toward its plugins; when it
# overflows only a syslog message is written (overflow_action).
q_depth = 1200
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2
```

/etc/audit/audit.rules
```
## This file is automatically generated from /etc/audit/rules.d
## Control rules: -D deletes the rules already loaded, -b 8192 sets the kernel
## backlog limit, -f 1 selects printk (not panic) on audit failure, -i ignores
## errors while the rules are loaded.
## NOTE(review): when the kernel backlog fills, processes issuing audited
## syscalls can be made to wait. `auditctl -s` reports the backlog and lost
## counters -- worth capturing before and during the freeze.
-D
-b 8192
-f 1
-i
## Self-auditing: the audit logs, the audit configuration and the audit tools.
-w /var/log/audit/ -k auditlog
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
## Noise filters: excluded message types and never-rules.
## NOTE(review): subj_type matches an SELinux subject type. On an Ubuntu host
## running AppArmor these never-rules probably match nothing -- confirm.
-a always,exclude -F msgtype=AVC
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=EOE
-a never,user -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony -F 
subj_type=chronyd_t
-a always,exclude -F msgtype=CRYPTO_KEY_USER
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F 
subj_type=initrc_t -F exit=-2
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F 
subj_type=initrc_t -F exit=-2
-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm
-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm
## Kernel parameters, kernel module loading/unloading and kexec.
-w /etc/sysctl.conf -p wa -k sysctl
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F 
auid!=-1 -k modules
-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F 
auid!=-1 -k modules
-w /etc/modprobe.conf -p wa -k modprobe
-a always,exit -F arch=b64 -S kexec_load -k KEXEC
-a always,exit -F arch=b32 -S sys_kexec_load -k KEXEC
## Special file creation, mount/unmount and swap changes.
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount
-a always,exit -F arch=b32 -S mount -S umount -S umount2 -F auid!=-1 -k mount
-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
## System time changes.
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
-w /etc/localtime -p wa -k localtime
-w /usr/sbin/stunnel -p x -k stunnel
## Scheduled jobs (cron configuration and user crontabs).
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron
## Account, group, password and sudoers databases, and the tools that edit them.
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
-w /usr/bin/passwd -p x -k passwd_modification
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
## Login configuration and login/failure record files.
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
## Hostname and domain name changes.
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k 
network_modifications
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k 
network_modifications
## Successful connect() calls; a2 is the address length argument, 16 for an
## IPv4 sockaddr and 28 for an IPv6 one.
## NOTE(review): one event per successful outbound connection can be a large
## share of the volume on a busy host -- check the per-key counts.
-a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F 
key=network_connect_4
-a always,exit -F arch=b32 -S connect -F a2=16 -F success=1 -F 
key=network_connect_4
-a always,exit -F arch=b64 -S connect -F a2=28 -F success=1 -F 
key=network_connect_6
-a always,exit -F arch=b32 -S connect -F a2=28 -F success=1 -F 
key=network_connect_6
## Network configuration files.
-w /etc/hosts -p wa -k network_modifications
-w /etc/sysconfig/network -p wa -k network_modifications
-w /etc/network/ -p wa -k network
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k network_modifications
## Login banners, init scripts, library search path and preload configuration.
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
-w /etc/ld.so.conf -p wa -k libpath
-w /etc/ld.so.preload -p wa -k systemwide_preloads
## PAM, mail, sshd, systemd and SELinux policy configuration.
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa  -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail
-w /etc/ssh/sshd_config -k sshd
-w /bin/systemctl -p x -k systemd
-w /etc/systemd/ -p wa -k systemd
-w /etc/selinux/ -p wa -k mac_policy
## Failed open() calls below system, data and home directories.
## NOTE(review): only the open syscall on b64 is listed here, not openat, so
## failures from programs that call openat are not matched by these eight
## rules -- confirm whether another rule in this file covers them.
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k 
unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k 
unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k 
unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k 
unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k 
unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k 
unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k 
unauthedfileaccess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k 
unauthedfileaccess
## Privilege escalation tools.
## NOTE(review): /etc/sudoers is already watched with -p wa under key
## "actions" earlier in this file; -p rw here additionally records reads,
## which presumably includes every sudo invocation.
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc
## Power state commands.
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power
## Session record files.
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
## Permission, ownership and extended-attribute changes, for b32 and then b64.
## auid>=500 together with auid!=4294967295 (unset) limits the rules to
## processes that descend from a login session.
## NOTE(review): the power_abuse rule in this file uses auid>=1000, the first
## regular UID on Ubuntu; 500 here also matches lower, system-range IDs.
## NOTE(review): auid is kept across sudo, so a package operation started from
## an interactive login would still match -- confirm against the per-key
## event counts.
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b64 -S chmod  -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod
## Every syscall made through the 32-bit ABI.
## NOTE(review): this rule has no filter besides arch, so any 32-bit process
## on the host produces one event per syscall -- a likely volume source if
## such binaries run at all.
-a always,exit -F arch=b32 -S all -k 32bit_api
## Execution of reconnaissance-style commands and reads of host identity files.
-w /usr/bin/whoami -p x -k recon
-w /usr/bin/id -p x -k recon
-w /bin/hostname -p x -k recon
-w /bin/uname -p x -k recon
-w /etc/issue -p r -k recon
-w /etc/hostname -p r -k recon
## Execution of network transfer, remote access and capture tools.
-w /usr/bin/wget -p x -k susp_activity
-w /usr/bin/curl -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity
-w /usr/bin/ncat -p x -k susp_activity
-w /usr/bin/ssh -p x -k susp_activity
-w /usr/bin/scp -p x -k susp_activity
-w /usr/bin/sftp -p x -k susp_activity
-w /usr/bin/ftp -p x -k susp_activity
-w /usr/bin/socat -p x -k susp_activity
-w /usr/bin/wireshark -p x -k susp_activity
-w /usr/bin/tshark -p x -k susp_activity
-w /usr/bin/rawshark -p x -k susp_activity
-w /usr/bin/rdesktop -p x -k susp_activity
-w /usr/bin/nmap -p x -k susp_activity
-w /bin/nc.openbsd -p x -k susp_activity
-w /bin/nc.traditional -p x -k susp_activity
## Execution of firewall, interface and packet tools under /sbin and /usr/sbin.
-w /sbin/iptables -p x -k sbin_susp
-w /sbin/ip6tables -p x -k sbin_susp
-w /sbin/ifconfig -p x -k sbin_susp
-w /usr/sbin/arptables -p x -k sbin_susp
-w /usr/sbin/ebtables -p x -k sbin_susp
-w /usr/sbin/nft -p x -k sbin_susp
-w /usr/sbin/tcpdump -p x -k sbin_susp
-w /usr/sbin/traceroute -p x -k sbin_susp
## ptrace: all requests, then requests 0x4 (POKETEXT), 0x5 (POKEDATA) and
## 0x6 (POKEUSER) under their own keys.
## NOTE(review): syscall rules are evaluated first-match as far as I know;
## with the unfiltered ptrace rules listed first, the a0-specific keys may
## never be assigned. Verify with `ausearch -k code_injection`.
-a always,exit -F arch=b32 -S ptrace -k tracing
-a always,exit -F arch=b64 -S ptrace -k tracing
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
## Root (uid=0) acting under /home for a login user (auid>=1000) on objects
## owned by someone other than that login user (-C auid!=obj_uid).
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C 
auid!=obj_uid -k power_abuse
## Package managers.
-w /usr/bin/rpm -p x -k software_mgmt
-w /usr/bin/yum -p x -k software_mgmt
-w /usr/bin/dnf -p x -k software_mgmt
-w /sbin/yast -p x -k yast
-w /sbin/yast2 -p x -k yast
-w /bin/rpm -p x -k software_mgmt
-w /usr/bin/zypper -k software_mgmt
-w /usr/bin/dpkg -p x -k software_mgmt
-w /usr/bin/apt -p x -k software_mgmt
-w /usr/bin/apt-add-repository -p x -k software_mgmt
-w /usr/bin/apt-get -p x -k software_mgmt
-w /usr/bin/aptitude -p x -k software_mgmt
## Configuration management agents.
-w /etc/puppet/ssl -p wa -k puppet_ssl
-a exit,always -F arch=b64 -S open -F dir=/opt/BESClient -F success=0 -k 
soft_besclient
-w /var/opt/BESClient/ -p wa -k soft_besclient
-w /etc/chef -p wa -k soft_chef
## Docker and kubelet binaries, state and configuration.
## NOTE(review): /var/lib/docker is a directory watch on container storage;
## with running containers it can generate a large number of events. The same
## docker paths are watched again with -p rwxa near the end of this file.
-w /usr/bin/dockerd -k docker
-w /usr/bin/docker -k docker
-w /usr/bin/docker-containerd -k docker
-w /usr/bin/docker-runc -k docker
-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /etc/sysconfig/docker -k docker
-w /etc/sysconfig/docker-storage -k docker
-w /usr/lib/systemd/system/docker.service -k docker
-w /usr/bin/kubelet -k kubelet
## Every execve with effective UID 0.
## NOTE(review): package operations run many root processes (maintainer
## scripts, kernel hooks), so this rule is a probable volume source during
## apt-get autoremove. `aureport -k --summary` shows which keys dominate.
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd
## File and directory deletion or rename by login users.
## NOTE(review): auid is kept across sudo, so a package removal started from
## an interactive login (for example linux-headers, which removes a very large
## number of files) would match these rules once per file -- confirm against
## the per-key event counts.
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat 
-F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat 
-F auid>=500 -F auid!=4294967295 -k delete
## File access attempts that failed with EACCES or EPERM.
## NOTE(review): the lines ending in ">" in this listing were cut off at the
## right margin when it was copied; the remaining filters and the key are not
## visible here.
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S 
truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F aui>
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S 
truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid>
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S 
truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F aui>
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S 
truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid>
## File, link and directory creation attempts that failed with EACCES or EPERM.
-a always,exit -F arch=b32 -S 
creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k 
file_creation
-a always,exit -F arch=b64 -S 
mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k 
file_creation
-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k 
file_creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k 
file_creation
## Rename, truncate, chmod and xattr calls filtered on an exit code; the exit
## value and key are cut off in this listing.
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S 
setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=->
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S 
setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=->
-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S 
setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=->
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S 
setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=->
## Docker watches with explicit rwxa permissions; most of these paths are
## already watched without -p earlier in this file.
-w /usr/bin/docker -p rwxa -k docker
-w /var/lib/docker -p rwxa -k docker
-w /etc/docker -p rwxa -k docker
-w /usr/lib/systemd/system/docker.service -p rwxa -k docker
-w /usr/lib/systemd/system/docker.socket -p rwxa -k docker
-w /etc/default/docker -p rwxa -k docker
-w /var/run/docker.sock -p rwxa -k docker
-w /etc/docker/daemon.json -p rwxa -k docker
-w /usr/bin/docker-containerd -p rwxa -k docker
-w /usr/bin/docker-runc -p rwxa -k docker
## -e 2 makes the loaded rule set immutable until the next reboot. Rules can
## then no longer be changed or removed with auditctl, so narrowing down which
## rule is involved in the freeze needs a reboot per attempt unless this line
## is temporarily taken out.
-e 2
```

-- 
https://bugs.launchpad.net/bugs/2125707

Title:
  Upgrade to 5.15.0-151.161 crashes

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Linux check1556 5.15.0-156-generic #166-Ubuntu SMP Sat Aug 9 00:02:46
  UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

  After upgrading to 5.15.0-156-generic and restarting, execution of
  apt-get -y autoremove crashes.

  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  The following packages will be REMOVED:
    linux-headers-5.15.0-151 linux-headers-5.15.0-151-generic 
linux-image-5.15.0-151-generic linux-modules-5.15.0-151-generic 
linux-modules-extra-5.15.0-151-generic
  0 upgraded, 0 newly installed, 5 to remove and 0 not upgraded.
  After this operation, 584 MB disk space will be freed.
  (Reading database ... 146904 files and directories currently installed.)
  Removing linux-headers-5.15.0-151-generic (5.15.0-151.161) ...
  Removing linux-headers-5.15.0-151 (5.15.0-151.161) ...
  Read from remote host 10.145.55.46: Operation timed out
  Connection to 10.145.55.46 closed.
  client_loop: send disconnect: Broken pipe
