Public bug reported:

I found that when changing the Rsyslog configuration (/etc/rsyslog.d/50-default.conf) an Auditd failure occurs with distinctive strings in syslog:

ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
.................
There was an error in line 6 of /etc/audit/audit.rules

Other sign:
----------------
# systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-03-13 17:49:55 MSK; 12min ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 985 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
  Process: 883 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 928 (auditd)
    Tasks: 4 (limit: 4915)
   CGroup: /system.slice/auditd.service
           ├─928 /sbin/auditd
           └─932 /sbin/audispd

The problem was confirmed on two modern physical Linux Ubuntu servers with all the latest system updates.

Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-88-generic x86_64)
-------------------------------------------------------
auditd/bionic,now 1:2.8.2-1ubuntu1 amd64 [installed]
libaudit-common/bionic,bionic,now 1:2.8.2-1ubuntu1 all [installed]
libaudit1/bionic,now 1:2.8.2-1ubuntu1 amd64 [installed]
+
rsyslog/bionic,now 8.32.0-1ubuntu4 amd64 [installed,automatic]

I first found the problem while trying to reconfigure Auditd logging according to the recommendations at:
https://serverfault.com/questions/792766/what-is-the-syslog-facility-for-auditd-logs

When I found the problem, I checked its causes on the Rsyslog side on another server. It is confirmed that it is not associated with changes in the configuration of Auditd.

Example of replication:
-----------------------
1. Edit /etc/rsyslog.d/50-default.conf
   Insert lines for the new log facility:

   *.*;auth,authpriv.none,cron.none,mail.none,local5.none,local6.none -/var/log/syslog
   ###
   ###*.*;auth,authpriv.none,cron.none,mail.none,local5.none -/var/log/syslog
   local6.* /var/log/audit/audit_syslog.log

2. # systemctl restart rsyslog

3. # systemctl restart auditd

4. # systemctl status auditd
   ● auditd.service - Security Auditing Service
      Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
      Active: active (running) since Fri 2020-03-13 18:12:32 MSK; 6s ago
        Docs: man:auditd(8)
              https://github.com/linux-audit/audit-documentation
     Process: 3211 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
     Process: 3183 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Main PID: 3186 (auditd)
       Tasks: 4 (limit: 4915)
      CGroup: /system.slice/auditd.service
              ├─3186 /sbin/auditd
              └─3190 /sbin/audispd

   Mar 13 18:12:32 uk1 augenrules[3211]: failure 1
   Mar 13 18:12:32 uk1 augenrules[3211]: pid 3186
   Mar 13 18:12:32 uk1 augenrules[3211]: rate_limit 0
   Mar 13 18:12:32 uk1 augenrules[3211]: backlog_limit 8192
   Mar 13 18:12:32 uk1 augenrules[3211]: lost 0
   Mar 13 18:12:32 uk1 augenrules[3211]: backlog 0
   Mar 13 18:12:32 uk1 augenrules[3211]: backlog_wait_time 0
   Mar 13 18:12:32 uk1 systemd[1]: Started Security Auditing Service.
   Mar 13 18:12:32 uk1 auditctl[3225]: There was an error in line 6 of /etc/audit/audit.rules
   Mar 13 18:12:32 uk1 audispd[3190]: node=uk1 type=SERVICE_START msg=audit(1584112352.783:142): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

But the main problem is that this failure cannot be fixed by deleting the changes from the Rsyslog configuration file. It remains even after restarting the server!

I have attached snippets of the system log. The first part corresponds to restarting the system after rolling back the Rsyslog changes. The second part corresponds to the processes after the Auditd restart.

In general, it looks like Auditd is working normally. The logs show its working status. But in the systemd status of auditd the following is issued:

ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)

And this cannot be eliminated.
** Affects: audit (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: augenrules rsyslog

** Attachment added: "Logs and configs"
   https://bugs.launchpad.net/bugs/1867372/+attachment/5336591/+files/auditd+rsyslog_bug.zip

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1867372

Title:
  Auditd failed when changing the Rsyslog configuration

Status in audit package in Ubuntu:
  New
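The two symptoms the report quotes (an ExecStartPost failure in `systemctl status auditd` and an auditctl parse error naming a line of /etc/audit/audit.rules) can be checked mechanically, which matters because the unit still reports "active (running)" while its ruleset has not loaded. The script below is an added example, not code from the bug report or the audit package; the sample status and journal text are constructed from the report, and the rules file it reads is a hypothetical stand-in for /etc/audit/audit.rules.

```shell
#!/bin/sh
# Added example; not code from the bug report or from the audit package.
# Checks for the two symptoms the report quotes: an ExecStartPost failure in
# `systemctl status auditd` output and an auditctl parse error in the journal,
# then prints the offending rules-file line, so a monitor can catch a ruleset
# that did not load while the unit still shows "active (running)".

# Constructed sample input, taken from the symptoms quoted in the report.
SAMPLE_STATUS='  Process: 3211 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
  Process: 3183 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)'
SAMPLE_LOG='Mar 13 18:12:32 uk1 systemd[1]: Started Security Auditing Service.
Mar 13 18:12:32 uk1 auditctl[3225]: There was an error in line 6 of /etc/audit/audit.rules'

# augenrules_failed STATUS_TEXT: succeeds if the rules-loading step exited non-zero
augenrules_failed() {
    printf '%s\n' "$1" | grep -q 'ExecStartPost=.*augenrules.*status=[1-9][0-9]*/FAILURE'
}

# audit_error_line LOG_TEXT: prints the rules-file line number auditctl rejected,
# or nothing when no parse error is present
audit_error_line() {
    printf '%s\n' "$1" |
        sed -n 's/.*There was an error in line \([0-9][0-9]*\) of .*/\1/p' | head -n 1
}

# rule_at_line RULES_FILE N: prints line N of the merged rules file
rule_at_line() {
    sed -n "${2}p" "$1"
}

# check_audit_rules STATUS_TEXT LOG_TEXT RULES_FILE: returns 1 (with a report)
# when the ruleset did not load, 0 when both signals are clean
check_audit_rules() {
    n=$(audit_error_line "$2")
    if ! augenrules_failed "$1" && [ -z "$n" ]; then
        echo "audit rules loaded cleanly"
        return 0
    fi
    echo "audit rules NOT fully loaded: augenrules --load failed"
    [ -n "$n" ] && echo "  rejected $3 line $n: $(rule_at_line "$3" "$n")"
    return 1
}

# Stand-alone run against a hypothetical rules file standing in for /etc/audit/audit.rules
RULES=$(mktemp)
printf '%s\n' '-D' '-b 8192' '-f 1' '' '## hypothetical rule with an invalid permission flag' \
    '-w /etc/passwd -p q -k identity' > "$RULES"
status=0
check_audit_rules "$SAMPLE_STATUS" "$SAMPLE_LOG" "$RULES" || status=$?
rm -f "$RULES"
```

On a live host the same functions can be fed `systemctl status auditd`, `journalctl -u auditd -b`, and the real /etc/audit/audit.rules.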
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1867372/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp