Hello,
On Thursday, May 26, 2016 03:03:11 PM Christian Boltz wrote:
I'd like to ask for a more useful error message in auditd ;-)
If audit.log is world-readable (chmod 644 [1]), auditd refuses to start.
The problem is that it gives a completely useless error message when
doing that:
# systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sa 2016-05-21 12:43:55 CEST; 4min 14s ago
Process: 8656 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Process: 8654 ExecStart=/sbin/auditd -n (code=exited, status=6)
Main PID: 8654 (code=exited, status=6)
Mai 21 12:43:55 tux systemd[1]: Starting Security Auditing Service...
Mai 21 12:43:55 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
Mai 21 12:43:55 tux augenrules[8656]: /sbin/augenrules: No change
Mai 21 12:43:55 tux augenrules[8656]: No rules
Mai 21 12:43:55 tux systemd[1]: Failed to start Security Auditing Service.
Mai 21 12:43:55 tux systemd[1]: auditd.service: Unit entered failed state.
Mai 21 12:43:55 tux systemd[1]: auditd.service: Failed with result 'exit-code'.
Exit status 6/NOTCONFIGURED is not really helpful (and not even a
correct) information :-(
After searching around, reading the manpage etc. I tried to start auditd
manually in debug mode:
# auditd -f
Config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
/var/log/audit/audit.log permissions should be 0600 or 0640
The audit daemon is exiting.
Now _that_ is a useful message and clearly states what the problem is.
Can you please change auditd so that it prints or logs this useful
message independent of the given parameters?
This is the code you are talking about:
https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L618
It is LOG_ERR, so it should be captured by syslog. Not sure what else can be
done.
-Steve
In case it matters: I'm using openSUSE Tumbleweed with audit
2.5.
Regards,
Christian Boltz
[1] I did that chmod to make testing of aa-logprof (part of the AppArmor
userspace tools) easier.
> I see no "do" in your script, so this will give you a "syntax error
> near unexpected token `done'" after shutdown ;-))
I've been hearing funny noises after shutdown, that must be it :-)
[> Christian Boltz and Chris Maaskant in opensuse]
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
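
The permission rule quoted in the thread ("permissions should be 0600 or 0640") can be checked before starting the daemon, so the cause is visible even when `systemctl status` shows only the exit code. This is an added example, not code from auditd or from either poster; the function names are hypothetical, and it assumes `key = value` lines in auditd.conf and GNU `stat`.

```shell
#!/bin/sh
# Added example (not auditd's own code): pre-flight check of the audit log
# mode against the rule in the message quoted in the thread (0600 or 0640).
# Assumptions: auditd.conf uses "key = value" lines; GNU stat is available.

# Print the log_file value from an auditd.conf-style file (last one wins).
audit_log_path() {
    conf=$1
    sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$conf" | tail -n 1
}

# Return 0 if the log file mode is 0600 or 0640,
#        1 if the mode is anything else (for example world-readable 0644),
#        2 if the config or the log file cannot be found.
check_audit_log_mode() {
    conf=${1:-/etc/audit/auditd.conf}
    log=$(audit_log_path "$conf")
    if [ -z "$log" ] || [ ! -f "$log" ]; then
        echo "cannot determine log_file from $conf" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$log")   # octal permission bits, e.g. 644
    case $mode in
        600|640)
            return 0 ;;
        *)
            echo "$log has mode $mode; expected 0600 or 0640" >&2
            return 1 ;;
    esac
}

# Usage (after sourcing this file):
#   check_audit_log_mode /etc/audit/auditd.conf || echo "fix with chmod 0640"
```
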