Hello,
On Thursday, 26 May 2016, 10:54:43 CEST, Steve Grubb wrote:
> On Thursday, May 26, 2016 03:03:11 PM Christian Boltz wrote:
> > I'd like to ask for a more useful error message in auditd ;-)
> >
> > If audit.log is world-readable (chmod 644 [1]), auditd refuses to
> > start.
> >
> > The problem is that it gives a completely useless error message when
> > doing that:
> >
> > # systemctl status auditd.service
> > ● auditd.service - Security Auditing Service
> > ...
> > ExecStart=/sbin/auditd -n (code=exited, status=6)
> > ...
> > Exit status 6/NOTCONFIGURED is not really helpful (and not even a
> > correct) information :-(
> >
> > After searching around, reading the manpage etc. I tried to start
> > auditd manually in debug mode:
> >
> > # auditd -f
> > Config file /etc/audit/auditd.conf opened for parsing
> > log_file_parser called with: /var/log/audit/audit.log
> > /var/log/audit/audit.log permissions should be 0600 or 0640
> > The audit daemon is exiting.
> >
> > Now _that_ is a useful message and clearly states what the problem
> > is.
> >
> > Can you please change auditd so that it prints or logs this useful
> > message independent of the given parameters?
>
> This is the code you are talking about:
> https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L618
>
> It is LOG_ERR, so it should be captured by syslog. Not sure what else
> can be done.
You are right, the message is in syslog - but not in the
"systemctl status auditd" output.
I just played a bit with the auditd.service file (with 644 file
permissions on audit.log).
The original auditd.service as shipped in the openSUSE package has
ExecStart=/sbin/auditd -n
and leads to the useless error message I reported.
I changed auditd.service to contain
ExecStart=/sbin/auditd -f
which made the status output more verbose:
# systemctl restart auditd.service
Job for auditd.service failed because the control process exited with error code. See "systemctl status auditd.service" and "journalctl -xe" for details.
# systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/etc/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2016-05-26 17:16:46 CEST; 2s ago
  Process: 22254 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 22251 ExecStart=/sbin/auditd -f (code=exited, status=6)
 Main PID: 22251 (code=exited, status=6)

May 26 17:16:46 tux auditd[22251]: /var/log/audit/audit.log permissions should be 0600 or 0640
May 26 17:16:46 tux auditd[22251]: The audit daemon is exiting.
May 26 17:16:46 tux systemd[1]: Starting Security Auditing Service...
May 26 17:16:46 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
May 26 17:16:46 tux augenrules[22254]: /sbin/augenrules: No change
May 26 17:16:46 tux augenrules[22254]: No rules
May 26 17:16:46 tux systemd[1]: Failed to start Security Auditing Service.
May 26 17:16:46 tux systemd[1]: auditd.service: Unit entered failed state.
May 26 17:16:46 tux systemd[1]: auditd.service: Failed with result 'exit-code'.
For comparison, let me repeat the output with auditd -n:
# systemctl restart auditd.service
Job for auditd.service failed because the control process exited with error code. See "systemctl status auditd.service" and "journalctl -xe" for details.
# systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2016-05-26 17:18:00 CEST; 2s ago
  Process: 22374 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 22370 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 22370 (code=exited, status=6)

May 26 17:18:00 tux systemd[1]: Starting Security Auditing Service...
May 26 17:18:00 tux augenrules[22374]: /sbin/augenrules: No change
May 26 17:18:00 tux augenrules[22374]: No rules
May 26 17:18:00 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
May 26 17:18:00 tux systemd[1]: Failed to start Security Auditing Service.
May 26 17:18:00 tux systemd[1]: auditd.service: Unit entered failed state.
May 26 17:18:00 tux systemd[1]: auditd.service: Failed with result 'exit-code'.
As you can see, the systemctl status output with -f has two more lines,
and one of them is the message I want to see ;-)
The syslog contains the "permissions should be 600 or 640" with both
-f and -n, so this "only" affects the systemctl status output.
I'm afraid this has to do with systemd and journald interaction which
makes things more interesting[tm].
AFAIK systemd grabs STDERR output for systemctl status, which might
explain why the additional log lines are visible when using -f.
However, systemd and journald should also grab the syslog messages.
I have no idea why this doesn't happen here - maybe you need to ask a
systemd expert to clarify this.
For completeness: The complete auditd.service file (as shipped by the
openSUSE package) is:
# /usr/lib/systemd/system/auditd.service
[Unit]
Description=Security Auditing Service
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
ConditionKernelCommandLine=!audit=0
[Service]
ExecStart=/sbin/auditd -n
## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
## and comment/delete the next line and uncomment the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
Regards,
Christian Boltz
--
My concern is that Flash seems to be closer to Swiss cheese than
anything else. [Vahis in evergreen]
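An added example, not part of the thread above and not code from the audit project or the openSUSE package: a POSIX shell pre-flight that applies the rule the quoted message states (the log file's permission bits must be exactly 0600 or 0640) and says why on stderr when they are not. Run from an ExecStartPre= line in a local override of auditd.service, its stderr would land in the journal as part of the unit, the same way the -f output above does. The function names, the diagnostic text and the temporary sample files are this example's own assumptions; it reproduces only the permission check visible in the thread, nothing else auditd may verify.

```shell
#!/bin/sh
# Added example (not from the audit project): pre-flight check for the
# permission rule auditd enforces on its log file, 0600 or 0640 only.

# audit_log_perm_ok PATH
# Returns 0 if PATH's permission bits are exactly 0600 or 0640,
# 1 for any other mode (with a diagnostic on stderr), 2 if PATH is missing.
audit_log_perm_ok() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "$path: no such file" >&2
        return 2
    fi
    # GNU stat prints the mode in octal without a leading zero (e.g. 644);
    # setuid/setgid/sticky bits make it four digits (e.g. 4600), which the
    # case below rejects, matching a comparison of the full 07777 bits.
    # The BSD/macOS stat form is tried as a fallback.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path" 2>/dev/null)
    case "$mode" in
        600|640) return 0 ;;
        *)
            echo "$path permissions should be 0600 or 0640 (found 0$mode)" >&2
            return 1 ;;
    esac
}

# audit_log_perm_fix PATH
# If PATH has a mode the check rejects, tighten it to 0600 (the stricter of
# the two accepted values) and re-check. Returns the re-check's status.
audit_log_perm_fix() {
    if audit_log_perm_ok "$1" 2>/dev/null; then
        return 0
    fi
    chmod 0600 "$1" || return 1
    audit_log_perm_ok "$1"
}

# Demonstration on constructed sample files in a temporary directory
# (these stand in for /var/log/audit/audit.log; nothing on the real system
# is touched).
demo_dir=$(mktemp -d)
for m in 644 640 600; do
    : > "$demo_dir/audit-$m.log"
    chmod "$m" "$demo_dir/audit-$m.log"
done
for f in "$demo_dir"/audit-*.log; do
    audit_log_perm_ok "$f"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "$f: ok"
    else
        echo "$f: rejected (status $rc)"
    fi
done
if audit_log_perm_fix "$demo_dir/audit-644.log"; then
    echo "$demo_dir/audit-644.log: tightened to 0600"
fi
rm -rf "$demo_dir"
```

Exit status 1 from the check is deliberately not the 6 auditd uses, so a failed pre-flight is distinguishable from a failed daemon start in "systemctl status" output.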