Better error message in auditd wanted

Christian Boltz linux-audit at cboltz.de
Thu May 26 13:03:11 UTC 2016


Hello,

I'd like to ask for a more useful error message in auditd ;-)

If audit.log is world-readable (chmod 644 [1]), auditd refuses to start.

The problem is that it gives a completely useless error message when 
doing that:

# systemctl status auditd.service 
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sa 2016-05-21 12:43:55 CEST; 4min 14s ago
  Process: 8656 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 8654 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 8654 (code=exited, status=6)

Mai 21 12:43:55 tux systemd[1]: Starting Security Auditing Service...
Mai 21 12:43:55 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
Mai 21 12:43:55 tux augenrules[8656]: /sbin/augenrules: No change
Mai 21 12:43:55 tux augenrules[8656]: No rules
Mai 21 12:43:55 tux systemd[1]: Failed to start Security Auditing Service.
Mai 21 12:43:55 tux systemd[1]: auditd.service: Unit entered failed state.
Mai 21 12:43:55 tux systemd[1]: auditd.service: Failed with result 'exit-code'.


Exit status 6/NOTCONFIGURED is not really helpful and not even 
correct information :-(

After searching around, reading the manpage etc. I tried to start auditd
manually in debug mode:


# auditd -f
Config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
/var/log/audit/audit.log permissions should be 0600 or 0640
The audit daemon is exiting.


Now _that_ is a useful message and clearly states what the problem is.

Can you please change auditd so that it prints or logs this useful 
message independent of the given parameters?


In case it matters: I'm using openSUSE Tumbleweed with audit 2.5.


Regards,

Christian Boltz

[1] I did that chmod to make testing of aa-logprof (part of the AppArmor 
    userspace tools) easier.

-- 
> I see no "do" in your script, so this will give you a "syntax error
> near unexpected token `done'" after shutdown ;-))
I've been hearing funny noises after shutdown, that must be it :-)
[> Christian Boltz and Chris Maaskant in opensuse]
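
Added example (not part of the original message and not auditd's own code): a shell pre-flight check for the failure described above, which can run before starting the service so the cause is visible even when systemd only reports status=6. It reads log_file from an auditd.conf-style file and reports whether the log has one of the two modes named in the debug output. Assumptions: the function names are hypothetical, GNU stat is available, and only the exact modes 0600 and 0640 are accepted.

```shell
#!/bin/sh
# Pre-flight check for the audit log mode named in auditd's debug output.
# Usage (after sourcing this file): check_audit_log_mode [/etc/audit/auditd.conf]

# Print the last log_file value from an auditd.conf-style "key = value" file.
audit_log_path() {
    sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the log mode is 600 or 640, 1 if it is anything else,
# and 2 if the check itself could not be carried out.
check_audit_log_mode() {
    conf=${1:-/etc/audit/auditd.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    log=$(audit_log_path "$conf")
    [ -n "$log" ] || { echo "no log_file setting in $conf" >&2; return 2; }
    [ -e "$log" ] || { echo "$log does not exist" >&2; return 2; }

    # GNU stat: %a prints the permission bits in octal, e.g. 644.
    mode=$(stat -c '%a' "$log") || return 2

    case $mode in
        600|640)
            echo "$log: mode $mode is acceptable"
            return 0
            ;;
        *)
            echo "$log permissions should be 0600 or 0640 (found $mode)" >&2
            return 1
            ;;
    esac
}
```
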




