Better error message in auditd wanted

Christian Boltz linux-audit at cboltz.de
Thu May 26 15:56:07 UTC 2016


Hello,

On Thursday, 26 May 2016, 10:54:43 CEST, Steve Grubb wrote:
> On Thursday, May 26, 2016 03:03:11 PM Christian Boltz wrote:
> > I'd like to ask for a more useful error message in auditd ;-)
> > 
> > If audit.log is world-readable (chmod 644 [1]), auditd refuses to
> > start.
> > 
> > The problem is that it gives a completely useless error message when
> > doing that:
> > 
> > # systemctl status auditd.service
> > ● auditd.service - Security Auditing Service
...
> > ExecStart=/sbin/auditd -n (code=exited, status=6)
...
> > Exit status 6/NOTCONFIGURED is not really helpful and not even
> > correct information :-(
> > 
> > After searching around, reading the manpage etc. I tried to start
> > auditd manually in debug mode:
> > 
> > 
> > # auditd -f
> > Config file /etc/audit/auditd.conf opened for parsing
> > log_file_parser called with: /var/log/audit/audit.log
> > /var/log/audit/audit.log permissions should be 0600 or 0640
> > The audit daemon is exiting.
> > 
> > 
> > Now _that_ is a useful message and clearly states what the problem
> > is.
> > 
> > Can you please change auditd so that it prints or logs this useful
> > message independent of the given parameters?
> 
> This is the code you are talking about:
> https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L618
> 
> It is LOG_ERR, so it should be captured by syslog. Not sure what else
> can be done.

You are right, the message is in syslog - but not in the 
    systemctl status auditd
output.


I just played a bit with the auditd.service file (with 644 file 
permissions on audit.log).

The original auditd.service as shipped in the openSUSE package has
    ExecStart=/sbin/auditd -n
and leads to the useless error message I reported.

I changed auditd.service to contain
    ExecStart=/sbin/auditd -f
which made the status output more verbose:

# systemctl restart auditd.service
Job for auditd.service failed because the control process exited with error code. See "systemctl status auditd.service" and "journalctl -xe" for details.

# systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/etc/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Do 2016-05-26 17:16:46 CEST; 2s ago
  Process: 22254 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 22251 ExecStart=/sbin/auditd -f (code=exited, status=6)
 Main PID: 22251 (code=exited, status=6)

Mai 26 17:16:46 tux auditd[22251]: /var/log/audit/audit.log permissions should be 0600 or 0640
Mai 26 17:16:46 tux auditd[22251]: The audit daemon is exiting.
Mai 26 17:16:46 tux systemd[1]: Starting Security Auditing Service...
Mai 26 17:16:46 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
Mai 26 17:16:46 tux augenrules[22254]: /sbin/augenrules: No change
Mai 26 17:16:46 tux augenrules[22254]: No rules
Mai 26 17:16:46 tux systemd[1]: Failed to start Security Auditing Service.
Mai 26 17:16:46 tux systemd[1]: auditd.service: Unit entered failed state.
Mai 26 17:16:46 tux systemd[1]: auditd.service: Failed with result 'exit-code'.


For comparison, let me repeat the output with auditd -n:

# systemctl restart auditd.service 
Job for auditd.service failed because the control process exited with error code. See "systemctl status auditd.service" and "journalctl -xe" for details.

# systemctl status auditd.service 
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Do 2016-05-26 17:18:00 CEST; 2s ago
  Process: 22374 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 22370 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 22370 (code=exited, status=6)

Mai 26 17:18:00 tux systemd[1]: Starting Security Auditing Service...
Mai 26 17:18:00 tux augenrules[22374]: /sbin/augenrules: No change
Mai 26 17:18:00 tux augenrules[22374]: No rules
Mai 26 17:18:00 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
Mai 26 17:18:00 tux systemd[1]: Failed to start Security Auditing Service.
Mai 26 17:18:00 tux systemd[1]: auditd.service: Unit entered failed state.
Mai 26 17:18:00 tux systemd[1]: auditd.service: Failed with result 'exit-code'.


As you can see, the systemctl status output with -f has two more lines, 
and one of them is the message I want to see ;-)

The syslog contains the "permissions should be 600 or 640" with both
-f and -n, so this "only" affects the systemctl status output.

I'm afraid this has to do with systemd and journald interaction which
makes things more interesting[tm]. 

AFAIK systemd grabs STDERR output for systemctl status, which might 
explain why the additional log lines are visible when using -f.

However, systemd and journald should also grab the syslog messages. 
I have no idea why this doesn't happen here - maybe you need to ask a 
systemd expert to clarify this.


For completeness: The complete auditd.service file (as shipped by the
openSUSE package) is:

# /usr/lib/systemd/system/auditd.service
[Unit]
Description=Security Auditing Service
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
ConditionKernelCommandLine=!audit=0

[Service]
ExecStart=/sbin/auditd -n
## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
## and comment/delete the next line and uncomment the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target



Regards,

Christian Boltz
-- 
My concern is that Flash seems to be closer to Swiss cheese than
anything else. [Vahis in evergreen]
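Added example (not part of the mail above or of the audit userspace sources): a small pre-start check that applies the same rule auditd's message states, audit.log must be 0600 or 0640, and reports the failure on stderr, the channel that the thread shows systemd does capture into "systemctl status". The mask to the permission bits, the exit code 6 (chosen to match the status seen in the thread) and the extra "(found ...)" suffix are assumptions of this example, not behaviour quoted from auditd; it needs GNU stat.

```shell
#!/bin/sh
# Added example: pre-start sanity check for auditd's log file permissions.
# Not taken from the mail or from auditd; it mirrors the check the mail's
# error message describes ("permissions should be 0600 or 0640").

# Print the permission bits of a file as four octal digits (e.g. 0644).
# The & 0777 mask (dropping setuid/setgid/sticky) is an assumption of this
# example about what "permissions" means here; it is not quoted from auditd.
file_mode() {
    raw="$(stat -c '%a' "$1")" || return 1
    printf '%04o' "$(( 0$raw & 0777 ))"
}

# Return 0 when the log is 0600 or 0640; otherwise print an auditd-style
# message to stderr and return 6, the exit status the mail shows for auditd
# (systemd labels it NOTCONFIGURED). The message goes to stderr on purpose:
# stderr is what ends up in "systemctl status", as the -f run in the mail shows.
check_audit_log_perms() {
    log="$1"
    if ! mode="$(file_mode "$log")"; then
        echo "$log: cannot stat log file" >&2
        return 6
    fi
    case "$mode" in
        0600|0640)
            return 0 ;;
        *)
            echo "$log permissions should be 0600 or 0640 (found $mode)" >&2
            return 6 ;;
    esac
}

# Stand-alone demonstration on a constructed temporary file: first with the
# world-readable 0644 from the mail (rejected), then after tightening to 0640.
demo_audit_log_check() {
    tmp="$(mktemp -d)" || return 1
    log="$tmp/audit.log"          # constructed stand-in, not the real log
    : > "$log"
    chmod 644 "$log"
    if check_audit_log_perms "$log"; then
        echo "unexpected: 0644 accepted" >&2
    fi
    chmod 640 "$log"
    if check_audit_log_perms "$log"; then
        echo "$log: permissions ok ($(file_mode "$log"))"
    fi
    rm -rf "$tmp"
    return 0
}

demo_audit_log_check
```

Wired into a drop-in as an ExecStartPre= line, such a check fails the unit before auditd runs, and its stderr shows up in the journal lines that "systemctl status auditd.service" prints, which is the visibility the mail asks for with "-n".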