From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Christian Boltz <linux-audit@cboltz.de>
Subject: Re: Better error message in auditd wanted
Date: Thu, 26 May 2016 10:54:43 -0400
Message-ID: <1919045.4D9BsBxTjm@x2>
In-Reply-To: <9702820.CWonohP2Se@tux.boltz.de.vu>
Hello,
On Thursday, May 26, 2016 03:03:11 PM Christian Boltz wrote:
> I'd like to ask for a more useful error message in auditd ;-)
>
> If audit.log is world-readable (chmod 644 [1]), auditd refuses to start.
>
> The problem is that it gives a completely useless error message when
> doing that:
>
> # systemctl status auditd.service
> ● auditd.service - Security Auditing Service
>    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
>    Active: failed (Result: exit-code) since Sa 2016-05-21 12:43:55 CEST; 4min 14s ago
>   Process: 8656 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
>   Process: 8654 ExecStart=/sbin/auditd -n (code=exited, status=6)
>  Main PID: 8654 (code=exited, status=6)
>
> Mai 21 12:43:55 tux systemd[1]: Starting Security Auditing Service...
> Mai 21 12:43:55 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
> Mai 21 12:43:55 tux augenrules[8656]: /sbin/augenrules: No change
> Mai 21 12:43:55 tux augenrules[8656]: No rules
> Mai 21 12:43:55 tux systemd[1]: Failed to start Security Auditing Service.
> Mai 21 12:43:55 tux systemd[1]: auditd.service: Unit entered failed state.
> Mai 21 12:43:55 tux systemd[1]: auditd.service: Failed with result 'exit-code'.
>
>
> Exit status 6/NOTCONFIGURED is not really helpful (and not even a
> correct) information :-(
>
> After searching around, reading the manpage etc. I tried to start auditd
> manually in debug mode:
>
>
> # auditd -f
> Config file /etc/audit/auditd.conf opened for parsing
> log_file_parser called with: /var/log/audit/audit.log
> /var/log/audit/audit.log permissions should be 0600 or 0640
> The audit daemon is exiting.
>
>
> Now _that_ is a useful message and clearly states what the problem is.
>
> Can you please change auditd so that it prints or logs this useful
> message independent of the given parameters?
This is the code you are talking about:
https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L618
It is LOG_ERR, so it should be captured by syslog. Not sure what else can be
done.
-Steve
> In case it matters: I'm using openSUSE Tumbleweed with audit 2.5.
>
>
> Regards,
>
> Christian Boltz
>
> [1] I did that chmod to make testing of aa-logprof (part of the AppArmor
> userspace tools) easier.
>
> > I see no "do" in your script, so this will give you a "syntax error
> > near unexpected token `done'" after shutdown ;-))
>
> I've been hearing funny noises after shutdown, that must be it :-)
> [> Christian Boltz and Chris Maaskant in opensuse]
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
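
An added example, not part of the original thread or of the audit project's code: a pre-flight check that reads `log_file` from an auditd.conf-style file and reports a wrong mode on the log file before the service is started, so the cause is visible without running `auditd -f`. The function names are hypothetical, and treating "should be 0600 or 0640" as an exact match on the octal mode is an assumption taken from the message quoted above.

```shell
#!/bin/sh
# Added example: pre-flight check for the audit log file mode.
# Assumption: "permissions should be 0600 or 0640" is treated as an exact
# match on the octal mode; auditd's own test may be implemented differently.

# Print the log_file value from an auditd.conf-style file (key = value),
# with surrounding whitespace stripped. The last entry wins.
audit_conf_log_file() {
    sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the log file named in the config has mode 600 or 640.
# Otherwise print the reason on stderr and return 1.
check_audit_log() {
    conf=$1
    log=$(audit_conf_log_file "$conf")
    if [ -z "$log" ]; then
        echo "no log_file entry in $conf" >&2
        return 1
    fi
    if [ ! -f "$log" ]; then
        echo "$log does not exist or is not a regular file" >&2
        return 1
    fi
    mode=$(file_mode "$log")
    case $mode in
        600|640) return 0 ;;
        *) echo "$log permissions should be 0600 or 0640 (found 0$mode)" >&2
           return 1 ;;
    esac
}

# Stand-alone use: sh this-script /etc/audit/auditd.conf
if [ "$#" -gt 0 ]; then
    check_audit_log "$1"
fi
```
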