* Better error message in auditd wanted
@ 2016-05-26 13:03 Christian Boltz
From: Christian Boltz @ 2016-05-26 13:03 UTC (permalink / raw)
To: linux-audit
Hello,
I'd like to ask for a more useful error message in auditd ;-)
If audit.log is world-readable (chmod 644 [1]), auditd refuses to start.
The problem is that it gives a completely useless error message when
doing that:
# systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sa 2016-05-21 12:43:55 CEST; 4min 14s ago
Process: 8656 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Process: 8654 ExecStart=/sbin/auditd -n (code=exited, status=6)
Main PID: 8654 (code=exited, status=6)
Mai 21 12:43:55 tux systemd[1]: Starting Security Auditing Service...
Mai 21 12:43:55 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
Mai 21 12:43:55 tux augenrules[8656]: /sbin/augenrules: No change
Mai 21 12:43:55 tux augenrules[8656]: No rules
Mai 21 12:43:55 tux systemd[1]: Failed to start Security Auditing Service.
Mai 21 12:43:55 tux systemd[1]: auditd.service: Unit entered failed state.
Mai 21 12:43:55 tux systemd[1]: auditd.service: Failed with result 'exit-code'.
Exit status 6/NOTCONFIGURED is not really helpful and not even
correct information :-(
After searching around, reading the manpage etc. I tried to start auditd
manually in debug mode:
# auditd -f
Config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
/var/log/audit/audit.log permissions should be 0600 or 0640
The audit daemon is exiting.
Now _that_ is a useful message and clearly states what the problem is.
Can you please change auditd so that it prints or logs this useful
message independent of the given parameters?
In case it matters: I'm using openSUSE Tumbleweed with audit 2.5.
Regards,
Christian Boltz
[1] I did that chmod to make testing of aa-logprof (part of the AppArmor
userspace tools) easier.
--
> I see no "do" in your script, so this will give you a "syntax error
> near unexpected token `done'" after shutdown ;-))
I've been hearing funny noises after shutdown, that must be it :-)
[> Christian Boltz and Chris Maaskant in opensuse]
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: Better error message in auditd wanted
@ 2016-05-26 14:54 ` Steve Grubb
From: Steve Grubb @ 2016-05-26 14:54 UTC (permalink / raw)
To: linux-audit; +Cc: Christian Boltz
Hello,
On Thursday, May 26, 2016 03:03:11 PM Christian Boltz wrote:
> I'd like to ask for a more useful error message in auditd ;-)
>
> If audit.log is world-readable (chmod 644 [1]), auditd refuses to start.
>
> The problem is that it gives a completely useless error message when
> doing that:
>
> # systemctl status auditd.service
> ● auditd.service - Security Auditing Service
> Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
> Active: failed (Result: exit-code) since Sa 2016-05-21 12:43:55 CEST; 4min 14s ago
> Process: 8656 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
> Process: 8654 ExecStart=/sbin/auditd -n (code=exited, status=6)
> Main PID: 8654 (code=exited, status=6)
>
> Mai 21 12:43:55 tux systemd[1]: Starting Security Auditing Service...
> Mai 21 12:43:55 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
> Mai 21 12:43:55 tux augenrules[8656]: /sbin/augenrules: No change
> Mai 21 12:43:55 tux augenrules[8656]: No rules
> Mai 21 12:43:55 tux systemd[1]: Failed to start Security Auditing Service.
> Mai 21 12:43:55 tux systemd[1]: auditd.service: Unit entered failed state.
> Mai 21 12:43:55 tux systemd[1]: auditd.service: Failed with result 'exit-code'.
>
>
> Exit status 6/NOTCONFIGURED is not really helpful and not even
> correct information :-(
>
> After searching around, reading the manpage etc. I tried to start auditd
> manually in debug mode:
>
>
> # auditd -f
> Config file /etc/audit/auditd.conf opened for parsing
> log_file_parser called with: /var/log/audit/audit.log
> /var/log/audit/audit.log permissions should be 0600 or 0640
> The audit daemon is exiting.
>
>
> Now _that_ is a useful message and clearly states what the problem is.
>
> Can you please change auditd so that it prints or logs this useful
> message independent of the given parameters?
This is the code you are talking about:
https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L618
It is LOG_ERR, so it should be captured by syslog. Not sure what else can be
done.
-Steve
> In case it matters: I'm using openSUSE Tumbleweed with audit 2.5.
>
>
> Regards,
>
> Christian Boltz
>
> [1] I did that chmod to make testing of aa-logprof (part of the AppArmor
> userspace tools) easier.
>
> > I see no "do" in your script, so this will give you a "syntax error
> > near unexpected token `done'" after shutdown ;-))
>
> I've been hearing funny noises after shutdown, that must be it :-)
> [> Christian Boltz and Chris Maaskant in opensuse]
* Re: Better error message in auditd wanted
@ 2016-05-26 15:56 ` Christian Boltz
From: Christian Boltz @ 2016-05-26 15:56 UTC (permalink / raw)
To: linux-audit
Hello,
On Thursday, 26 May 2016, 10:54:43 CEST, Steve Grubb wrote:
> On Thursday, May 26, 2016 03:03:11 PM Christian Boltz wrote:
> > I'd like to ask for a more useful error message in auditd ;-)
> >
> > If audit.log is world-readable (chmod 644 [1]), auditd refuses to
> > start.
> >
> > The problem is that it gives a completely useless error message when
> > doing that:
> >
> > # systemctl status auditd.service
> > ● auditd.service - Security Auditing Service
...
> > ExecStart=/sbin/auditd -n (code=exited, status=6)
...
> > Exit status 6/NOTCONFIGURED is not really helpful and not even
> > correct information :-(
> >
> > After searching around, reading the manpage etc. I tried to start
> > auditd manually in debug mode:
> >
> >
> > # auditd -f
> > Config file /etc/audit/auditd.conf opened for parsing
> > log_file_parser called with: /var/log/audit/audit.log
> > /var/log/audit/audit.log permissions should be 0600 or 0640
> > The audit daemon is exiting.
> >
> >
> > Now _that_ is a useful message and clearly states what the problem
> > is.
> >
> > Can you please change auditd so that it prints or logs this useful
> > message independent of the given parameters?
>
> This is the code you are talking about:
> https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L618
>
> It is LOG_ERR, so it should be captured by syslog. Not sure what else
> can be done.
You are right, the message is in syslog - but not in the
systemctl status auditd
output.
I just played a bit with the auditd.service file (with 644 file
permissions on audit.log).
The original auditd.service as shipped in the openSUSE package has
ExecStart=/sbin/auditd -n
and leads to the useless error message I reported.
I changed auditd.service to contain
ExecStart=/sbin/auditd -f
which made the status output more verbose:
# systemctl restart auditd.service
Job for auditd.service failed because the control process exited with error code. See "systemctl status auditd.service" and "journalctl -xe" for details.
# systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/etc/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Do 2016-05-26 17:16:46 CEST; 2s ago
Process: 22254 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Process: 22251 ExecStart=/sbin/auditd -f (code=exited, status=6)
Main PID: 22251 (code=exited, status=6)
Mai 26 17:16:46 tux auditd[22251]: /var/log/audit/audit.log permissions should be 0600 or 0640
Mai 26 17:16:46 tux auditd[22251]: The audit daemon is exiting.
Mai 26 17:16:46 tux systemd[1]: Starting Security Auditing Service...
Mai 26 17:16:46 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
Mai 26 17:16:46 tux augenrules[22254]: /sbin/augenrules: No change
Mai 26 17:16:46 tux augenrules[22254]: No rules
Mai 26 17:16:46 tux systemd[1]: Failed to start Security Auditing Service.
Mai 26 17:16:46 tux systemd[1]: auditd.service: Unit entered failed state.
Mai 26 17:16:46 tux systemd[1]: auditd.service: Failed with result 'exit-code'.
For comparison, let me repeat the output with auditd -n:
# systemctl restart auditd.service
Job for auditd.service failed because the control process exited with error code. See "systemctl status auditd.service" and "journalctl -xe" for details.
# systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Do 2016-05-26 17:18:00 CEST; 2s ago
Process: 22374 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Process: 22370 ExecStart=/sbin/auditd -n (code=exited, status=6)
Main PID: 22370 (code=exited, status=6)
Mai 26 17:18:00 tux systemd[1]: Starting Security Auditing Service...
Mai 26 17:18:00 tux augenrules[22374]: /sbin/augenrules: No change
Mai 26 17:18:00 tux augenrules[22374]: No rules
Mai 26 17:18:00 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
Mai 26 17:18:00 tux systemd[1]: Failed to start Security Auditing Service.
Mai 26 17:18:00 tux systemd[1]: auditd.service: Unit entered failed state.
Mai 26 17:18:00 tux systemd[1]: auditd.service: Failed with result 'exit-code'.
As you can see, the systemctl status output with -f has two more lines,
and one of them is the message I want to see ;-)
The syslog contains the "permissions should be 600 or 640" with both
-f and -n, so this "only" affects the systemctl status output.
I'm afraid this has to do with systemd and journald interaction which
makes things more interesting[tm].
AFAIK systemd grabs STDERR output for systemctl status, which might
explain why the additional log lines are visible when using -f.
However, systemd and journald should also grab the syslog messages.
I have no idea why this doesn't happen here - maybe you need to ask a
systemd expert to clarify this.
For completeness: The complete auditd.service file (as shipped by the
openSUSE package) is:
# /usr/lib/systemd/system/auditd.service
[Unit]
Description=Security Auditing Service
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
ConditionKernelCommandLine=!audit=0
[Service]
ExecStart=/sbin/auditd -n
## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
## and comment/delete the next line and uncomment the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
Regards,
Christian Boltz
--
My concern is that Flash seems to be closer to Swiss cheese than
anything else. [Vahis in evergreen]
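Added example, not code from the thread or from the audit project: a small POSIX sh pre-flight check that tests audit.log for the 0600/0640 mode auditd insists on, writes the diagnostic to stderr (which journald attaches to "systemctl status", as Christian observed with -f) and mirrors auditd's exit status 6. The file path default and the idea of wiring it in as an ExecStartPre= line are assumptions, not something the thread or the package ships.

```sh
#!/bin/sh
# Added example (not auditd's own code). Reports the audit.log permission
# problem from the thread on stderr before auditd itself fails with status 6.
# Assumed use: ExecStartPre=/usr/local/sbin/check-auditlog-perms (hypothetical path).

# get_mode FILE: octal permission bits; GNU stat first, BSD stat as fallback.
get_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_audit_log_mode FILE
# Returns 0 when FILE is absent (auditd will create it) or its mode is
# exactly 0600 or 0640, the two values auditd accepts; returns 1 otherwise.
check_audit_log_mode() {
    file=$1
    [ -e "$file" ] || return 0
    mode=$(get_mode "$file") || return 1
    case "$mode" in
        600|640) return 0 ;;
        *)       return 1 ;;
    esac
}

# report_audit_log_mode [FILE]
# Prints the same message auditd logs, on stderr so it lands in the journal
# next to the unit's failure, and exits with auditd's status 6 (NOTCONFIGURED).
report_audit_log_mode() {
    file=${1:-/var/log/audit/audit.log}
    if check_audit_log_mode "$file"; then
        return 0
    fi
    echo "$file permissions should be 0600 or 0640 (found $(get_mode "$file"))" >&2
    return 6
}
```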