Re: Problem running auditd on Raspberry Pi (fedora-server-24)

[Steve Grubb <sgrubb@redhat.com>]

On Saturday, October 1, 2016 5:47:47 PM EDT C.y wrote:
> Hi all,
> 
> 
> I have fedora-server-24 installed on my raspberry-pi-3, following the guide
> https://fedoraproject.org/wiki/Raspberry_Pi.
> 
> Once I get my raspberry pi boot up, there were error mentioning that "audit
> support not in kernel", which I believed were then resolved after I rebuild
> my kernel.
> 
> However, I got stuck when I tried to add rule using `auditctl` command as
> below:
> `# auditctl -w /etc/passwd -p wa -k passwd_changes`
> Error sending add rule data request (Invalid argument)

Hmm. I wonder if 'ausyscall open' gives you syscalls.

> I tried to search for solution but it lead me to a bug that were already
> been solved like years ago. Can anyone tell me if I am in the right way of
> getting auditd works on raspberry pi? Were the problem I've faced were
> already a known issue?
> 
> Below are my system information and some logs/details when I tried to
> diagnosis the problem and thanks a lot for your help in advance!
> 
> `# uname -a`
> Linux raspi3.lab 4.4.23-v7+ #2 SMP Sat Oct 1 15:24:41 CST 2016 armv7l
> armv7l armv7l GNU/Linux

I also wonder if we have a mismatch here. Is that armv seventy one or armv 
seven-el? Its coded in audit as seventy one.

-Steve

> `# modprobe configs ; gunzip -dc /proc/config.gz | grep AUDIT`
> CONFIG_AUDIT=y
> CONFIG_NETFILTER_XT_TARGET_AUDIT=m
> CONFIG_AUDIT_GENERIC=y
> # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
> 
> `# systemctl status auditd.service`
> ● auditd.service - Security Auditing Service
>    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor
> preset: enabled)
>    Active: active (running) since Fri 2016-02-12 00:28:07 CST; 7 months 19
> days ago
>   Process: 1553 ExecReload=/bin/kill -HUP $MAINPID (code=exited,
> status=0/SUCCESS)
>   Process: 279 ExecStartPost=/sbin/augenrules --load (code=exited,
> status=1/FAILURE)
> Main PID: 278 (auditd)
>    CGroup: /system.slice/auditd.service
>            └─278 /sbin/auditd -n
> 
> Oct 01 16:36:53 raspi3.lab auditd[278]: audit(1475311013.356:8458)
> op=reconfigure state=changed auid=4294967295 pid=-1 subj=? res=success
> Oct 01 16:36:53 raspi3.lab systemd[1]: Reloaded Security Auditing Service.
> Oct 01 16:37:28 raspi3.lab systemd[1]: Reloading Security Auditing Service.
> Oct 01 16:37:28 raspi3.lab auditd[278]: config change requested by pid=-1
> auid=4294967295 subj=?
> Oct 01 16:37:28 raspi3.lab auditd[278]: audit(1475311048.046:257)
> op=reconfigure state=changed auid=4294967295 pid=-1 subj=? res=success
> Oct 01 16:37:28 raspi3.lab systemd[1]: Reloaded Security Auditing Service.
> Oct 01 16:38:18 raspi3.lab systemd[1]: Reloading Security Auditing Service.
> Oct 01 16:38:18 raspi3.lab auditd[278]: config change requested by pid=-1
> auid=4294967295 subj=?
> Oct 01 16:38:18 raspi3.lab auditd[278]: audit(1475311098.716:2108)
> op=reconfigure state=changed auid=4294967295 pid=-1 subj=? res=success
> Oct 01 16:38:18 raspi3.lab systemd[1]: Reloaded Security Auditing Service.
> 
> While my `/var/log/audit/audit.log` was full with lines of "SERVICE_START"
> & "SERVICE_STOP"
> type=SERVICE_START msg=audit(1475313700.696:276): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=NetworkManager-dispatcher
> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> type=SERVICE_STOP msg=audit(1475313710.836:277): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=NetworkManager-dispatcher
> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> 
> 
> Sincerly,
> CHING YI.



--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit