From: Christian Boltz <linux-audit@cboltz.de>
To: linux-audit@redhat.com
Subject: Better error message in auditd wanted
Date: Thu, 26 May 2016 15:03:11 +0200
Message-ID: <9702820.CWonohP2Se@tux.boltz.de.vu>
Hello,
I'd like to ask for a more useful error message in auditd ;-)
If audit.log is world-readable (chmod 644 [1]), auditd refuses to start.
The problem is that it gives a completely useless error message when
doing that:
# systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sa 2016-05-21 12:43:55 CEST; 4min 14s ago
Process: 8656 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Process: 8654 ExecStart=/sbin/auditd -n (code=exited, status=6)
Main PID: 8654 (code=exited, status=6)
Mai 21 12:43:55 tux systemd[1]: Starting Security Auditing Service...
Mai 21 12:43:55 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
Mai 21 12:43:55 tux augenrules[8656]: /sbin/augenrules: No change
Mai 21 12:43:55 tux augenrules[8656]: No rules
Mai 21 12:43:55 tux systemd[1]: Failed to start Security Auditing Service.
Mai 21 12:43:55 tux systemd[1]: auditd.service: Unit entered failed state.
Mai 21 12:43:55 tux systemd[1]: auditd.service: Failed with result 'exit-code'.
Exit status 6/NOTCONFIGURED is not really helpful (and not even a
correct) information :-(
After searching around, reading the manpage etc. I tried to start auditd
manually in debug mode:
# auditd -f
Config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
/var/log/audit/audit.log permissions should be 0600 or 0640
The audit daemon is exiting.
Now _that_ is a useful message and clearly states what the problem is.
Can you please change auditd so that it prints or logs this useful
message independent of the given parameters?
In case it matters: I'm using openSUSE Tumbleweed with audit 2.5.
Regards,
Christian Boltz
[1] I did that chmod to make testing of aa-logprof (part of the AppArmor
userspace tools) easier.
--
> I see no "do" in your script, so this will give you a "syntax error
> near unexpected token `done'" after shutdown ;-))
I've been hearing funny noises after shutdown, that must be it :-)
[> Christian Boltz and Chris Maaskant in opensuse]
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
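
The permission rule quoted in the message above (log file mode 0600 or 0640), written as a preflight check that reports the cause before the service is started. This is an added example, not part of the original post and not auditd's own code; the function names are hypothetical, the `log_file = <path>` line format of auditd.conf is assumed, and the demo files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: preflight check for the audit log mode that auditd insists on.
# Function names are hypothetical; the 0600/0640 rule is the one quoted in the message.

# Print the log_file value from an auditd.conf-style file ("key = value" lines).
audit_log_path() {
    conf=${1:-/etc/audit/auditd.conf}
    sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*//p' "$conf" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 if the mode is acceptable, 1 if it is not, 2 if the file cannot be checked.
check_audit_log_mode() {
    log=$1
    if [ ! -f "$log" ]; then
        echo "$log is missing or not a regular file" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$log") || return 2   # GNU stat, octal mode without leading 0
    case $mode in
        600|640) return 0 ;;
        *)  echo "$log permissions are 0$mode, should be 0600 or 0640" >&2
            return 1 ;;
    esac
}

# Combined check: resolve log_file from the config, then test its mode.
audit_preflight() {
    log=$(audit_log_path "$1")
    [ -n "$log" ] || log=/var/log/audit/audit.log   # path shown in the message
    check_audit_log_mode "$log"
}

# Constructed demo: a throwaway config and log file, first world-readable, then fixed.
audit_preflight_demo() {
    dir=$(mktemp -d) || return 1
    printf 'log_format = RAW\nlog_file = %s/audit.log\n' "$dir" > "$dir/auditd.conf"
    : > "$dir/audit.log"
    chmod 644 "$dir/audit.log"
    audit_preflight "$dir/auditd.conf" || echo "refused (status $?)"
    chmod 640 "$dir/audit.log"
    audit_preflight "$dir/auditd.conf" && echo "ok"
    rm -rf "$dir"
}
audit_preflight_demo
```

Wired into a unit as an `ExecStartPre=` step, a check like this puts the permission message into the journal next to the failed start.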