auditd is enabled too late in the boot process
Bug #138737 reported by Mathias Gug
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
audit (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Auditd can miss audit messages emitted by the kernel during the boot process because it's not enabled yet.
Example:
/var/log/audit/audit.log:

```text
type=DAEMON_START msg=audit(1189451486.028:5177) auditd start, ver=1.5.4, format=raw, auid=4294967295 pid=3838 res=success, auditd pid=3838
type=CONFIG_CHANGE msg=audit(1189451486.195:10) : audit_enabled=1 old=0 by auid=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1189451486.195:11) : audit_backlog_limit=320 old=64 by auid=4294967295 res=1
```
/var/log/kern.log:
```text
Sep 10 15:11:26 gutsy-server kernel: [16032.940265] audit(1189451484.195:3): operation="file_mmap" requested_mask="mr" denied_mask="m" name="/etc/passwd" pid=3808 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16032.951959] audit(1189451484.195:4): operation="file_lock" requested_mask="k" denied_mask="k" name="/var/run/syslogd.pid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16032.959242] audit(1189451484.195:5): operation="file_lock" requested_mask="k" denied_mask="k" name="/var/run/syslogd.pid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16032.999285] process `syslogd' is using obsolete setsockopt SO_BSDCOMPAT
Sep 10 15:11:26 gutsy-server kernel: [16033.010586] audit(1189451484.195:6): operation="file_mmap" requested_mask="mr" denied_mask="m" name="/etc/group" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16033.011228] audit(1189451484.195:7): operation="capable" name="setgid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16033.011303] audit(1189451484.195:8): operation="capable" name="setuid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16034.511066] audit(1189451485.695:9): audit_pid=3838 old=0 by auid=4294967295
```
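As an added check that is not part of the bug report, the script below reads auditd's DAEMON_START timestamp from audit.log and lists the kernel audit records in kern.log that predate it, i.e. the records (serials 3 to 9 in the excerpts above) that only ever reached syslog via printk. The sample lines are constructed from the excerpts; the function names are my own.

```python
import re
from typing import Iterator, List, Optional, Tuple

# Constructed sample lines, modelled on the excerpts in the bug report above.
AUDIT_LOG = """\
type=DAEMON_START msg=audit(1189451486.028:5177) auditd start, ver=1.5.4, format=raw, auid=4294967295 pid=3838 res=success, auditd pid=3838
type=CONFIG_CHANGE msg=audit(1189451486.195:10) : audit_enabled=1 old=0 by auid=4294967295 res=1
"""
KERN_LOG = """\
Sep 10 15:11:26 gutsy-server kernel: [16032.940265] audit(1189451484.195:3): operation="file_mmap" requested_mask="mr" denied_mask="m" name="/etc/passwd" pid=3808 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16032.999285] process `syslogd' is using obsolete setsockopt SO_BSDCOMPAT
Sep 10 15:11:26 gutsy-server kernel: [16033.011303] audit(1189451484.195:8): operation="capable" name="setuid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16034.511066] audit(1189451485.695:9): audit_pid=3838 old=0 by auid=4294967295
"""

# Both log formats carry the kernel's "audit(<epoch seconds>:<serial>)" stamp.
STAMP = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

Record = Tuple[float, int, str]  # (timestamp, serial, original line)


def daemon_start_time(audit_log: str) -> Optional[float]:
    """Timestamp of the first DAEMON_START record auditd wrote, or None if absent."""
    for line in audit_log.splitlines():
        if line.startswith("type=DAEMON_START"):
            m = STAMP.search(line)
            if m:
                return float(m.group(1))
    return None


def kernel_audit_records(kern_log: str) -> Iterator[Record]:
    """Yield kernel audit records from kern.log, skipping ordinary printk lines."""
    for line in kern_log.splitlines():
        m = STAMP.search(line)
        if m:
            yield float(m.group(1)), int(m.group(2)), line


def records_before_auditd(audit_log: str, kern_log: str) -> List[Record]:
    """Kernel audit records emitted before auditd's DAEMON_START (printk only)."""
    start = daemon_start_time(audit_log)
    # No DAEMON_START at all means auditd never came up: report every record.
    return [r for r in kernel_audit_records(kern_log) if start is None or r[0] < start]


if __name__ == "__main__":
    for ts, serial, line in records_before_auditd(AUDIT_LOG, KERN_LOG):
        print(f"missed serial {serial} at {ts:.3f}: {line.split('] ', 1)[1]}")
```

On a real host, feed it the full /var/log/audit/audit.log and /var/log/kern.log after a reboot; a non-empty result is the boot-time gap this bug describes.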