auditd is enabled too late in the boot process

Bug #138737 reported by Mathias Gug
Affects         Status        Importance  Assigned to  Milestone
audit (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Auditd can miss audit messages emitted by the kernel during the boot process because it's not enabled yet.

Mathias Gug (mathiaz) wrote:

Example:

/var/log/audit/audit.log :

type=DAEMON_START msg=audit(1189451486.028:5177) auditd start, ver=1.5.4, format=raw, auid=4294967295 pid=3838 res=success, auditd pid=3838
type=CONFIG_CHANGE msg=audit(1189451486.195:10): audit_enabled=1 old=0 by auid=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1189451486.195:11): audit_backlog_limit=320 old=64 by auid=4294967295 res=1

/var/log/kern.log:

Sep 10 15:11:26 gutsy-server kernel: [16032.940265] audit(1189451484.195:3): operation="file_mmap" requested_mask="mr" denied_mask="m" name="/etc/passwd" pid=3808 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16032.951959] audit(1189451484.195:4): operation="file_lock" requested_mask="k" denied_mask="k" name="/var/run/syslogd.pid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16032.959242] audit(1189451484.195:5): operation="file_lock" requested_mask="k" denied_mask="k" name="/var/run/syslogd.pid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16032.999285] process `syslogd' is using obsolete setsockopt SO_BSDCOMPAT
Sep 10 15:11:26 gutsy-server kernel: [16033.010586] audit(1189451484.195:6): operation="file_mmap" requested_mask="mr" denied_mask="m" name="/etc/group" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16033.011228] audit(1189451484.195:7): operation="capable" name="setgid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16033.011303] audit(1189451484.195:8): operation="capable" name="setuid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16034.511066] audit(1189451485.695:9): audit_pid=3838 old=0 by auid=4294967295
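
As an added illustration of the gap described above (this is example code, not part of the bug report or of the audit package), the script below compares the kernel audit serials found in kern.log with the serials that actually reached audit.log and lists every record auditd never received. It assumes both logs come from the same boot (the kernel serial counter restarts at boot) and uses the lines quoted above as constructed sample input; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the kern.log and audit.log lines quoted in the report.
KERN_LOG = """\
Sep 10 15:11:26 gutsy-server kernel: [16032.940265] audit(1189451484.195:3): operation="file_mmap" requested_mask="mr" denied_mask="m" name="/etc/passwd" pid=3808 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16032.951959] audit(1189451484.195:4): operation="file_lock" requested_mask="k" denied_mask="k" name="/var/run/syslogd.pid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16032.959242] audit(1189451484.195:5): operation="file_lock" requested_mask="k" denied_mask="k" name="/var/run/syslogd.pid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16032.999285] process `syslogd' is using obsolete setsockopt SO_BSDCOMPAT
Sep 10 15:11:26 gutsy-server kernel: [16033.010586] audit(1189451484.195:6): operation="file_mmap" requested_mask="mr" denied_mask="m" name="/etc/group" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16033.011228] audit(1189451484.195:7): operation="capable" name="setgid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16033.011303] audit(1189451484.195:8): operation="capable" name="setuid" pid=3809 profile="/sbin/syslogd"
Sep 10 15:11:26 gutsy-server kernel: [16034.511066] audit(1189451485.695:9): audit_pid=3838 old=0 by auid=4294967295
"""

AUDIT_LOG = """\
type=DAEMON_START msg=audit(1189451486.028:5177) auditd start, ver=1.5.4, format=raw, auid=4294967295 pid=3838 res=success, auditd pid=3838
type=CONFIG_CHANGE msg=audit(1189451486.195:10): audit_enabled=1 old=0 by auid=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1189451486.195:11): audit_backlog_limit=320 old=64 by auid=4294967295 res=1
"""

# audit(<unix time>:<serial>): the serial is the kernel's per-boot event counter.
AUDIT_ID = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class KernelAuditEvent:
    timestamp: float
    serial: int
    fields: dict


def parse_kernel_audit_events(kern_text):
    """Pull the kernel audit records (serial plus key=value fields) out of kern.log text."""
    events = []
    for line in kern_text.splitlines():
        m = AUDIT_ID.search(line)
        if not m:
            continue  # plain kernel message (e.g. the SO_BSDCOMPAT warning), not an audit record
        fields = {k: v.strip('"') for k, v in KV.findall(line[m.end():])}
        events.append(KernelAuditEvent(float(m.group("ts")), int(m.group("serial")), fields))
    return events


def first_captured_serial(audit_text):
    """Lowest kernel serial present in audit.log, or None if auditd recorded nothing.

    DAEMON_* records are written by auditd itself with its own sequence (5177 in the
    report, while the kernel counter stood at 10), so they are skipped."""
    serials = []
    for line in audit_text.splitlines():
        if line.startswith("type=DAEMON_"):
            continue
        m = AUDIT_ID.search(line)
        if m:
            serials.append(int(m.group("serial")))
    return min(serials) if serials else None


def missed_before_daemon(kern_text, audit_text):
    """Kernel audit records that never reached audit.log because auditd was not yet listening.

    Both inputs must come from the same boot: the kernel serial restarts at each boot."""
    first = first_captured_serial(audit_text)
    if first is None:
        return []  # nothing to compare against: auditd never came up, or audit.log was rotated away
    return [e for e in parse_kernel_audit_events(kern_text) if e.serial < first]


def describe(event):
    """One-line summary of a missed record for the report."""
    f = event.fields
    if "operation" in f:
        return f"serial {event.serial}: {f['operation']} {f.get('name', '')} pid={f.get('pid')} profile={f.get('profile')}"
    return f"serial {event.serial}: " + " ".join(f"{k}={v}" for k, v in f.items())


if __name__ == "__main__":
    missed = missed_before_daemon(KERN_LOG, AUDIT_LOG)
    print(f"auditd first captured kernel serial {first_captured_serial(AUDIT_LOG)}; "
          f"{len(missed)} earlier record(s) exist only in kern.log:")
    for e in missed:
        print("  " + describe(e))
```

On the report's data this lists serials 3 through 9: the profile denials against /sbin/syslogd and the audit_pid registration, all of which were only ever recorded through the kernel log. Run against the current boot's kern.log and audit.log, an empty result is the check that an earlier start of auditd has closed the gap.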

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package audit - 1.6.5-0ubuntu2

---------------
audit (1.6.5-0ubuntu2) hardy; urgency=low

  * debian/rules:
    - Start audit daemon just after the filesystems have been mounted.
      (LP: #138737).
  * debian/auditd.postinst:
    - Remove old rc links now that auditd is started in rcS.d/.

 -- Mathias Gug <email address hidden> Mon, 28 Jan 2008 22:59:08 -0500

Changed in audit:
status: New → Fix Released