Wind River Support Network

Fixed

LIN1023-1518 : add audit rule fail on qemuarm

Created: Jul 31, 2023    Updated: Sep 27, 2023
Resolved Date: Sep 20, 2023
Found In Version: 10.23.30.1
Fix Version: 10.23.30.2
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Userspace

Description

Adding audit rules fails on qemuarm. The following session was run on the target:
root@qemuarm:~# cp /etc/audit/auditd.conf cp /etc/audit/auditd.conf.bak
cp: target '/etc/audit/auditd.conf.bak': No such file or directory
root@qemuarm:~# cp /etc/audit/auditd.conf /etc/audit/auditd.conf.bak
root@qemuarm:~# cp /etc/audit/audit.rules /etc/audit/audit.rules.bak
root@qemuarm:~# echo -e '-D\n-b 320\n-f 1\n-e 1' > /etc/audit/audit.rules
root@qemuarm:~# echo "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime64 -k TEST-time-change
> -w /etc/group -p wa -k TEST-identity-a
> -w /etc/passwd -p wa -k TEST-identity-b
> -w /etc/gshadow -p wa -k TEST-identity-c
> -w /etc/shadow -p wa -k TEST-identity-d
> -a exit,always -F arch=b32 -S sethostname -S setdomainname -k TEST-system-locale-a
> -w /etc/issue -p rwa -k TEST-system-locale-b
> -w /etc/issue.net -p rwa -k TEST-system-locale-c
> -w /etc/hosts -p wa -k TEST-system-locale-d
> -w /etc/network/ -p wa -k TEST-system-locale-e
> -w /var/log/lastlog -p wa -k TEST-logins
> -w /var/run/utmp -p wa -k TEST-session-a
> -w /var/log/wtmp -p wa -k TEST-session-b
> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F uid=0 -k TEST-perm_mod-a
> -a always,exit -F arch=b32 -S chown32 -S fchown32 -S fchownat -S lchown32 -F uid=0 -k TEST-perm_mod-b
> -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k TEST-access
> -a always,exit -F arch=b32 -S mount -F uid=0 -k TEST-export
> -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F uid=0 -k TEST-deletion
> -w /etc/sudoers -p wa -k TEST-sudo" >> /etc/audit/audit.rules
root@qemuarm:~# cat /etc/audit/audit.rules
-D
-b 320
-f 1
-e 1
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime64 -k TEST-time-change
-w /etc/group -p wa -k TEST-identity-a
-w /etc/passwd -p wa -k TEST-identity-b
-w /etc/gshadow -p wa -k TEST-identity-c
-w /etc/shadow -p wa -k TEST-identity-d
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k TEST-system-locale-a
-w /etc/issue -p rwa -k TEST-system-locale-b
-w /etc/issue.net -p rwa -k TEST-system-locale-c
-w /etc/hosts -p wa -k TEST-system-locale-d
-w /etc/network/ -p wa -k TEST-system-locale-e
-w /var/log/lastlog -p wa -k TEST-logins
-w /var/run/utmp -p wa -k TEST-session-a
-w /var/log/wtmp -p wa -k TEST-session-b
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F uid=0 -k TEST-perm_mod-a
-a always,exit -F arch=b32 -S chown32 -S fchown32 -S fchownat -S lchown32 -F uid=0 -k TEST-perm_mod-b
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k TEST-access
-a always,exit -F arch=b32 -S mount -F uid=0 -k TEST-export
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F uid=0 -k TEST-deletion
-w /etc/sudoers -p wa -k TEST-sudo
root@qemuarm:~# systemctl status audit
Unit audit.service could not be found.
root@qemuarm:~# systemctl status auditd
 * auditd.service - Security Auditing Service
Loaded: loaded (/lib/systemd/system/auditd.service; enabled; preset: enabled)
Active: active (running) since Mon 2023-07-31 08:31:27 UTC; 3min 45s ago
Process: 237 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Process: 248 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
Main PID: 245 (auditd)
Tasks: 2 (limit: 4813)
Memory: 748.0K
CGroup: /system.slice/auditd.service
`-245 /sbin/auditd

Jul 31 08:31:27 qemuarm auditctl[248]: enabled 1
Jul 31 08:31:27 qemuarm auditctl[248]: failure 1
Jul 31 08:31:27 qemuarm auditctl[248]: pid 245
Jul 31 08:31:27 qemuarm auditctl[248]: rate_limit 0
Jul 31 08:31:27 qemuarm auditctl[248]: backlog_limit 8192
Jul 31 08:31:27 qemuarm auditctl[248]: lost 0
Jul 31 08:31:27 qemuarm auditctl[248]: backlog 0
Jul 31 08:31:27 qemuarm auditctl[248]: backlog_wait_time 60000
Jul 31 08:31:27 qemuarm auditctl[248]: backlog_wait_time_actual 0
Jul 31 08:31:27 qemuarm systemd[1]: Started Security Auditing Service.
root@qemuarm:~# systemctl stop auditd
[ 259.580869] audit: type=1305 audit(1690792519.330:25): op=set audit_pid=0 old=245 auid=4294967295 ses=4294967295 res=1
root@qemuarm:~# systemctl start auditd
[ 264.800895] audit: type=1305 audit(1690792524.550:26): op=set audit_enabled=1 old=1 auid=4294967295 ses=4294967295 res=1

After the restart, no rules are listed:
root@qemuarm:~# auditctl -l
No rules

Loading audit.rules again with auditctl -R also fails, and still no rules are listed:
root@qemuarm:~# auditctl -R /etc/audit/audit.rules
No rules
enabled 1
failure 1
pid 1917
rate_limit 0
backlog_limit 320
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 1917
rate_limit 0
backlog_limit 320
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 1917
rate_limit 0
backlog_limit 320
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
Error sending add rule data request (Invalid argument)
There was an error in line 5 of /etc/audit/audit.rules
root@qemuarm:~# auditctl -l
No rules

The same operation works well on other BSPs (qemux86-64 log):
http://pek-lpgtest3.wrs.com/lpg-build/cdc/publiclog/WRLinux1023/S230718_LTS23/2023WW30/GIT_20230729/Userspace/qemux86-64_standard_glibc-std/qemux86-64_OE_systemd/audit/target_lxqemu_11.platform_B0E1R0_20230729_214753.log
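auditctl only reports the failing line number ("There was an error in line 5 of /etc/audit/audit.rules"), so it helps to map that number back to the rule and see its arch filter, syscall list and key at a glance. The helper below is an added example, not part of the defect report or of Wind River's tooling; the sample rules are a constructed subset of the file shown above.

```python
import re
import shlex

# Constructed subset of the audit.rules file from the session above (line 5 is the
# rule auditctl rejected on qemuarm).
SAMPLE_RULES = """-D
-b 320
-f 1
-e 1
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime64 -k TEST-time-change
-w /etc/group -p wa -k TEST-identity-a
-a always,exit -F arch=b32 -S mount -F uid=0 -k TEST-export
"""

# Constructed copy of the auditctl message seen in the session.
AUDITCTL_ERROR = "There was an error in line 5 of /etc/audit/audit.rules"

FILTER_RE = re.compile(r"(\w+)(!=|>=|<=|=|>|<)(.*)")

def parse_rule(lineno, line):
    """Split one audit.rules line into its kind, syscalls, -F filters and key."""
    toks = shlex.split(line)
    rule = {"line": lineno, "text": line, "syscalls": [], "filters": {}, "key": None}
    if toks[0] == "-a":
        rule["kind"] = "syscall"
        rule["list_action"] = set(toks[1].split(","))  # 'always,exit' or 'exit,always'
    elif toks[0] == "-w":
        rule["kind"] = "watch"
        rule["path"] = toks[1]
    else:
        rule["kind"] = "control"          # -D, -b, -f, -e ...
        rule["args"] = toks[1:]
        return rule
    for flag, val in zip(toks[2::2], toks[3::2]):
        if flag == "-S":
            rule["syscalls"].append(val)
        elif flag == "-F":
            name, op, value = FILTER_RE.match(val).groups()
            rule["filters"][name] = (op, value)   # e.g. arch -> ('=', 'b32')
        elif flag == "-k":
            rule["key"] = val
        elif flag == "-p":
            rule["perms"] = val
    return rule

def parse_rules(text):
    """Parse every non-blank, non-comment line, keeping file line numbers."""
    return [parse_rule(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.strip().startswith("#")]

def rule_at_error(text, error_msg):
    """Return the parsed rule auditctl's 'error in line N' message points at."""
    m = re.search(r"error in line (\d+)", error_msg)
    if not m:
        return None
    return next((r for r in parse_rules(text) if r["line"] == int(m.group(1))), None)
```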

Steps to Reproduce

Please refer to the steps in 'Description'.

root@qemuarm:~# cp /etc/audit/auditd.conf /etc/audit/auditd.conf.bak
root@qemuarm:~# cp /etc/audit/audit.rules /etc/audit/audit.rules.bak
root@qemuarm:~# echo -e '-D\n-b 320\n-f 1\n-e 1' > /etc/audit/audit.rules
root@qemuarm:~# echo "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime64 -k TEST-time-change
-w /etc/group -p wa -k TEST-identity-a
-w /etc/passwd -p wa -k TEST-identity-b
-w /etc/gshadow -p wa -k TEST-identity-c
-w /etc/shadow -p wa -k TEST-identity-d
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k TEST-system-locale-a
-w /etc/issue -p rwa -k TEST-system-locale-b
-w /etc/issue.net -p rwa -k TEST-system-locale-c
-w /etc/hosts -p wa -k TEST-system-locale-d
-w /etc/network/ -p wa -k  TEST-system-locale-e
-w /var/log/lastlog -p wa -k TEST-logins
-w /var/run/utmp -p wa -k TEST-session-a
-w /var/log/wtmp -p wa -k TEST-session-b
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F uid=0 -k TEST-perm_mod-a
-a always,exit -F arch=b32 -S chown32 -S fchown32 -S fchownat -S lchown32 -F uid=0 -k TEST-perm_mod-b
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k TEST-access
-a always,exit -F arch=b32 -S mount -F uid=0 -k TEST-export
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F uid=0 -k TEST-deletion
-w /etc/sudoers -p wa -k TEST-sudo" >> /etc/audit/audit.rules
root@qemuarm:~# auditctl -R /etc/audit/audit.rules
root@qemuarm:~# auditctl -l