
Bug#1111161: auditd: Arm64 arch cannot load rules related to file watch



Package: auditd
Version: 1:v4.0.2-2+b2
Severity: important
X-Debbugs-Cc: debian-arm@lists.debian.org, nuo23fbl2@mozmail.com
User: debian-arm@lists.debian.org
Usertags: arm64

Dear Maintainer,

There is a bug in v4.0.2 of auditd, which has been solved in v4.0.4 onwards.
This renders certain standard rules unusable on aarch64.


   * What led up to the situation?

Loading standard auditd rules which work on Deb12/arm64 and deb13/x86-64.
Any rule with a `-F path=` or `-F dir=` on aarch64 will trigger this bug,
causing other rules to fail to load.

This is due to a bug in the v4.0.2 auditd on aarch64, since fixed upstream.

Sample rules from the auditd repo will trigger this. See:
https://github.com/linux-audit/audit-userspace/blob/1006f10592a44380591a069bc957b0f1874ce9d4/rules/30-pci-dss-v31.rules#L38

This has been solved upstream in https://github.com/linux-audit/audit-userspace/pull/426, and included in the v4.0.4 Release of auditd.

See a full upstream bug report for this issue:
https://github.com/linux-audit/audit-userspace/issues/496


   * What exactly did you do (or not do) that was effective (or
     ineffective)?

I installed the v4.0.5 version of auditd from debian-testing (forky).

   * What was the outcome of this action?

This solved the problem, and stopped the error messages, and the rules now load correctly.


   * What outcome did you expect instead?

I expected the rules-loader in -stable to load rules correctly, without needing to install packages from -testing.




-- System Information:
Debian Release: 13.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'testing')
Architecture: arm64 (aarch64)

Kernel: Linux 6.12.41+deb13-cloud-arm64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages auditd depends on:
ii  init-system-helpers  1.68
ii  libaudit1            1:4.0.5-1
ii  libauparse0t64       1:4.0.5-1
ii  libc6                2.41-12
ii  libcap-ng0           0.8.5-4+b1
ii  libgssapi-krb5-2     1.21.3-5
ii  libkrb5-3            1.21.3-5
ii  libwrap0             7.6.q-36
ii  mawk                 1.3.4.20250131-1

auditd recommends no packages.

Versions of packages auditd suggests:
pn  audispd-plugins  <none>

-- Configuration Files:
/etc/audit/audisp-filter.conf [Errno 13] Permission denied: '/etc/audit/audisp-filter.conf'
/etc/audit/audit-stop.rules [Errno 13] Permission denied: '/etc/audit/audit-stop.rules'
/etc/audit/auditd.conf [Errno 13] Permission denied: '/etc/audit/auditd.conf'
/etc/audit/plugins.d/af_unix.conf [Errno 13] Permission denied: '/etc/audit/plugins.d/af_unix.conf'
/etc/audit/plugins.d/filter.conf [Errno 13] Permission denied: '/etc/audit/plugins.d/filter.conf'
/etc/audit/plugins.d/syslog.conf [Errno 13] Permission denied: '/etc/audit/plugins.d/syslog.conf'
/etc/audit/rules.d/audit.rules [Errno 13] Permission denied: '/etc/audit/rules.d/audit.rules'

-- no debconf information
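
An added example, not part of the original report and not code from the audit-userspace project: a triage helper that classifies a host from its auditd package version and architecture using only the versions named in the report, and lists the rules carrying `-F path=` or `-F dir=`, which the report says trigger the failure. The function names and the sample rules are assumptions made for illustration.

```python
import re
import shlex

# Field names the report says trigger the loader bug on aarch64.
WATCH_FIELDS = ("path", "dir")

# Constructed sample rules, not taken from the report.
SAMPLE = """\
# constructed sample
-a always,exit -F arch=b64 -S openat -F dir=/etc/audit -F perm=wa -k audit-config
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -k shadow
-a always,exit -F arch=b64 -S execve -F uid=0 -k root-exec
"""

def upstream_version(deb_version):
    """'1:v4.0.2-2+b2' -> (4, 0, 2): drop epoch, Debian revision and 'v' prefix."""
    core = deb_version.split(":", 1)[-1].rsplit("-", 1)[0].lstrip("v")
    return tuple(int(p) for p in re.findall(r"\d+", core)[:3])

def status(deb_version, machine):
    """Classify a host using only what the report states."""
    if machine not in ("aarch64", "arm64"):
        return "not-arm64"
    ver = upstream_version(deb_version)
    if ver >= (4, 0, 4):          # report: solved in v4.0.4 onwards
        return "fixed"
    # Only v4.0.2 is named as affected; other versions are not covered.
    return "affected" if ver == (4, 0, 2) else "unknown"

def watch_rules(text):
    """Return (line_no, field, value) for each -F path= / -F dir= in rule text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        tokens = shlex.split(line, comments=True)
        for i, tok in enumerate(tokens):
            # Accept both "-F path=/x" and the joined form "-Fpath=/x".
            if tok == "-F" and i + 1 < len(tokens):
                expr = tokens[i + 1]
            elif tok.startswith("-F") and len(tok) > 2:
                expr = tok[2:]
            else:
                continue
            field, sep, value = expr.partition("=")
            if sep and field in WATCH_FIELDS:
                hits.append((no, field, value))
    return hits

if __name__ == "__main__":
    print(status("1:v4.0.2-2+b2", "aarch64"), watch_rules(SAMPLE))
```

On a real host, pass the installed auditd package version, the output of `uname -m`, and the contents of each file under `/etc/audit/rules.d/`.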

