
Bug#736843: linux-image-kirkwood: AUDITSYSCALL kernel option not set leads to inoperant auditd



Package: linux-image-kirkwood
Severity: grave
Justification: renders package unusable



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: armel (armv5tel)

Kernel: Linux 3.11-2-kirkwood
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages linux-image-kirkwood depends on:
pn  linux-image-3.12-1-kirkwood  <none>

linux-image-kirkwood recommends no packages.

linux-image-kirkwood suggests no packages.


This bug is based on my knowledge plus what Google told me about how auditd is designed.

While issuing this command: sudo auditctl -w /etc/group -p wax -k mykey
auditctl returns this error: Error sending add rule data request (Invalid argument).
This basic command is accepted on another system I had at hand (Ubuntu x86).
This error is documented in various old bug reports as being related to the activation of AUDITSYSCALL inside the kernel.
Unfortunately, this option does not seem to be activated in the default ARM kernel config.

Here is some additional information:
I've tried to force the audit parameter in cmdline.
 cat /proc/cmdline 
console=ttyS0,115200 root=/dev/ram audit=1 initrd=0xa00000,0x900000 ramdisk=32768

Here is the output of : grep -R AUDIT /boot/

/boot/config-3.11-2-kirkwood:CONFIG_AUDIT=y
/boot/config-3.11-2-kirkwood:# CONFIG_AUDIT_LOGINUID_IMMUTABLE is not set
/boot/config-3.11-2-kirkwood:CONFIG_NETFILTER_XT_TARGET_AUDIT=m
/boot/config-3.11-2-kirkwood:CONFIG_AUDIT_GENERIC=y

I'm sticking to the 3.11-2 kernel since 3.12-1 is unable to boot on my QNAP TS219P.
I've manually looked inside the 3.12 config file and AUDITSYSCALL is not enabled.

The same grep on my Ubuntu laptop gives:
/boot/config-3.11.0-15-generic:CONFIG_AUDIT=y
/boot/config-3.11.0-15-generic:CONFIG_AUDITSYSCALL=y
/boot/config-3.11.0-15-generic:CONFIG_AUDIT_WATCH=y
/boot/config-3.11.0-15-generic:CONFIG_AUDIT_TREE=y
/boot/config-3.11.0-15-generic:# CONFIG_AUDIT_LOGINUID_IMMUTABLE is not set
/boot/config-3.11.0-15-generic:CONFIG_NETFILTER_XT_TARGET_AUDIT=m
/boot/config-3.11.0-15-generic:CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
/boot/config-3.11.0-15-generic:CONFIG_INTEGRITY_AUDIT=y
/boot/config-3.11.0-15-generic:# CONFIG_KVM_MMU_AUDIT is not set
/boot/config-3.11.0-15-generic:CONFIG_AUDIT_GENERIC=y
where AUDITSYSCALL is present.


Here is the full log output from the setup of auditd to the first tests I've made:

type=DAEMON_START msg=audit(1390813730.243:5532): auditd start, ver=2.3.3 format=raw kernel=3.11-2-kirkwood auid=4294967295 pid=11634 res=success
type=CONFIG_CHANGE msg=audit(1390813730.414:3): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295  res=1
type=DAEMON_CONFIG msg=audit(1390814101.409:8614) config changed, auid=4294967295 pid=-1 subj=? res=success
type=DAEMON_END msg=audit(1390815167.907:5533): auditd normal halt, sending auid=4294967295 pid=-1 subj=ernel=3.11-2-kirkwood auid=4294967295 pid=11634 res=success res=success
type=DAEMON_START msg=audit(1390822719.361:7372): auditd start, ver=2.3.3 format=raw kernel=3.11-2-kirkwood auid=4294967295 pid=2356 res=success
type=CONFIG_CHANGE msg=audit(1390822719.520:3): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295  res=1
type=NETFILTER_CFG msg=audit(1390822772.364:4): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1390822772.364:5): table=filter family=2 entries=4
type=NETFILTER_CFG msg=audit(1390822772.384:6): table=filter family=2 entries=6
type=NETFILTER_CFG msg=audit(1390822772.444:7): table=filter family=2 entries=7
type=DAEMON_CONFIG msg=audit(1390824671.126:8045) config changed, auid=4294967295 pid=-1 subj=? res=success
type=DAEMON_END msg=audit(1390824929.649:7373): auditd normal halt, sending auid=4294967295 pid=-1 subj=ernel=3.11-2-kirkwood auid=4294967295 pid=2356 res=success res=success
type=DAEMON_START msg=audit(1390824929.737:5417): auditd start, ver=2.3.3 format=raw kernel=3.11-2-kirkwood auid=4294967295 pid=5158 res=success
type=CONFIG_CHANGE msg=audit(1390824929.874:11): audit_backlog_limit=320 old=320 auid=4294967295 ses=4294967295  res=1
type=DAEMON_END msg=audit(1390824996.590:5418): auditd normal halt, sending auid=4294967295 pid=-1 subj=ernel=3.11-2-kirkwood auid=4294967295 pid=5158 res=success res=success
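
An added example, not part of the original report: a shell check that reads a kernel config file and lists the audit options that are not built in, so the condition behind the auditctl error can be detected before rules are loaded. The function name and the option list are assumptions; the list is the set of audit options present in the Ubuntu config quoted above but absent from the kirkwood one, plus CONFIG_AUDIT itself.

```shell
#!/bin/sh
# Added example (not from the bug report): report which audit-related
# kernel options are not built in (=y) in a given kernel config file.
#
# Assumption: the options checked are those set in the Ubuntu config
# quoted in the report but missing from the kirkwood config, plus
# CONFIG_AUDIT itself.
#
# Usage: audit_config_missing /boot/config-$(uname -r)
#        audit_config_missing /proc/config.gz
# Prints one missing option per line.
# Returns 0 if all are set, 1 if any is missing, 2 if the file is unreadable.
audit_config_missing() {
    acm_cfg=$1
    acm_rc=0
    if [ ! -r "$acm_cfg" ]; then
        echo "cannot read kernel config: $acm_cfg" >&2
        return 2
    fi
    # Accept both plain config files and the gzip-compressed /proc/config.gz.
    case $acm_cfg in
        *.gz) acm_text=$(gzip -dc -- "$acm_cfg") || return 2 ;;
        *)    acm_text=$(cat -- "$acm_cfg") || return 2 ;;
    esac
    for acm_opt in CONFIG_AUDIT CONFIG_AUDITSYSCALL \
                   CONFIG_AUDIT_WATCH CONFIG_AUDIT_TREE; do
        # Anchor the pattern on both ends: CONFIG_AUDIT must not be
        # satisfied by CONFIG_AUDIT_GENERIC=y, and "=m" or
        # "# ... is not set" must not count as built in.
        if ! printf '%s\n' "$acm_text" | grep -q "^${acm_opt}=y\$"; then
            echo "$acm_opt"
            acm_rc=1
        fi
    done
    return "$acm_rc"
}

# When run as a script with a path argument, check that file.
if [ "$#" -gt 0 ]; then
    audit_config_missing "$1"
fi
```
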

