| Summary: | audit need be updated for 6.5 kernel | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Morgan Leijström <fri> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | ghibomgx, marja11, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/linux-audit/audit-userspace/releases https://forums.mageia.org/en/viewtopic.php?t=15175 | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | audit-3.1.1-1.mga9.x86_64 | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 32813 | ||
|
Description
Morgan Leijström
2023-12-11 14:53:47 CET
Nicolas Salguero
2024-02-14 11:15:52 CET
Depends on:
(none) =>
32813

Suggested advisory:
========================

The updated packages fix compatibility with kernels 6.5+.

References:
https://forums.mageia.org/en/viewtopic.php?t=15175
========================

Updated packages in core/updates_testing:
========================
audit-3.1.2-1.mga9
audispd-plugins-3.1.2-1.mga9
audispd-plugins-zos-3.1.2-1.mga9
lib(64)audit1-3.1.2-1.mga9
lib(64)audit-devel-3.1.2-1.mga9
lib(64)auparse0-3.1.2-1.mga9
lib(64)auparse-devel-3.1.2-1.mga9
python3-audit-3.1.2-1.mga9

from SRPM:
audit-3.1.2-1.mga9.src.rpm

CC:
(none) =>
nicolas.salguero

Mageia9, x86_64
$ sudo auditctl -v
Error - audit support not in kernel
Cannot open netlink audit socket
Same before and after update with kernel 6.6.14-desktop-2.mga9.
Afterwards:
$ rpm -q audit
audit-3.1.2-1.mga9
$ sudo systemctl start auditd
$ sudo systemctl status auditd
○ auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
Active: inactive (dead)
Condition: start condition failed at Sat 2024-02-17 15:53:25 GMT; 22s ago
└─ ConditionKernelCommandLine=!audit=0 was not met
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Feb 17 15:36:28 yildun systemd[1]: auditd.service was skipped because of an unmet condition check (ConditionKernelCommandLine=!audit=0).

CC:
(none) =>
tarazed25

# auditctl -e 1
Error - audit support not in kernel
Cannot open netlink audit socket
Marja Van Waes
2024-02-17 17:37:51 CET
CC:
(none) =>
marja11
Len Lawrence
2024-02-18 00:36:05 CET
Keywords:
(none) =>
advisory, feedback
katnatek
2024-02-18 03:00:42 CET
CC:
(none) =>
ghibomgx

Giuseppe, did kernel 6.6 have audit support?

(In reply to Len Lawrence from comment #3)
> # auditctl -e 1
> Error - audit support not in kernel
> Cannot open netlink audit socket

(In reply to katnatek from comment #4)
> Giuseppe, did kernel 6.6 have audit support?
> (In reply to Len Lawrence from comment #3)
> > # auditctl -e 1
> > Error - audit support not in kernel
> > Cannot open netlink audit socket

I guess yes

zgrep AUD /boot/config-6.6.14-desktop-2.mga9
CONFIG_AUDIT=y

zgrep AUDIT /boot/config-6.6.14-desktop-2.mga9
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_ARCH=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_DM_AUDIT=y
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_INTEGRITY_AUDIT=y

From ArchWiki https://wiki.archlinux.org/title/Audit_framework
Audit can be enabled at boot-time by setting audit=1

I reboot and test again

something is broken
cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.6.14-desktop-2.mga9 root=UUID=a0cc43c0-b94e-44c7-8ca9-0a69cb6f7053 ro splash quiet noiswmd resume=UUID=ac50cb2a-7731-479b-94f1-e90cc4f90106 audit=0 vga=791 audit=1
systemctl start auditd
systemctl status auditd
○ auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; preset: enabled)
Active: inactive (dead)
Condition: start condition failed at Sat 2024-02-17 20:29:09 CST; 4s ago
└─ ConditionKernelCommandLine=!audit=0 was not met
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
feb 17 20:29:09 phoenix systemd[1]: auditd.service was skipped because of an unmet condition check (ConditionKernelCommandLine=!audit>
Not broken, just too strict
cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.6.14-desktop-2.mga9 root=UUID=a0cc43c0-b94e-44c7-8ca9-0a69cb6f7053 ro splash quiet noiswmd resume=UUID=ac50cb2a-7731-479b-94f1-e90cc4f90106 audit=1 vga=791
systemctl status auditd
○ auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; preset: enabled)
Active: inactive (dead)
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
auditctl -v
auditctl version 3.1.2
Just take care to change audit=0 to audit=1 in the kernel options (https://wiki.mageia.org/en/How_to_set_up_kernel_options), because adding audit=1 at the end does not work.
katnatek
2024-02-18 03:43:13 CET
CC:
ghibomgx =>
(none)
katnatek
2024-02-18 03:43:34 CET
Keywords:
feedback =>
(none)

systemctl start auditd
systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; preset: enabled)
Active: active (running) since Sat 2024-02-17 20:44:16 CST; 3s ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 49629 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Process: 49633 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Main PID: 49630 (auditd)
Tasks: 2 (limit: 11728)
Memory: 1.3M
CPU: 51ms
CGroup: /system.slice/auditd.service
└─49630 /sbin/auditd
feb 17 20:44:16 phoenix systemd[1]: Starting auditd.service...
feb 17 20:44:16 phoenix auditd[49630]: No plugins found, not dispatching events
feb 17 20:44:16 phoenix auditd[49630]: Init complete, auditd 3.1.2 listening for events (startup state enable)
feb 17 20:44:16 phoenix systemd[1]: Started auditd.service.
audit needs to be explicitly enabled by audit=1.

Check also in /proc/cmdline you don't have already audit=0 and in that case revert to audit=1 if you want audit (it's not said that such options are addictive, so that the latest audit=1 cancels a previous audit=0).

BTW, there is also audit-4.0 out which is the latest release, maybe worthwhile to upgrade (maybe before in cauldron, since audit-4.0 requires several changes to the SPEC file other than bumping the version number).

CC:
(none) =>
ghibomgx

(In reply to Giuseppe Ghibò from comment #11)
> audit needs to be explicitly enabled by audit=1.
>
> Check also in /proc/cmdline you don't have already audit=0 and in that case
> revert to audit=1 if you want audit (it's not said that such options are
> addictive, so that the latest audit=1 cancels a previous audit=0).

s/addictive/additive/

Now after overriding the default at boot time auditd is running.

# auditctl -e 1
enabled 1
failure 1
pid 911
rate_limit 0
backlog_limit 64
lost 20
backlog 4
backlog_wait_time 60000
backlog_wait_time_actual 0

Can we leave this at this point or is there anything else we can do?
We have demonstrated that the 6.6 kernel supports audit.

Checked the 6.5.13 desktop kernel. Modified boot command. Started auditd service OK.

$ sudo auditctl -v
auditctl version 3.1.2
# auditctl -e 1
enabled 1
failure 1
pid 165715
rate_limit 0
backlog_limit 64
lost 722
backlog 4
backlog_wait_time 60000
backlog_wait_time_actual 0

(In reply to Len Lawrence from comment #13)
> Now after overriding the default at boot time auditd is running.
>
> # auditctl -e 1
> enabled 1
> failure 1
> pid 911
> rate_limit 0
> backlog_limit 64
> lost 20
> backlog 4
> backlog_wait_time 60000
> backlog_wait_time_actual 0
>
> Can we leave this at this point or is there anything else we can do?
> We have demonstrated that the 6.6 kernel supports audit.

I agree, Giuseppe or someone else can open a report about new version of audit

CC:
(none) =>
sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2024-0058.html

Status:
ASSIGNED =>
RESOLVED |
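
The start condition that tripped the tests in this thread, as an added example that is not part of the bug report or of the audit package: ConditionKernelCommandLine=!audit=0 fails whenever an exact audit=0 token appears anywhere on the kernel command line, so appending audit=1 after it does not help. The function names are hypothetical, the sample lines are shortened from the /proc/cmdline output quoted above, and quoted parameters containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the bug report): model the check behind
# auditd.service's ConditionKernelCommandLine=!audit=0.

# audit_tokens CMDLINE
# Prints every audit=... token found on the line, in order, space separated.
audit_tokens() (
    set -f                      # no globbing while word-splitting the line
    out=
    for tok in $1; do
        case $tok in
            audit=*) out="${out:+$out }$tok" ;;
        esac
    done
    printf '%s\n' "$out"
)

# auditd_unit_verdict CMDLINE
# Prints "skipped" when an exact audit=0 token is present anywhere on the
# line (the negated condition is unmet), otherwise "startable".
auditd_unit_verdict() {
    case " $(audit_tokens "$1") " in
        *" audit=0 "*) echo skipped ;;
        *)             echo startable ;;
    esac
}

# Constructed samples, shortened from the command lines quoted in the thread.
APPENDED='BOOT_IMAGE=/boot/vmlinuz ro splash quiet audit=0 vga=791 audit=1'
REPLACED='BOOT_IMAGE=/boot/vmlinuz ro splash quiet audit=1 vga=791'

for line in "$APPENDED" "$REPLACED"; do
    printf '%-9s [%s]  %s\n' "$(auditd_unit_verdict "$line")" \
        "$(audit_tokens "$line")" "$line"
done

# On a live system: auditd_unit_verdict "$(cat /proc/cmdline)"
```

A "skipped" verdict with more than one audit= token listed points to a leftover audit=0 in the bootloader configuration that has to be replaced rather than overridden.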