Description of problem:
Need updated lookup tables for the 6.5 kernel.
3.1.2 also contains other fixes.
3.1.2 is in Cauldron.

Version-Release number of selected component:
audit-3.1.1-1.mga9

How reproducible:
I.e I suppose https://forums.mageia.org/en/viewtopic.php?t=15175

No registered maintainer, setting to all.
Depends on: (none) => 32813
Suggested advisory:
========================

The updated packages fix compatibility with kernels 6.5+.

References:
https://forums.mageia.org/en/viewtopic.php?t=15175
========================

Updated packages in core/updates_testing:
========================
audit-3.1.2-1.mga9
audispd-plugins-3.1.2-1.mga9
audispd-plugins-zos-3.1.2-1.mga9
lib(64)audit1-3.1.2-1.mga9
lib(64)audit-devel-3.1.2-1.mga9
lib(64)auparse0-3.1.2-1.mga9
lib(64)auparse-devel-3.1.2-1.mga9
python3-audit-3.1.2-1.mga9

from SRPM:
audit-3.1.2-1.mga9.src.rpm

CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Depends on: 32813 => (none)
Blocks: (none) => 32813
Mageia9, x86_64

$ sudo auditctl -v
Error - audit support not in kernel
Cannot open netlink audit socket

Same before and after update with kernel 6.6.14-desktop-2.mga9.

Afterwards:
$ rpm -q audit
audit-3.1.2-1.mga9
$ sudo systemctl start auditd
$ sudo systemctl status auditd
○ auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Sat 2024-02-17 15:53:25 GMT; 22s ago
             └─ ConditionKernelCommandLine=!audit=0 was not met
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation

Feb 17 15:36:28 yildun systemd[1]: auditd.service was skipped because of an unmet condition check (ConditionKernelCommandLine=!audit=0).
CC: (none) => tarazed25
# auditctl -e 1
Error - audit support not in kernel
Cannot open netlink audit socket

CC: (none) => marja11
URL: https://github.com/linux-audit/audit-userspace/releases => https://github.com/linux-audit/audit-userspace/releases https://forums.mageia.org/en/viewtopic.php?t=15175
Keywords: (none) => advisory, feedback
CC: (none) => ghibomgx
Giuseppe did kernel 6.6 have audit support?

(In reply to Len Lawrence from comment #3)
> # auditctl -e 1
> Error - audit support not in kernel
> Cannot open netlink audit socket

(In reply to katnatek from comment #4)
> Giuseppe did kernel 6.6 have audit support?
> (In reply to Len Lawrence from comment #3)
> > # auditctl -e 1
> > Error - audit support not in kernel
> > Cannot open netlink audit socket

I guess yes

zgrep AUD /boot/config-6.6.14-desktop-2.mga9
CONFIG_AUDIT=y

zgrep AUDIT /boot/config-6.6.14-desktop-2.mga9
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_ARCH=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_DM_AUDIT=y
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_INTEGRITY_AUDIT=y

From archwiki https://wiki.archlinux.org/title/Audit_framework

Audit can be enabled at boot-time by setting audit=1

I reboot and test again

something is broken

cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.6.14-desktop-2.mga9 root=UUID=a0cc43c0-b94e-44c7-8ca9-0a69cb6f7053 ro splash quiet noiswmd resume=UUID=ac50cb2a-7731-479b-94f1-e90cc4f90106 audit=0 vga=791 audit=1

systemctl start auditd
systemctl status auditd
○ auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Sat 2024-02-17 20:29:09 CST; 4s ago
             └─ ConditionKernelCommandLine=!audit=0 was not met
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation

feb 17 20:29:09 phoenix systemd[1]: auditd.service was skipped because of an unmet condition check (ConditionKernelCommandLine=!audit>

Not broken, just too strict

cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.6.14-desktop-2.mga9 root=UUID=a0cc43c0-b94e-44c7-8ca9-0a69cb6f7053 ro splash quiet noiswmd resume=UUID=ac50cb2a-7731-479b-94f1-e90cc4f90106 audit=1 vga=791

systemctl status auditd
○ auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; preset: enabled)
     Active: inactive (dead)
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation

auditctl -v
auditctl version 3.1.2

Just take care to change audit=0 to audit=1 in the kernel options https://wiki.mageia.org/en/How_to_set_up_kernel_options because adding audit=1 at the end does not work
CC: ghibomgx => (none)
Keywords: feedback => (none)
systemctl start auditd
systemctl status auditd
● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; preset: enabled)
     Active: active (running) since Sat 2024-02-17 20:44:16 CST; 3s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 49629 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 49633 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
   Main PID: 49630 (auditd)
      Tasks: 2 (limit: 11728)
     Memory: 1.3M
        CPU: 51ms
     CGroup: /system.slice/auditd.service
             └─49630 /sbin/auditd

feb 17 20:44:16 phoenix systemd[1]: Starting auditd.service...
feb 17 20:44:16 phoenix auditd[49630]: No plugins found, not dispatching events
feb 17 20:44:16 phoenix auditd[49630]: Init complete, auditd 3.1.2 listening for events (startup state enable)
feb 17 20:44:16 phoenix systemd[1]: Started auditd.service.
audit needs to be explicitly enabled by audit=1.

Check also in /proc/cmdline you don't have already audit=0 and if case revert to audit=1 if you want audit (it's not said that such options are addictive, so that the latest audit=1 cancels a previous audit=0).

BTW, there is also audit-4.0 out which is the latest release, maybe worthwhile to upgrade (maybe before in cauldron, since audit-4.0 requires several changes to the SPEC file other than bumping the version number).
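
The /proc/cmdline check described in the comments above, as an added example that is not part of the original report or of the audit project: a POSIX shell sketch that classifies a kernel command line against auditd.service's ConditionKernelCommandLine=!audit=0 check, where, as observed in this report, any audit=0 token blocks the unit even when audit=1 follows it. The function names and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a kernel command line
# against auditd.service's ConditionKernelCommandLine=!audit=0 check.
# Function names and sample command lines are constructed.

# Print every audit=<value> token, one per line, in command-line order.
audit_tokens() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | grep -E '^audit=' || true
}

# Print one of:
#   blocked  an audit=0 token exists, so systemd skips auditd.service
#            (even when audit=1 also appears, as seen in this report)
#   enabled  audit=1 present and no audit=0
#   unset    no audit= token at all
#   other    some other audit= value
audit_cmdline_state() {
    tokens=$(audit_tokens "$1")
    if [ -z "$tokens" ]; then
        echo unset
    elif printf '%s\n' "$tokens" | grep -qx 'audit=0'; then
        echo blocked
    elif printf '%s\n' "$tokens" | grep -qx 'audit=1'; then
        echo enabled
    else
        echo other
    fi
}

# Constructed samples modelled on the command lines quoted in the comments.
for sample in \
    'ro splash quiet audit=0 vga=791 audit=1' \
    'ro splash quiet audit=1 vga=791' \
    'ro splash quiet vga=791'
do
    printf '%-8s %s\n' "$(audit_cmdline_state "$sample")" "$sample"
done

# Report on the running system when /proc/cmdline is readable.
if [ -r /proc/cmdline ]; then
    printf 'this host: %s\n' "$(audit_cmdline_state "$(cat /proc/cmdline)")"
fi
```

A result of "blocked" means the audit=0 entry has to be edited out of the bootloader's kernel options; appending audit=1 does not satisfy the unit's condition.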
(In reply to Giuseppe Ghibò from comment #11)
> audit needs to be explicitly enabled by audit=1.
>
> Check also in /proc/cmdline you don't have already audit=0 and if case
> revert to audit=1 if you want audit (it's not said that such options are
> addictive, so that the latest audit=1 cancels a previous audit=0).

s/addictive/additive/

Now after overriding the default at boot time auditd is running.

# auditctl -e 1
enabled 1
failure 1
pid 911
rate_limit 0
backlog_limit 64
lost 20
backlog 4
backlog_wait_time 60000
backlog_wait_time_actual 0

Can we leave this at this point or is there anything else we can do?
We have demonstrated that the 6.6 kernel supports audit.

Checked the 6.5.13 desktop kernel. Modified boot command.
Started auditd service OK.

$ sudo auditctl -v
auditctl version 3.1.2
# auditctl -e 1
enabled 1
failure 1
pid 165715
rate_limit 0
backlog_limit 64
lost 722
backlog 4
backlog_wait_time 60000
backlog_wait_time_actual 0

(In reply to Len Lawrence from comment #13)
> Now after overriding the default at boot time auditd is running.
>
> # auditctl -e 1
> enabled 1
> failure 1
> pid 911
> rate_limit 0
> backlog_limit 64
> lost 20
> backlog 4
> backlog_wait_time 60000
> backlog_wait_time_actual 0
>
> Can we leave this at this point or is there anything else we can do?
> We have demonstrated that the 6.6 kernel supports audit.

I agree, Giuseppe or someone else can open a report about new version of audit

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2024-0058.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED