
auditctl prevents auditd from starting as a service

The short version: auditctl fails to start at boot, which blocks auditd from starting.

I'd like to say the logs were super helpful, but I doubt this helps anyone else more than it helped me.

Code:
$ sudo cat /run/uncaught-logs/current
@4000000066cc9bf016f91656 s6-rc: warning: unable to start service auditctl: command exited 1

Both work fine when started from the CLI ("No rules" is the expected output for auditctl, not a misconfiguration).

Code:
$ sudo auditctl -R /etc/audit/audit.rules
No rules

Code:
$ sudo auditd -n -f
Config file /etc/audit/auditd.conf opened for parsing
local_events_parser called with: yes
write_logs_parser called with: yes
log_file_parser called with: /var/log/audit/audit.log
...

The services fail regardless of whether it's at boot or manually attempted later. I'm not sure about this one; maybe someone else has run into it?

Re: auditctl prevents auditd from starting as a service

Reply #1
I generated audit.rules using augenrules and ran the service, which worked fine for me. The only real difference I noticed is that this command:
Code:
sudo auditctl -R /etc/audit/audit.rules
returns no output for me. My audit.rules file is blank and auditctl -l lists no rules as expected.


Re: auditctl prevents auditd from starting as a service

Reply #2
I should have provided more information. Sorry, but at this point I don't think it's your bug anyway - Arch Issue

My system uses augenrules to compile the files in /etc/audit/rules.d into /etc/audit/audit.rules, so I have that file populated at boot when it is triggered. I did have to modify the service file to accommodate that, which worked great until recently.

Tonight I was also playing around and ran aureport, which indicated logging stopped the morning of 8/20. Pacman logs show auditd was updated to 4.0.2 the night before, of course. There was an issue filed with auditd too; however, they closed it as distro-specific.

Edit: downgrading audit to 4.0.1-3 fixed it. Thanks for your help; I'll mark this solved since it's upstream.
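Added example, not the poster's service file and not augenrules itself: a POSIX sh sketch of the compile-then-load step Reply #2 describes (merge /etc/audit/rules.d/*.rules into one audit.rules, then hand it to auditctl -R), with the one check this thread turns on: an empty rule set is treated as success rather than as a service failure that blocks auditd. The rules.d tree it builds is constructed sample data, the merge is a simplified version of what augenrules does, and the AUDITCTL override and the dry-run stub are assumptions made so it can run without root.

```sh
#!/bin/sh
# Added example (not augenrules, not the Artix/Arch auditctl service script).
# Assumptions: rules.d files are merged in sorted filename order with comments
# and blank lines dropped (the real augenrules also special-cases control
# options such as -D, -b and -e); AUDITCTL names the loader command so a stub
# can stand in for auditctl when not running as root.

# merge_rules RULES_DIR OUT_FILE
# Writes the merged rule set to OUT_FILE and prints how many rule lines survived.
merge_rules() {
    rules_dir=$1
    out_file=$2
    count=0
    : > "$out_file"
    for f in "$rules_dir"/*.rules; do        # glob expands in sorted order
        [ -f "$f" ] || continue              # no *.rules files at all
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|'#'*) continue ;;         # blank line or comment
            esac
            printf '%s\n' "$line" >> "$out_file"
            count=$((count + 1))
        done < "$f"
    done
    echo "$count"
}

# load_rules RULES_DIR OUT_FILE
# What a service "up" step could do: merge, then call auditctl -R only when
# there is something to load. An empty set ("No rules") is not an error here,
# so it cannot take auditd down with it under s6-rc's dependency handling.
load_rules() {
    n=$(merge_rules "$1" "$2") || return 1
    if [ "$n" -eq 0 ]; then
        echo "No rules to load; treating as success"
        return 0
    fi
    "${AUDITCTL:-auditctl}" -R "$2"
}

# make_sample_rules_dir DIR
# Constructed sample rules.d tree (not taken from the thread).
make_sample_rules_dir() {
    mkdir -p "$1"
    cat > "$1/10-base.rules" <<'EOF'
## constructed sample: clear existing rules, set the backlog
-D
-b 8192
EOF
    cat > "$1/30-sudoers.rules" <<'EOF'
# constructed sample: watch sudoers edits
-w /etc/sudoers -p wa -k sudoers
EOF
    cat > "$1/99-empty.rules" <<'EOF'
# constructed sample: a file that contributes no rules at all
EOF
}

# Stand-alone run: merge the constructed tree and show what would be loaded.
# Set AUDITCTL=auditctl (as root, with the audit subsystem up) to really load it.
dry_run_auditctl() { echo "dry run: auditctl $*"; }
AUDITCTL=${AUDITCTL:-dry_run_auditctl}
demo_dir=$(mktemp -d)
make_sample_rules_dir "$demo_dir/rules.d"
load_rules "$demo_dir/rules.d" "$demo_dir/audit.rules"
cat "$demo_dir/audit.rules"
rm -rf "$demo_dir"
```

Run by hand it prints the merged three-line rule set and the dry-run line; pointing it at a directory whose files hold only comments prints "No rules to load" and exits 0, which is the behaviour a service manager needs if it is going to keep auditd's dependency on auditctl.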