auditd fails to add rules when used in precise with -lts-quantal kernel

As far as I can see, the update of Precise to 12.04.3 which installs the lts-raring kernel by default breaks auditd. I can no-longer specify any audit rules that reference syscalls.

That makes the inclusion of the audit packages in Precise pretty pointless...

Can you see if this bug also affects the Saucy backport kernel, which will be used in 12.04.4? The .deb is available from:

http://launchpadlibrarian.net/158291468/linux-generic-lts-saucy_3.11.0.15.14_amd64.deb

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1158500

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Still present with 3.11.0.15.14.
(leaving out the apport-collect, sorry)

# dpkg -l linux-image-generic-lts-saucy
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-=================================-=================================-==================================================================================
ii linux-image-generic-lts-saucy 3.11.0.15.14 Generic Linux kernel image
# uname -a
Linux alum 3.11.0-15-generic #23~precise1-Ubuntu SMP Tue Dec 10 16:39:48 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
# auditctl -l
No rules
# auditctl -a entry,always -F arch=b64 -S execve -k exec
Error sending add rule data request (Invalid argument)

Status changed to 'Confirmed' because the bug affects multiple users.

I built Saucy's audit package for Precise and ran it under the -lts-saucy kernel. When running the auditctl command in the bug description, it emitted the following warning:

  Warning - entry rules deprecated, changing to exit rule

Starting with kernel version 3.3, the audit kernel code refuses entry,always rules. Starting with audit version 2.0, auditctl converts entry,always rules to exit,always rules.

The fix seems to be to backport upstream audit commits 300, 301, and 307 to Precise's audit package to make auditctl convert entry,always rules to exit,always.

Marking the kernel task as invalid, since this is an auditctl bug.

Just noticed, that [1] is most likely a duplicate of this.

[1] https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1317188

hello,

Any news on this? It's when you really need it that you realize auditd no longer works for some time already.

More than annoying I find this bug quite critical given it renders auditd almost useless.

I'm no developper, but is the change difficult to backport? What are we missing? time/man power?

Help greatly appreciated,

Thanks.

We really need to have auditd working !

"More than annoying I find this bug quite critical given it renders auditd almost useless." => so true, it's quite amazing for a LTS/stable branch...

Please do something :-)

We are being impacted too.
Running ubuntu 12.04 with auditd 1.7.18-1ubuntu1

any news ?

Am I missing something or the current workaround is to use exit,always rules?

Status changed to 'Confirmed' because the bug affects multiple users.

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release