auditd fails to add rules when used in precise with -lts-quantal kernel
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
audit (Ubuntu) | Fix Released | High | Tyler Hicks |
Precise | Won't Fix | Undecided | Tyler Hicks |
linux (Ubuntu) | Invalid | High | Unassigned |
Precise | Invalid | Undecided | Unassigned |
Bug Description
auditctl fails to add rules when run with the -lts-quantal kernel
Example:
# auditctl -l
No rules
# auditctl -a entry,always -F arch=b64 -S execve -k exec
Error sending add rule data request (Invalid argument)
#
Looks like the syscall table needs updating; it works with the 3.2.0 kernel.
Tagging this as a security vulnerability because it fails fairly quietly and may lead to high-security systems not having required auditing (like PCI compliant systems). I only noticed by looking in /var/log/boot.log.
Description: Ubuntu 12.04.2 LTS
Release: 12.04
ii auditd 1.7.18-1ubuntu1 User space tools for security auditing
ii linux-image-
information type: Private Security → Public
tags: added: kernel-da-key
Changed in linux (Ubuntu):
importance: Undecided → High
Changed in audit (Ubuntu):
status: Triaged → In Progress
Changed in linux (Ubuntu Precise):
status: New → Invalid
Changed in audit (Ubuntu Precise):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in audit (Ubuntu):
status: In Progress → Fix Released
As far as I can see, the update of Precise to 12.04.3, which installs the lts-raring kernel by default, breaks auditd. I can no longer specify any audit rules that reference syscalls.
That makes the inclusion of the audit packages in Precise pretty pointless...
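The report says the failure is quiet and was only noticed in /var/log/boot.log. As an added example (not part of the original report or of the audit package), the shell script below compares the rule keys configured in a rules file with the keys present in captured `auditctl -l` output and prints the ones that never reached the kernel. The function names, the sample rules and the sample listings are constructed for illustration, and the listing format differs between auditctl versions.

```shell
#!/bin/sh
# Added example: list audit rule keys that are configured but not loaded.

# rule_keys: read a rules file or `auditctl -l` output on stdin and print
# each rule key once (accepts both the "-k KEY" and "key=KEY" spellings).
rule_keys() {
    sed 's/#.*//' | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "-k" && i < NF) print $(i + 1)
            else if ($i ~ /^key=/) print substr($i, 5)
        }
    }' | sort -u
}

# missing_keys RULES_FILE LISTING_FILE: print keys that the rules file
# configures but that are absent from the captured listing.
missing_keys() {
    loaded=$(rule_keys < "$2")
    rule_keys < "$1" | while IFS= read -r key; do
        printf '%s\n' "$loaded" | grep -Fxq -- "$key" || printf '%s\n' "$key"
    done
}

# write_samples DIR: constructed sample data, one rules file and two listings
# (one as in the report where nothing loaded, one where every rule loaded).
write_samples() {
    printf '%s\n' '# constructed sample rules' \
        '-a entry,always -F arch=b64 -S execve -k exec' \
        '-w /etc/passwd -p wa -k identity' > "$1/audit.rules"
    printf 'No rules\n' > "$1/listing_failed.txt"
    printf '%s\n' \
        '-a always,exit -F arch=b64 -S execve -F key=exec' \
        '-w /etc/passwd -p wa -k identity' > "$1/listing_ok.txt"
}

# Demo on the constructed samples. On a live host, capture `auditctl -l`
# as root into a file and pass your own rules file instead.
dir=$(mktemp -d)
write_samples "$dir"
echo "failed load, missing keys: $(missing_keys "$dir/audit.rules" "$dir/listing_failed.txt" | tr '\n' ',')"
echo "good load, missing keys:   $(missing_keys "$dir/audit.rules" "$dir/listing_ok.txt" | tr '\n' ',')"
rm -rf "$dir"
```

Run after boot or after any kernel change, a non-empty result means the host is running without some of its configured audit rules and can be turned into an alert.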