Error audit support not in kernel


I am getting the following error while trying to start the auditd service:

auditctl[2144]:Error - audit support not in kernel
auditctl[2144]:Cannot open netlink audit socket
auditctl[2144]:Started Security Auditing Service.
systemd[1]:auditd.service: main process exited, code=exited, status=1/FAILURE
systemd[1]:Unit auditd.service entered failed state.

What is the kernel config file/module for auditctl tool? I am not allowed to upgrade kernel.

Rui F Ribeiro

asked Mar 20, 2019 at 10:22

fox18

This means that CONFIG_AUDIT is not set on your Kernel, and that is a task you will not achieve without changing your kernel or at least editing some boot parameters.

You will need to:

  • Download a kernel that has audit enabled from your distribution provider, or compile your kernel with CONFIG_AUDIT enabled if your distribution does not provide such a kernel
  • If your kernel is compiled with CONFIG_AUDIT enabled (see below), add the kernel parameter audit=1 — See GRUB Quiet Splash. This is the file you need to edit.
    • Note that this was just an example. If you are using another bootloader that isn’t GRUB, you will need to research in its docs how to add kernel options to your default kernel entry or to all of them. As an example, systemd-boot has the options= parameter for this task, which enables it for an entry.

How can you check if your current kernel has this feature enabled:

On Red Hat and Debian based distributions, typically inside /boot there is a config file called config, with the uname -r (kernel release) appended. Example:

[root@host ~]# grep CONFIG_AUDIT /boot/config-`uname -r`
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y

On distributions compiled with the CONFIG_IKCONFIG option, you can get a compressed version of the current config file inside your /proc virtual directory structure by loading the configs kernel module. Example:

[root@host ~]# modprobe configs ; gunzip -dc /proc/config.gz | grep AUDIT
# CONFIG_AUDIT is not set
# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set

answered Mar 20, 2019 at 10:37
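The two checks the answer describes (CONFIG_AUDIT in the kernel config, audit= on the kernel command line) as shell functions, written as an added example; this is not code from the answer or from any post on this page. The functions take their input as arguments so they can be run against the live system or, as in the demo at the bottom, against constructed sample files; the function names and the verdict wording are this example's own.

```shell
#!/bin/sh
# Added example, not code from the answer or from any of the posts on this
# page: check CONFIG_AUDIT in a kernel config file and audit= on a kernel
# command line, then combine both into one verdict.

# Print "enabled", "disabled" or "unknown" for CONFIG_AUDIT in the kernel
# config file $1: a plain file such as /boot/config-$(uname -r) or a gzip
# file such as /proc/config.gz (present after "modprobe configs" on kernels
# built with CONFIG_IKCONFIG_PROC).
audit_config_state() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo unknown
        return 0
    fi
    case "$cfg" in
        *.gz) reader='gunzip -dc' ;;
        *)    reader='cat' ;;
    esac
    # Whole-line match: CONFIG_AUDIT_ARCH=y or CONFIG_AUDITSYSCALL=y must not
    # be mistaken for CONFIG_AUDIT=y (the grep in the answer prints them too).
    if $reader "$cfg" | grep -qx 'CONFIG_AUDIT=y'; then
        echo enabled
    elif $reader "$cfg" | grep -qx '# CONFIG_AUDIT is not set'; then
        echo disabled
    else
        echo unknown
    fi
}

# Print the value of the audit= parameter in the kernel command line $1
# (the contents of /proc/cmdline), or "absent" when it is not given.
cmdline_audit_flag() {
    result=absent
    set -f                      # no globbing while splitting $1 on whitespace
    for tok in $1; do
        case "$tok" in
            audit=*) result="${tok#audit=}" ;;   # last occurrence wins
        esac
    done
    set +f
    echo "$result"
}

# Turn both results ($1 = config state, $2 = audit= value) into one line.
audit_verdict() {
    case "$1:$2" in
        disabled:*) echo "kernel built without CONFIG_AUDIT: adding audit=1 on the command line cannot enable it; a kernel with CONFIG_AUDIT=y is required" ;;
        enabled:0)  echo "CONFIG_AUDIT=y, but audit=0 on the command line turns auditing off for this boot" ;;
        enabled:*)  echo "CONFIG_AUDIT=y and not turned off on the command line; the audit netlink socket should be available" ;;
        *)          echo "no readable kernel config found; try: modprobe configs && gunzip -dc /proc/config.gz | grep CONFIG_AUDIT" ;;
    esac
}

# Check the running kernel (modprobe and /boot usually need root).
check_running_kernel() {
    cfg="/boot/config-$(uname -r)"
    if [ ! -r "$cfg" ]; then
        [ -r /proc/config.gz ] || modprobe configs 2>/dev/null
        cfg=/proc/config.gz
    fi
    state=$(audit_config_state "$cfg")
    flag=$(cmdline_audit_flag "$(cat /proc/cmdline)")
    echo "config=$cfg CONFIG_AUDIT=$state cmdline audit=$flag"
    audit_verdict "$state" "$flag"
}

# Demonstration on constructed sample inputs (not output from a real system).
demo() {
    t=$(mktemp)
    printf '%s\n' 'CONFIG_AUDIT_ARCH=y' '# CONFIG_AUDIT is not set' > "$t"
    audit_verdict "$(audit_config_state "$t")" "$(cmdline_audit_flag 'quiet audit=1')"
    printf '%s\n' 'CONFIG_AUDIT=y' 'CONFIG_AUDITSYSCALL=y' > "$t"
    audit_verdict "$(audit_config_state "$t")" "$(cmdline_audit_flag 'root=/dev/sda1 rw quiet')"
    rm -f "$t"
}

if [ "${1:-}" = "--live" ]; then check_running_kernel; else demo; fi
```

Run it with `--live` to inspect the running kernel; without arguments it prints the verdict for the two constructed cases, the first of which is the situation in the question: audit=1 on the command line, but no CONFIG_AUDIT in the build.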

5

I want to use audit framework on my latest arch linux, but running sudo auditctl -w /home/ in console gives me

Error - audit support not in kernel
Cannot open netlink audit socket

Of course I tried to enable audit via the kernel boot params by setting the audit flag: GRUB_CMDLINE_LINUX_DEFAULT="quiet audit=1", but nothing changes after reboot, still the same error.

Does anybody know how to fix it?

asked Feb 24, 2015 at 14:35

sandric

7

Recompile a kernel using ABS to get audit support.
You will need to add CONFIG_AUDIT=y in the config file before makepkg -s.

P.S. Compilation might take very long.

answered Apr 22, 2015 at 2:40

user205614

2

#1 2015-02-24 15:18:14

sandric
Member
From: Ukraine, Dnipropetrovsk
Registered: 2011-03-22
Posts: 15

how to enable audit framework (having 3.18.2 kernel)?

Hi, I really want to use auditctl to log my filesystem events like inotify does, but with the PID of the modifier, but somehow I cannot. I followed the audit framework Arch wiki article, installed and enabled it, and also added the audit boot param to the kernel; here’s my /etc/default/grub line with it:

GRUB_CMDLINE_LINUX_DEFAULT="quiet audit=1"

, and here’s my

output:

BOOT_IMAGE=/boot/vmlinuz-linux root=UUID=59c7ed3d-5c1a-464e-8da0-6bcf76bc19d2 rw quiet audit=1

But with this done, when I run

, or even

I get

Error - audit support not in kernel
Cannot open netlink audit socket

Does anybody know how to fix this?
thx.

#3 2015-02-24 19:45:07

sandric
Member
From: Ukraine, Dnipropetrovsk
Registered: 2011-03-22
Posts: 15

Re: how to enable audit framework (having 3.18.2 kernel)?

Sorry, I am not really familiar with kernel compilation. Can I pass this CONFIG_AUDIT=y via boot params in the grub config, or should I really recompile the kernel? Via ABS? (this is a newbie section, right? ;-))

#4 2015-02-24 19:53:07

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: how to enable audit framework (having 3.18.2 kernel)?

#5 2015-02-25 18:46:38

sandric
Member
From: Ukraine, Dnipropetrovsk
Registered: 2011-03-22
Posts: 15

Re: how to enable audit framework (having 3.18.2 kernel)?

OK, I recompiled the kernel, just as you suggested, and it works now. But soooo slow(..

Hi guys,

I’m posting here with the hope I can get some help on an issue that is happening in (possibly) all our CentOS7 instances.
One of the procedures/policies in the company is to have the system updated according to the latest packages released by CentOS.
After the last update (clamav, java and kernel were updated) we noticed that, after rebooting some of the instances, we were no longer able to sudo into a different user, getting the following message:


[jays@jays-tst ~]$ sudo su - jayb
[sudo] password for jays:
Last login: Mon Jul 30 12:02:27 EDT 2018 on pts/0
su: cannot open session: Cannot make/remove an entry for the specified session

I can run sudo but I can’t sudo to any user.
By checking the journalctl:


[jays@jays-tst ~]$ sudo journalctl -xe
Jul 31 06:35:26 jays-tst sudo[7620]: jays : TTY=pts/0 ; PWD=/home/jays ; USER=root ; COMMAND=/bin/su - jayb
Jul 31 06:35:26 jays-tst su[7624]: (to jayb) jays on pts/0
Jul 31 06:35:26 jays-tst su[7624]: pam_tty_audit(su-l:session): error reading current audit status: Protocol not supported
Jul 31 06:35:26 jays-tst su[7624]: pam_unix(su-l:session): session opened for user jayb by jays(uid=0)
Jul 31 06:35:30 jays-tst sudo[7700]: jays : TTY=pts/0 ; PWD=/home/jays ; USER=root ; COMMAND=/bin/journalctl -xe

While trying to figure out what was happening, we noticed that some services started to fail on startup:


[jays@jays-tst ~]$ systemctl --failed
UNIT                                LOAD   ACTIVE SUB    DESCRIPTION
● auditd.service                    loaded failed failed Security Auditing Service
● NetworkManager-wait-online.service loaded failed failed Network Manager Wait Online
● rc-local.service                  loaded failed failed /etc/rc.d/rc.local Compatibility

Some of our findings:


[jays@jays-tst ~]$ sudo systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2018-07-30 11:42:23 EDT; 17min ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 729 ExecStart=/sbin/auditd (code=exited, status=1/FAILURE)

Jul 30 11:42:23 jays-tst systemd[1]: Starting Security Auditing Service…
Jul 30 11:42:23 jays-tst auditd[778]: Error - audit support not in kernel
Jul 30 11:42:23 jays-tst auditd[778]: Cannot open netlink audit socket
Jul 30 11:42:23 jays-tst auditd[778]: The audit daemon is exiting.
Jul 30 11:42:23 jays-tst systemd[1]: auditd.service: control process exited, code=exited status=1
Jul 30 11:42:23 jays-tst systemd[1]: Failed to start Security Auditing Service.
Jul 30 11:42:23 jays-tst systemd[1]: Unit auditd.service entered failed state.
Jul 30 11:42:23 jays-tst systemd[1]: auditd.service failed.


[jays@jays-tst ~]$ sudo less /var/log/messages
Jul 30 11:19:22 jays-tst auditd[720]: Error - audit support not in kernel
Jul 30 11:19:22 jays-tst auditd[720]: Cannot open netlink audit socket
Jul 30 11:19:22 jays-tst auditd[720]: The audit daemon is exiting.
Jul 30 11:19:22 jays-tst auditd: Cannot daemonize (Success)
Jul 30 11:19:22 jays-tst auditd: The audit daemon is exiting.
Jul 30 11:19:22 jays-tst systemd: auditd.service: control process exited, code=exited status=1
Jul 30 11:19:22 jays-tst systemd: Failed to start Security Auditing Service.
Jul 30 11:19:22 jays-tst systemd: Unit auditd.service entered failed state.
Jul 30 11:19:22 jays-tst systemd: auditd.service failed


[jays@jays-tst ~]$ sudo su - jayb
Last login: Mon Jul 30 12:04:43 EDT 2018 on pts/0
su: cannot open session: Cannot make/remove an entry for the specified session
[jays@jays-tst ~]$ sudo less /var/log/secure
Jul 30 12:02:27 jays-tst sudo: jays : TTY=pts/0 ; PWD=/home/jays ; USER=root ; COMMAND=/bin/su - jayb
Jul 30 12:02:27 jays-tst su: pam_tty_audit(su-l:session): error reading current audit status: Protocol not supported
Jul 30 12:02:27 jays-tst su: pam_unix(su-l:session): session opened for user jayb by jays(uid=0)

We tried to roll back the updated packages, but, still, the issue persists.

Affected packages:


[jays@jays-tst ~]$ sudo yum history info 88
Loaded plugins: fastestmirror
Transaction ID : 88
Begin time : Thu Jul 26 04:32:19 2018
Begin rpmdb : 596:d58235e358eedc190ea427e2b5a91ee27b52b023
End time : 04:35:34 2018 (195 seconds)
End rpmdb : 596:999ca89b0584dc699e31a6a2339b3fb930dc6de7
User : <jays>
Return-Code : Success
Command Line : update
Transaction performed with:
Installed rpm-4.11.3-32.el7.x86_64 @base
Installed yum-3.4.3-158.el7.centos.noarch @base
Installed yum-metadata-parser-1.1.4-10.el7.x86_64 @anaconda
Installed yum-plugin-fastestmirror-1.1.31-45.el7.noarch @base
Packages Altered:
Updated clamav-0.100.0-2.el7.x86_64 > @epel
Update 0.100.1-1.el7.x86_64 > @epel
Updated clamav-data-0.100.0-2.el7.noarch > @epel
Update 0.100.1-1.el7.noarch > @epel
Updated clamav-filesystem-0.100.0-2.el7.noarch > @epel
Update 0.100.1-1.el7.noarch > @epel
Updated clamav-lib-0.100.0-2.el7.x86_64 > @epel
Update 0.100.1-1.el7.x86_64 > @epel
Updated clamav-update-0.100.0-2.el7.x86_64 > @epel
Update 0.100.1-1.el7.x86_64 > @epel
Updated clamd-0.100.0-2.el7.x86_64 > @epel
Update 0.100.1-1.el7.x86_64 > @epel
Updated java-1.8.0-openjdk-1:1.8.0.171-8.b10.el7_5.x86_64 > @updates
Update 1:1.8.0.181-3.b13.el7_5.x86_64 > @updates
Updated java-1.8.0-openjdk-accessibility-1:1.8.0.171-8.b10.el7_5.x86_64 @updates
Update 1:1.8.0.181-3.b13.el7_5.x86_64 @updates
Updated java-1.8.0-openjdk-accessibility-debug-1:1.8.0.171-8.b10.el7_5.x86_64 @updates
Update 1:1.8.0.181-3.b13.el7_5.x86_64 @updates
Updated java-1.8.0-openjdk-debug-1:1.8.0.171-8.b10.el7_5.x86_64 > @updates
Update 1:1.8.0.181-3.b13.el7_5.x86_64 > @updates
Updated java-1.8.0-openjdk-demo-1:1.8.0.171-8.b10.el7_5.x86_64 > @updates
Update 1:1.8.0.181-3.b13.el7_5.x86_64 > @updates
Updated java-1.8.0-openjdk-demo-debug-1:1.8.0.171-8.b10.el7_5.x86_64 @updates
Update 1:1.8.0.181-3.b13.el7_5.x86_64 @updates
Updated java-1.8.0-openjdk-devel-1:1.8.0.171-8.b10.el7_5.x86_64 > @updates
Update 1:1.8.0.181-3.b13.el7_5.x86_64 > @updates
Updated java-1.8.0-openjdk-devel-debug-1:1.8.0.171-8.b10.el7_5.x86_64 @updates
Update 1:1.8.0.181-3.b13.el7_5.x86_64 @updates
Updated java-1.8.0-openjdk-headless-1:1.8.0.171-8.b10.el7_5.x86_64 @updates
Update 1:1.8.0.181-3.b13.el7_5.x86_64 @updates
Updated java-1.8.0-openjdk-headless-debug-1:1.8.0.171-8.b10.el7_5.x86_64 @updates
Update 1:1.8.0.181-3.b13.el7_5.x86_64 @updates
Updated java-1.8.0-openjdk-javadoc-1:1.8.0.171-8.b10.el7_5.noarch > @updates
Update 1:1.8.0.181-3.b13.el7_5.noarch > @updates
Updated java-1.8.0-openjdk-javadoc-debug-1:1.8.0.171-8.b10.el7_5.noarch @updates
Update 1:1.8.0.181-3.b13.el7_5.noarch @updates
Updated java-1.8.0-openjdk-javadoc-zip-1:1.8.0.171-8.b10.el7_5.noarch @updates
Update 1:1.8.0.181-3.b13.el7_5.noarch @updates
Updated java-1.8.0-openjdk-javadoc-zip-debug-1:1.8.0.171-8.b10.el7_5.noarch @updates
Update 1:1.8.0.181-3.b13.el7_5.noarch @updates
Updated java-1.8.0-openjdk-src-1:1.8.0.171-8.b10.el7_5.x86_64 > @updates
Update 1:1.8.0.181-3.b13.el7_5.x86_64 > @updates
Updated java-1.8.0-openjdk-src-debug-1:1.8.0.171-8.b10.el7_5.x86_64 @updates
Update 1:1.8.0.181-3.b13.el7_5.x86_64 @updates
Erase kernel-3.10.0-693.21.1.el7.x86_64 > @updates
Install kernel-3.10.0-862.9.1.el7.x86_64 > @updates
Updated kernel-abi-whitelists-3.10.0-862.6.3.el7.noarch > @updates
Update 3.10.0-862.9.1.el7.noarch > @updates
Erase kernel-debug-3.10.0-693.21.1.el7.x86_64 > @updates
Install kernel-debug-3.10.0-862.9.1.el7.x86_64 > @updates
Updated kernel-debug-devel-3.10.0-862.6.3.el7.x86_64 > @updates
Update 3.10.0-862.9.1.el7.x86_64 > @updates
Erase kernel-devel-3.10.0-693.21.1.el7.x86_64 > @updates
Install kernel-devel-3.10.0-862.9.1.el7.x86_64 > @updates
Updated kernel-headers-3.10.0-862.6.3.el7.x86_64 > @updates
Update 3.10.0-862.9.1.el7.x86_64 > @updates
Updated kernel-tools-3.10.0-862.6.3.el7.x86_64 > @updates
Update 3.10.0-862.9.1.el7.x86_64 > @updates
Updated kernel-tools-libs-3.10.0-862.6.3.el7.x86_64 > @updates
Update 3.10.0-862.9.1.el7.x86_64 > @updates
Updated kernel-tools-libs-devel-3.10.0-862.6.3.el7.x86_64 > @updates
Update 3.10.0-862.9.1.el7.x86_64 > @updates
Updated python-perf-3.10.0-862.6.3.el7.x86_64 > @updates
Update 3.10.0-862.9.1.el7.x86_64 > @updates

We already tried running a filesystem check, but, as per my understanding, all seems OK:


root@ttyS0:~# e2fsck /dev/sdb
e2fsck 1.42.13 (17-May-2015)
/dev/sdb: clean, 278372/3162112 files, 6167471/12632064 blocks
root@ttyS0:~#
root@ttyS0:~# e2fsck -f /dev/sdb
e2fsck 1.42.13 (17-May-2015)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/sdb: 278372/3162112 files (0.2% non-contiguous), 6167471/12632064 blocks
root@ttyS0:~#

After rebooting, we still have the very same issue. We can’t switch users either, and no auditing is being recorded.

By checking /etc/pam.d/su:


[jays@jays-tst ~]$ cat /etc/pam.d/su
#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		substack	system-auth
auth		include		postlogin
account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
account		include		system-auth
password	include		system-auth
session		include		system-auth
session		include		postlogin
session		optional	pam_xauth.so

If I comment out "session include system-auth" I am able to switch users, but the issue remains.

Any help would be deeply appreciated!

Regards,
Jay
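A triage filter for the two log signatures quoted in the post above (auditd failing to open the audit netlink socket, and pam_tty_audit failing in the su session stack), written as an added example; it is not code from the post or from CentOS. It reads syslog/journal lines on stdin and prints one line per distinct finding with its hit count, first timestamp and a suggested check. The finding ids and the hint wording are this example's own; the sample lines are the ones the post quotes.

```shell
#!/bin/sh
# Added example, not part of the original post: classify log lines by the
# audit-failure signatures quoted above and summarise distinct findings.

# Reads log lines on stdin; prints "<count>\t<first timestamp>\t<id>\t<hint>"
# for every finding seen at least once, in order of first appearance.
audit_failure_findings() {
    awk '
    function seen(id, hint,   ts) {
        ts = $1 " " $2 " " $3                     # syslog prefix "Jul 30 11:42:23"
        if (!(id in count)) { first[id] = ts; note[id] = hint; order[++n] = id }
        count[id]++
    }
    /audit support not in kernel/ || /Cannot open netlink audit socket/ {
        seen("kernel-audit-unavailable",
             "check CONFIG_AUDIT in the kernel config and the audit= boot parameter")
        next
    }
    /pam_tty_audit\(.*\): error reading current audit status/ {
        seen("pam-tty-audit-failing",
             "restore kernel audit support; removing the system-auth session include from /etc/pam.d/su drops every other session module too")
        next
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%d\t%s\t%s\t%s\n", count[order[i]], first[order[i]], order[i], note[order[i]]
    }'
}

# Sample input: the log lines quoted in the post above, reused here as test data.
SAMPLE_LOG='Jul 30 11:19:22 jays-tst auditd[720]: Error - audit support not in kernel
Jul 30 11:19:22 jays-tst auditd[720]: Cannot open netlink audit socket
Jul 30 11:19:22 jays-tst auditd[720]: The audit daemon is exiting.
Jul 30 11:42:23 jays-tst auditd[778]: Error - audit support not in kernel
Jul 30 11:42:23 jays-tst auditd[778]: Cannot open netlink audit socket
Jul 30 12:02:27 jays-tst su: pam_tty_audit(su-l:session): error reading current audit status: Protocol not supported
Jul 30 12:02:27 jays-tst su: pam_unix(su-l:session): session opened for user jayb by jays(uid=0)
Jul 31 06:35:26 jays-tst su[7624]: pam_tty_audit(su-l:session): error reading current audit status: Protocol not supported'

printf '%s\n' "$SAMPLE_LOG" | audit_failure_findings
```

On a live host the same function takes `journalctl --no-pager` or `/var/log/messages` on stdin; on the sample above it reports four hits for kernel-audit-unavailable and two for pam-tty-audit-failing, which is the dependency chain the post describes: pam_tty_audit fails because the audit socket is unavailable, and that is what breaks the su session.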
