FS#55171 - [linux-hardened] auditd.service refuse to start even with audit=1
Attached to Project:
Community Packages
Opened by Nicolas I. (IooNag) - Wednesday, 16 August 2017, 19:17 GMT
Last edited by Daniel Micay (thestinger) - Sunday, 08 October 2017, 16:40 GMT
Details
Description:
When using auditd.service with linux-hardened, it is not possible to start the service and "systemctl status auditd.service" reports:

    * auditd.service - Security Auditing Service
       Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: disabled)
       Active: inactive (dead) since Wed 2017-08-16 21:05:19 CEST; 1min 37s ago
    Condition: start condition failed at Wed 2017-08-16 21:06:56 CEST; 912ms ago
               └─ ConditionKernelCommandLine=!audit=0 was not met

Even though I have "audit=1" on my command line, "audit=0" is inserted into it, which makes systemd refuse to load auditd. I saw this in dmesg:

    [ 0.000000] Kernel command line: audit=0 initrd=\initramfs-linux-hardened.img root=UUID=cb329244-9a99-49d9-a6c9-58137e3e345b rw verbose cryptdevice=/dev/disk/by-uuid/15b4afae-4528-4916-b4d7-3602c88992e8:system security=selinux selinux=1 loglevel=6 kaslr intel_iommu=on audit=1
    [ 0.000000] audit: disabled (until reboot)
    [ 0.000000] DMAR: IOMMU enabled
    [ 0.000000] audit: enabled (after initialization)

This behavior is caused by using 'CONFIG_CMDLINE="audit=0"' in config.x86_64.

I found a workaround with a systemd unit overriding file /etc/systemd/system/auditd.service.d/override.conf containing "ConditionKernelCommandLine=" in a [Unit] section. This way, auditd starts correctly and I can use it normally.

As I do not know whether this issue is known by people who are working on making Arch Linux's default kernel use CONFIG_AUDIT=y, I report it here.

Additional info:
* package version(s): linux-hardened 4.12.7.a-1, audit 2.7.6-2

Steps to reproduce:
* pacman -S audit && systemctl start auditd.service
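The mismatch described in the report, as an added example that is not part of the original report or of systemd's code: the kernel processes every audit= word in order so the last one wins, while ConditionKernelCommandLine=!audit=0 fails if any word equals audit=0. The function names, the `--live` switch and the sample command line are constructed for illustration, and words are split on whitespace only (quoting is ignored).

```shell
#!/bin/sh
# Added example: compare the kernel's and systemd's reading of audit= words.
set -f  # disable globbing so command-line words are never expanded as patterns

# Kernel view: each audit= occurrence is handled in order, so the last one
# decides the final state (compare the two "audit:" lines in the dmesg output).
effective_audit() {
    result=unset
    for word in $1; do
        case $word in
            audit=*) result=${word#audit=} ;;
        esac
    done
    printf '%s\n' "$result"
}

# systemd view of ConditionKernelCommandLine=!audit=0: the condition is not met
# as soon as any word is exactly "audit=0", wherever it appears.
condition_met() {
    for word in $1; do
        [ "$word" = "audit=0" ] && return 1
    done
    return 0
}

# Report whether the two views agree for a given command line.
diagnose() {
    state=$(effective_audit "$1")
    if condition_met "$1"; then
        echo "ok: condition met, kernel audit=$state"
    elif [ "$state" != 0 ]; then
        echo "mismatch: kernel audit=$state but condition blocks auditd"
    else
        echo "blocked: audit disabled for kernel and condition alike"
    fi
}

# Constructed sample modelled on the report: built-in audit=0 first,
# user-supplied audit=1 last.
SAMPLE='audit=0 root=UUID=example rw security=selinux selinux=1 audit=1'

# With --live (hypothetical switch), inspect the running system instead.
if [ "${1:-}" = "--live" ]; then
    diagnose "$(cat /proc/cmdline)"
fi
```

A "mismatch" result is the case where the drop-in override from the report is needed, since the kernel has auditing enabled but the unit's start condition still fails.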
Closed by Daniel Micay (thestinger)
Sunday, 08 October 2017, 16:40 GMT
Reason for closing: Not a bug
Additional comments about closing: Having audit=0 on the kernel line is the intended approach for the time being and you'll just need to work around overly naive systemd support.
There doesn't appear to be interest from the Arch community in working on these areas so it's unlikely for there to be progress on SELinux, etc. in the near future.