auditd not doing anything

[barish]

I am not shure if this is board specific so I post it here and hope that you might be willing to try this on your board:

 

- I installed audit:

apt install auditd

 

- I set up a rule for a file audit should watch:

auditctl -w /boot/armbianEnv.txt -p wa

 

- I change or touch the file being watched:

touch /boot/armbianEnv.txt

 

- I have a look at the log of audit:

cat /var/log/audit/audit.log

 

And then ––– I see nothing... Any hints what's going wrong? My guess is that the kernel might be lacking the audit module?!

Edited June 28, 2022 by barish

[Werner]

I assume the auditd would notice lacking kernel module rather than doing nothing. Did you check dmesg, syslog or kern.log?

[barish]

Found this in /var/log/kern.log :

Jun 28 09:14:51 localhost kernel: [    0.026499] audit: initializing netlink subsys (disabled)
Jun 28 09:14:51 localhost kernel: [    0.026793] audit: type=2000 audit(0.024:1): state=initialized audit_enabled=0 res=1

 

And I tried auditd on another board of mine (Olinuxino micro) also running Buster, where it is working fine. So either it is a board topic or it's a stupid user topic... 😕

[Werner]

audit seems enabled in mvebu64 current: https://github.com/armbian/build/blob/master/config/kernel/linux-mvebu64-current.config

So hard to tell...

 

Edit: is SELINUX enabled? Seems like this or similar is necessary to make use of audit:#

Quote

Enable auditing infrastructure that can be used with another kernel subsystem, such as SELinux (which requires this for logging of avc messages output). System call auditing is included on architectures which support it.

 

[barish]

Thanks @Werner, as I understand it, audit is a component of SELinux, but can be activated standalone, too. I don't know how to troubleshoot this, all output (systemctl status auditd) is identical to a working auditd on other board, just the log file stays empty.

 

For the record, I am running Armbian 21.02.3 Espressobin Debian buster current, kernel is 5.10.21-mvebu64 .