
#1 2018-06-27 18:42:04

RickDeckard
Member
From: Acworth, Georgia, USA
Registered: 2016-02-19
Posts: 59

4.16.15-1 hardened, auditd 2.8.3-1, netlink "No buffer space available"

Hey, I've been having a problem for the past five days on one of my Arch boxes (a single core AMD V120) in which the auditd service refuses to start up citing netlink buffer space issues. I've checked Google and see solutions ranging from "increase the audit backlog" to "increase logging priority/enable rate limiting" and even "streamline your audit.rules file."

I've tried all of them and none work. My second Arch computer, a dual core Asus laptop which runs this very same combination of software listed here, is able to load what I am led to believe is the problem ruleset without any issues, and even paring my rules file down to six lines doesn't solve anything.

Below is what I have on the problem computer for rules:

-D
-b 32768
-f 1
-r 21000
-w /etc/sudoers -p rw -k escalation
-e 2

And here is the ruleset which hasn't given me any issues:

-D
-b 16384
-f 1
-w /etc/audit -p wa -k auditcfg
-w /etc/aide.conf -p wa -k aide
-w /etc/rkhunter.conf -p wa -k rkhunter
-w /etc/selinux -p wa -k selinuxcfg
-w /etc/libaudit.conf -p wa -k auditcfg
-w /etc/audisp -p wa -k auditcfg
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
-w /etc/cron.d -p wa -k cron
-w /etc/cron.daily -p wa -k cron
-w /etc/cron.hourly -p wa -k cron
-w /etc/cron.monthly -p wa -k cron
-w /etc/cron.weekly -p wa -k cron
-w /etc/modules-load.d -p wa -k modules
-w /etc/modprobe.d -p wa -k modules
-w /etc/passwd -p wa -k usercfg
-w /etc/group -p wa -k usercfg
-w /etc/shadow -p wa -k usercfg
-w /etc/gshadow -p wa -k usercfg
-w /var/spool/anacron -p wa -k cron
-w /var/spool/cron -p wa -k cron
-w /etc/iptables -p wa -k iptables
-w /etc/ssh/sshd_config -p wa -k sshd
-w /usr/bin/ssh -p x -k sshexec
-w /usr/bin/sshd -p x -k sshexec
-e 2

Lastly, here is the auditd config file:

local_events=yes
write_logs=yes
log_file=/var/log/audit/audit.log
log_group=root
log_format=RAW
flush=INCREMENTAL_ASYNC
freq=100
max_log_file=16
max_logs=4
priority_boost=5
disp_qos=lossy
dispatcher=/usr/bin/audispd
name_format=NONE
max_log_file_action=ROTATE
space_left=75
space_left_action=SYSLOG
verify_email=yes
action_mail_acct=root
admin_space_left=50
admin_space_left_action=SUSPEND
disk_full_action=SUSPEND
disk_error_action=SUSPEND
use_libwrap=yes
tcp_listen_queue=5
tcp_max_per_addr=1
tcp_client_max_idle=0
enable_krb5=no
krb5_principal=auditd
distribute_network=no

How can I get auditd working again? I've even tried enabling maximum performance in my laptop BIOS (just in case it was an issue of not being able to read fast enough) and checking my log partition space with a "df -h" -- it's nowhere near filling up any time soon.

Last edited by RickDeckard (2018-07-05 00:35:04)


#2 2018-07-03 18:15:05

RickDeckard
Member
From: Acworth, Georgia, USA
Registered: 2016-02-19
Posts: 59

Re: 4.16.15-1 hardened, auditd 2.8.3-1, netlink "No buffer space available"

After some time away from this problem I've decided to raise my backlog limit from the GRUB command line, =32768 didn't allow me to start the audit subsystem whereas =65536 does. I don't understand why such a huge jump is needed or for how long it'll help but all I know is that it's working again. I'll post back with any more problems, and the associated measures I take to fix them for anyone else who has this issue, if the situation changes.


#3 2018-07-05 00:23:50

RickDeckard
Member
From: Acworth, Georgia, USA
Registered: 2016-02-19
Posts: 59

Re: 4.16.15-1 hardened, auditd 2.8.3-1, netlink "No buffer space available"

It's back, a day later.

auditd[601]: Started dispatcher: /usr/bin/audispd pid: 603
auditd[601]: Error receiving audit netlink packet: No buffer space available
auditd[601]: Error setting audit daemon pid: No buffer space available

Is this just filling up space across reboots as soon as I allocate it? I'm so close to removing auditd and relying on other means for auditing. This is driving me insane.

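The three posts above turn on a handful of audit control settings (the `-b` backlog limit, `-f` failure mode, `-r` rate limit and `-e 2` lock-down in audit.rules) and on what the kernel actually reports about its queue. The script below is an added example, not code from this thread or from the audit project: it parses an audit.rules file and the `key value` lines that `auditctl -s` prints, then reports lost events, a backlog near its limit, a mismatch between the `-b` the rules request and the limit the kernel holds (for instance after setting `audit_backlog_limit=` on the kernel command line, as post #2 does), and the fact that `-e 2` makes the configuration immutable until reboot. The rules sample is the "problem" ruleset quoted in post #1; the status sample and its numbers are constructed for illustration.

```python
"""Parse an audit.rules file and `auditctl -s` output, then flag the settings
that matter when auditd reports "No buffer space available".
Added example, not from the thread; sample inputs are constructed."""
import re
import shlex

# Constructed sample: the "problem" ruleset quoted in the thread.
SAMPLE_RULES = """\
-D
-b 32768
-f 1
-r 21000
-w /etc/sudoers -p rw -k escalation
-e 2
"""

# Constructed sample of `auditctl -s` output (values invented for illustration).
SAMPLE_STATUS = """\
enabled 2
failure 1
pid 601
rate_limit 21000
backlog_limit 32768
lost 143
backlog 30000
"""


def parse_audit_rules(text):
    """Return the control settings and watch rules found in an audit.rules file."""
    cfg = {"delete_all": False, "backlog": None, "failure": None,
           "rate_limit": None, "enabled": None, "watches": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if argv[0] == "-D":            # delete all existing rules
            cfg["delete_all"] = True
        elif argv[0] == "-b":          # kernel backlog limit requested by the rules
            cfg["backlog"] = int(argv[1])
        elif argv[0] == "-f":          # failure mode: 0 silent, 1 printk, 2 panic
            cfg["failure"] = int(argv[1])
        elif argv[0] == "-r":          # rate limit in messages per second (0 = none)
            cfg["rate_limit"] = int(argv[1])
        elif argv[0] == "-e":          # 0 off, 1 on, 2 on and locked until reboot
            cfg["enabled"] = int(argv[1])
        elif argv[0] == "-w":          # file/directory watch with optional -p and -k
            watch = {"path": argv[1], "perms": "rwxa", "key": None}
            i = 2
            while i + 1 < len(argv):
                if argv[i] == "-p":
                    watch["perms"] = argv[i + 1]
                elif argv[i] == "-k":
                    watch["key"] = argv[i + 1]
                i += 2
            cfg["watches"].append(watch)
    return cfg


def parse_auditctl_status(text):
    """Parse the numeric `key value` lines printed by `auditctl -s` into a dict."""
    status = {}
    for m in re.finditer(r"^(\w+)\s+(-?\d+)\s*$", text, re.MULTILINE):
        status[m.group(1)] = int(m.group(2))
    return status


def check_backlog(rules, status, warn_ratio=0.8):
    """Return a list of findings about queue capacity and rule lock-down."""
    findings = []
    limit = status.get("backlog_limit")
    queued = status.get("backlog", 0)
    if status.get("lost", 0) > 0:
        findings.append(f"kernel reports {status['lost']} lost audit events")
    if limit and queued >= warn_ratio * limit:
        findings.append(f"backlog {queued} is at {queued * 100 // limit}% of limit {limit}")
    if rules["backlog"] is not None and limit is not None and rules["backlog"] != limit:
        findings.append(f"rules request -b {rules['backlog']} but kernel limit is {limit}")
    if rules["enabled"] == 2:
        findings.append("-e 2 makes the configuration immutable until reboot")
    return findings


if __name__ == "__main__":
    rules = parse_audit_rules(SAMPLE_RULES)
    status = parse_auditctl_status(SAMPLE_STATUS)
    for finding in check_backlog(rules, status):
        print("finding:", finding)
```

On a real host, feed `parse_audit_rules` the contents of /etc/audit/audit.rules and `parse_auditctl_status` the captured output of `auditctl -s`; the regex deliberately skips status lines whose value is not a plain integer, so newer auditctl versions that print extra fields still parse. The mismatch finding is the one to look at first in a situation like post #2: the limit set at boot with `audit_backlog_limit=` is what the kernel holds until the rules file's `-b` is applied, and with `-e 2` in effect no further change is possible without a reboot.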
