e4rat-lite won't generate a startup.log file

ArchEdu · 2016-10-05 07:06:27

I'm following the wiki instructions to install e4rat-lite on my computer. I'm using systemd-boot as my boot manager and I'm adding this kernel parameter

init=/usr/bin/e4rat-lite-collect

to run e4rat-lite-collect. On boot I get the following error messages

Cannot open audit socket
Cannot disable audit socket
Cannot disable current pid

and then something about 0 files being collected. After the default 120 seconds have passed once everything is loaded there is no startup.log file in /var/lib/e4rat-lite.

Tjuh · 2016-10-16 14:58:07

I'm having this very same issue.

ArchEdu · 2016-10-17 04:49:49

Tjuh wrote:

I'm having this very same issue.

I later realized that my problem may be that I don't have an Audit enabled custom kernel.

Last edited by ArchEdu (2016-10-17 04:50:07)

Tjuh · 2016-10-18 10:25:14

I think ur right, however when tryin to rebuild the kernel with audit enabled, I can't seem to find the CONFIG_AUDITSYSCALL entry in the kernel config files.

2ManyDogs · 2016-10-18 14:02:14

Tjuh wrote:

I think ur right, however when tryin to rebuild the kernel with audit enabled, I can't seem to find the CONFIG_AUDITSYSCALL entry in the kernel config files.

CONFIG_AUDITSYSCALL won't show up in your config until you also set CONFIG_AUDIT.

If you are using make menuconfig (or make nconfig,) search for "audit" and set "Auditing support" -- you will then see (and can set) the "Enable system-call auditing support" option. This should set both CONFIG options in your kernel config file.

Last edited by 2ManyDogs (2016-10-18 14:15:58)

Tjuh · 2016-10-26 18:58:11

For some reason I still can't get this to work. Followed this guide and the e4rat wiki, compiled linux-ck kernel with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=y, compiled audit with staticlibs enabled and compiled e4rat-lite-git from the AUR. No startup.log is created and running e4rat-lite-collect from a terminal results in the following message:

sh: lsof: command not found
Cannot open audit socket
Press 'Ctrl-C' to stop collecting files
Cannot disable audit socket
Cannot disable current pid
	0 file(s) collected

After installation of lsof, same message:

Cannot open audit socket
Press 'Ctrl-C' to stop collecting files
Cannot disable audit socket
Cannot disable current pid
	0 file(s) collected

Any thoughts on this would be greatly appreciated.

EDIT: After some further testing I tried enabling and disabling auditd service, however journallog mentions audit is not supported in the kernel, which I find odd since I did explicitely add those two lines in the linux-ck config file.

Oct 26 21:12:53 Arch64 auditd[573]: Error - audit support not in kernel
Oct 26 21:12:53 Arch64 auditd[573]: Cannot open netlink audit socket
Oct 26 21:12:53 Arch64 auditctl[775]: Error - audit support not in kernel
Oct 26 21:12:53 Arch64 systemd[1]: Failed to start Security Auditing Service.
-- Subject: Unit auditd.service has failed

Last edited by Tjuh (2016-10-26 19:39:19)

Arch Linux

#1 2016-10-05 07:06:27

e4rat-lite won't generate a startup.log file

#2 2016-10-16 14:58:07

Re: e4rat-lite won't generate a startup.log file

#3 2016-10-17 04:49:49

Re: e4rat-lite won't generate a startup.log file

#4 2016-10-18 10:25:14

Re: e4rat-lite won't generate a startup.log file

#5 2016-10-18 14:02:14

Re: e4rat-lite won't generate a startup.log file

#6 2016-10-26 18:58:11

Re: e4rat-lite won't generate a startup.log file

Board footer