I'm following the wiki instructions to install e4rat-lite on my computer. I'm using systemd-boot as my boot manager and I'm adding this kernel parameter
init=/usr/bin/e4rat-lite-collect
to run e4rat-lite-collect. On boot I get the following error messages
Cannot open audit socket
Cannot disable audit socket
Cannot disable current pid
and then something about 0 files being collected. After the default 120 seconds have passed once everything is loaded there is no startup.log file in /var/lib/e4rat-lite.
I'm having this very same issue.
I'm having this very same issue.
I later realized that my problem may be that I don't have an Audit enabled custom kernel.
Last edited by ArchEdu (2016-10-17 04:50:07)
I think you're right; however, when trying to rebuild the kernel with audit enabled, I can't seem to find the CONFIG_AUDITSYSCALL entry in the kernel config files.
I think you're right; however, when trying to rebuild the kernel with audit enabled, I can't seem to find the CONFIG_AUDITSYSCALL entry in the kernel config files.
CONFIG_AUDITSYSCALL won't show up in your config until you also set CONFIG_AUDIT.
If you are using make menuconfig (or make nconfig), search for "audit" and set "Auditing support" -- you will then see (and can set) the "Enable system-call auditing support" option. This should set both CONFIG options in your kernel config file.
Last edited by 2ManyDogs (2016-10-18 14:15:58)
For some reason I still can't get this to work. Followed this guide and the e4rat wiki, compiled linux-ck kernel with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=y, compiled audit with staticlibs enabled and compiled e4rat-lite-git from the AUR. No startup.log is created and running e4rat-lite-collect from a terminal results in the following message:
sh: lsof: command not found
Cannot open audit socket
Press 'Ctrl-C' to stop collecting files
Cannot disable audit socket
Cannot disable current pid
0 file(s) collected
After installation of lsof, same message:
Cannot open audit socket
Press 'Ctrl-C' to stop collecting files
Cannot disable audit socket
Cannot disable current pid
0 file(s) collected
Any thoughts on this would be greatly appreciated.
EDIT: After some further testing I tried enabling and disabling the auditd service; however, the journal log mentions audit is not supported in the kernel, which I find odd since I did explicitly add those two lines in the linux-ck config file.
Oct 26 21:12:53 Arch64 auditd[573]: Error - audit support not in kernel
Oct 26 21:12:53 Arch64 auditd[573]: Cannot open netlink audit socket
Oct 26 21:12:53 Arch64 auditctl[775]: Error - audit support not in kernel
Oct 26 21:12:53 Arch64 systemd[1]: Failed to start Security Auditing Service.
-- Subject: Unit auditd.service has failed
Last edited by Tjuh (2016-10-26 19:39:19)
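Added example, not from the thread or the e4rat-lite project: a small POSIX shell check that reads a kernel config and reports the state of the two options 2ManyDogs names (CONFIG_AUDIT and CONFIG_AUDITSYSCALL), run against the config of the kernel that is actually booted, which is the first thing to verify when auditd still logs "audit support not in kernel" after a rebuild as in Tjuh's post. It assumes the running kernel exposes /proc/config.gz (CONFIG_IKCONFIG_PROC) or ships /boot/config-$(uname -r); the sample config in the test is constructed.

```shell
#!/bin/sh
# audit_option FILE OPTION -> prints y, n or missing for one CONFIG_ line.
# Kernel configs record disabled options as "# CONFIG_X is not set".
audit_option() {
    file=$1
    opt=$2
    if grep -q "^${opt}=y" "$file"; then
        echo y
    elif grep -q "^# ${opt} is not set" "$file"; then
        echo n
    else
        echo missing
    fi
}

# kernel_audit_status FILE -> "ok" when both options are =y, else a diagnosis.
kernel_audit_status() {
    a=$(audit_option "$1" CONFIG_AUDIT)
    s=$(audit_option "$1" CONFIG_AUDITSYSCALL)
    if [ "$a" = y ] && [ "$s" = y ]; then
        echo ok
    elif [ "$a" != y ]; then
        # CONFIG_AUDITSYSCALL does not even appear until CONFIG_AUDIT is set.
        echo "CONFIG_AUDIT=$a: set Auditing support first (CONFIG_AUDITSYSCALL=$s)"
    else
        echo "CONFIG_AUDITSYSCALL=$s: enable system-call auditing support"
    fi
}

# running_kernel_config -> path to the *booted* kernel's config, or failure.
# A rebuilt kernel that was not the one booted is a common reason auditd
# still reports missing support.
running_kernel_config() {
    tmp="${TMPDIR:-/tmp}/running-config.$$"
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz > "$tmp" && echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Report on the booted kernel when a config can be located.
if cfg=$(running_kernel_config); then
    echo "running kernel $(uname -r): $(kernel_audit_status "$cfg")"
fi
```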