auditd.service or augenrules.service fails to load rules for users' home directories
This document (000020912) is provided subject to the disclaimer at the end of this document.
Environment
Situation
Scenario 1:
Using augenrules and adding a rule to /etc/audit/rules.d/audit.rules that audits a file in a user's home directory:
-w /root/.ssh/authorized_keys -p w -k access
Example error messages shown:
Jan 05 05:18:17 linux augenrules[6227]: There was an error in line 5 of /etc/audit/audit.rules
Jan 05 05:18:17 linux augenrules[6227]: No rules
Jan 05 05:18:17 linux systemd[1]: augenrules.service: Main process exited, code=exited, status=1/FAILURE
Jan 05 05:18:17 linux systemd[1]: augenrules.service: Failed with result 'exit-code'.
Jan 05 05:18:17 linux systemd[1]: Failed to start auditd rules generation.
Scenario 2:
Not using augenrules.service and instead enabling ExecStartPost in auditd.service to run auditctl to load the rules:
## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
## uncomment the next line, and comment the Requires=augenrules.service above.
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
Example error messages shown:
Jan 05 05:20:22 linux auditd[6247]: Init complete, auditd 3.0.6 listening for events (startup state enable)
Jan 05 05:20:22 linux auditctl[6250]: Error sending add rule data request (No such file or directory)
Jan 05 05:20:22 linux auditctl[6250]: There was an error in line 5 of /etc/audit/audit.rules
Jan 05 05:20:22 linux auditctl[6250]: No rules
Resolution
# systemctl edit augenrules.service
and add ProtectHome=read-only within the [Service] section of the override:
[Service]
ProtectHome=read-only
Additionally, in Scenario 2, make sure the line 'ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules' is commented out within the [Service] section:
[Service]
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
Note: Be aware that this modification lowers the security of auditd. If the service is compromised, it can read all users' home directories.
Cause
In both scenarios, the cause is that the systemd hardening effort adds ProtectHome=true to the service unit file, which prevents the service's processes from accessing user home directories, so the watched path cannot be resolved when the rule is loaded:
### Security Settings ###
...
ProtectHome=true
...
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
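The following shell functions are an added example and are not part of the SUSE document or of the audit or systemd projects. They cover both the Cause and the Resolution above: the first lists the -w watch paths in an audit rules file that lie under the directories ProtectHome=true hides from a service (/home, /root and /run/user, per the systemd.exec documentation), so an administrator can see in advance which rules will fail with "No such file or directory"; the second writes the same [Service] override that "systemctl edit augenrules.service" creates, into a directory passed as an argument (the hypothetical parameter lets it be tested outside /etc/systemd/system). The sample rules used in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the SUSE document). Assumptions: the rules file is in
# auditctl syntax, only -w watch rules are inspected, and the caller chooses the
# drop-in directory (normally /etc/systemd/system/augenrules.service.d).

# Print each watched path that ProtectHome=true makes inaccessible to the
# service: anything under /home, /root or /run/user. Comment lines are skipped.
# Usage: protected_home_watches /etc/audit/audit.rules
protected_home_watches() {
    rules_file="$1"
    grep -v '^[[:space:]]*#' "$rules_file" | awk '
        {
            # The token following -w is the watched path.
            for (i = 1; i < NF; i++)
                if ($i == "-w") print $(i + 1)
        }' | grep -E '^/(home|root|run/user)(/|$)' || true
}

# Write the override from the Resolution section as a drop-in file and print
# its path. $1 is the drop-in directory, e.g.
# /etc/systemd/system/augenrules.service.d (run "systemctl daemon-reload" after).
write_protecthome_override() {
    dropin_dir="$1"
    mkdir -p "$dropin_dir"
    printf '[Service]\nProtectHome=read-only\n' > "$dropin_dir/override.conf"
    printf '%s\n' "$dropin_dir/override.conf"
}

# Example (constructed rules file):
#   printf -- '-w /etc/passwd -p wa -k identity\n-w /root/.ssh/authorized_keys -p w -k access\n' > /tmp/audit.rules
#   protected_home_watches /tmp/audit.rules
#   # prints: /root/.ssh/authorized_keys
```

Because the check reads only the rules file, it can be run before restarting augenrules.service; a non-empty result means the service needs the ProtectHome=read-only override (or the rule must be moved out of a home directory) for the rules to load.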
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020912
- Creation Date: 05-Jan-2023
- Modified Date: 11-Jan-2023
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com