
I am getting the following error while trying to start the auditd service:

auditctl[2144]:Error - audit support not in kernel
auditctl[2144]:Cannot open netlink audit socket
auditctl[2144]:Started Security Auditing Service.
systemd[1]:auditd.service: main process exited, code=exited, status=1/FAILURE
systemd[1]:Unit auditd.service entered failed state.

What is the kernel config file/module for auditctl tool? I am not allowed to upgrade kernel.

Rui F Ribeiro
fox18

1 Answer

This means that CONFIG_AUDIT is not set on your Kernel, and that is a task you will not achieve without changing your kernel or at least editing some boot parameters.

You will need to:

  • Download a Kernel that has audit enabled from your distribution provider, or compile your Kernel with CONFIG_AUDIT enabled if your distribution does not provide such a kernel
  • If your Kernel is compiled with CONFIG_AUDIT enabled (see below), add the kernel parameter audit=1 - See GRUB Quiet Splash. This is the file you need to edit.
    • Note that this was just an example. If you are using another bootloader that isn't GRUB, you will need to research in its docs how to add Kernel Options to your default Kernel entry or to all of them. As an example, systemd-boot has the options= parameter to do this task and enable it for an entry.

How you can check if your current kernel has this feature enabled:

On Red Hat and Debian based distributions, typically inside /boot there is a config file called config, with the uname -r (kernel release) appended. Example:

[root@host ~]# grep CONFIG_AUDIT /boot/config-`uname -r`
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y

On distributions compiled with the CONFIG_IKCONFIG option, you can get a compressed version of the current config file inside your /proc virtual directory structure by loading the configs kernel module. Example:

[root@host ~]# modprobe configs ; gunzip -dc /proc/config.gz | grep AUDIT
# CONFIG_AUDIT is not set
# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
  • Thank you for the solution, but I am working with the Yocto platform, where it will not support the GRUB bootloader. Please suggest any other solution to change the kernel config. – fox18 Mar 21 '19 at 05:13
  • There is no "other solution". If your kernel does not compile `CONFIG_AUDIT` there is nothing you can do instead of CHANGING YOUR KERNEL, by compiling a new one or by installing another kernel package from your distro. You don't need to be "working with grub" to change your Kernel parameters. You just need to take your time to google or read the docs and find a way to add that parameter to your bootloader. –  Mar 21 '19 at 11:33
  • As an example, I've added how to do that with `systemd-boot` (I use this bootloader at my home). You could be using rEFInd, eLILO, etc., and most of them support kernel options. –  Mar 21 '19 at 11:39
  • I have tried with Linux kernel 3.13 and it worked on an Ubuntu machine, but when I tried with Linux kernel 3.14 in a custom Linux build with the Yocto build system it shows the same error even after enabling CONFIG_AUDIT using the menuconfig tool. – fox18 Mar 22 '19 at 06:33
  • Maybe Yocto is compiling `CONFIG_CMDLINE_FORCE` so, all your boot options set in-kernel will prevail, or compiling `CONFIG_CMDLINE_OVERRIDE` so, all your boot options set in-kernel will override your boot loader options. If those are set, you will need at least to set `CONFIG_CMDLINE_BOOL=y` and `CONFIG_CMDLINE="audit=0"`. Since Yocto is used for building embedded projects, there are pretty good chances that those are set. Take your time to look at the Kernel documentation of those options. –  Mar 22 '19 at 10:54
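Added example (my own script, not part of the answer or comments above): the answer gives two places to look for the kernel config (the /boot file and /proc/config.gz) and the comments add the built-in command line knobs. The script below turns both into one check. It reports three distinct failure modes that all surface as the same "audit support not in kernel" message from auditctl: CONFIG_AUDIT not compiled in, audit=0 passed by the bootloader, and audit=0 baked into CONFIG_CMDLINE of a kernel that forces its built-in command line (a kernel booted with audit=0 skips initialising the audit subsystem, so the netlink socket open fails just as it does without CONFIG_AUDIT). Function names are mine, and the sample config files are constructed for the demo, not taken from any real kernel.

```shell
#!/bin/sh
# Decide whether a kernel can serve auditd. Each function takes a plain-text
# kernel config file path; the command line comes from /proc/cmdline on a
# live system or from a string you pass in. (Added example, not the answer's.)

# "enabled", "disabled" or "unknown" for CONFIG_AUDIT. "unknown" means the
# file never mentions the option at all (truncated or wrong file).
audit_config_status() {
    if grep -qx 'CONFIG_AUDIT=y' "$1"; then echo enabled
    elif grep -qx '# CONFIG_AUDIT is not set' "$1"; then echo disabled
    else echo unknown
    fi
}

# "forced", "override" or "none": both CONFIG_CMDLINE_FORCE and
# CONFIG_CMDLINE_OVERRIDE (the names raised in the comments) make the
# built-in CONFIG_CMDLINE win over whatever the bootloader passes.
builtin_cmdline_mode() {
    if grep -qx 'CONFIG_CMDLINE_FORCE=y' "$1"; then echo forced
    elif grep -qx 'CONFIG_CMDLINE_OVERRIDE=y' "$1"; then echo override
    else echo none
    fi
}

# The quoted value of CONFIG_CMDLINE, or nothing if it is not set.
builtin_cmdline() {
    sed -n 's/^CONFIG_CMDLINE="\(.*\)"$/\1/p' "$1"
}

# Value of audit= in a command line string ($1), or "absent". The string is
# deliberately unquoted so the shell splits it into parameters; the last
# occurrence is taken to win (assumption documented here, not verified).
cmdline_audit_value() {
    val=absent
    for tok in $1; do
        case "$tok" in audit=*) val="${tok#audit=}" ;; esac
    done
    echo "$val"
}

# One verdict for a config file ($1) and a bootloader command line ($2):
#   no-kernel-support   CONFIG_AUDIT is not compiled in
#   disabled-on-cmdline CONFIG_AUDIT=y but audit=0 switches it off at boot
#   ok                  auditd can open the socket (audit=1 enables from boot)
#   unknown             the config file does not answer the question
# When the kernel forces its built-in line, that line is what counts, which
# matters when checking a not-yet-booted kernel out of a build tree.
audit_verdict() {
    case "$(audit_config_status "$1")" in
        disabled) echo no-kernel-support; return 0 ;;
        unknown)  echo unknown; return 0 ;;
    esac
    effective=$2
    if [ "$(builtin_cmdline_mode "$1")" != none ]; then
        effective=$(builtin_cmdline "$1")
    fi
    if [ "$(cmdline_audit_value "$effective")" = 0 ]; then echo disabled-on-cmdline
    else echo ok
    fi
}

# Find a readable config for the running kernel: /boot/config-$(uname -r)
# first, then /proc/config.gz (CONFIG_IKCONFIG; may need "modprobe configs").
# Prints a path to a plain-text copy, or returns 1 if neither exists.
running_kernel_config() {
    boot_cfg="/boot/config-$(uname -r)"
    if [ -r "$boot_cfg" ]; then echo "$boot_cfg"; return 0; fi
    if ! [ -r /proc/config.gz ]; then modprobe configs 2>/dev/null || true; fi
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp); gunzip -c /proc/config.gz > "$tmp"; echo "$tmp"; return 0
    fi
    return 1
}

# Constructed sample configs (not from any real kernel) to exercise the checks.
SAMPLE_OK=$(mktemp); printf 'CONFIG_AUDIT=y\nCONFIG_AUDITSYSCALL=y\n' > "$SAMPLE_OK"
SAMPLE_OFF=$(mktemp); printf '# CONFIG_AUDIT is not set\n' > "$SAMPLE_OFF"
SAMPLE_FORCED=$(mktemp); printf '%s\n' 'CONFIG_AUDIT=y' 'CONFIG_CMDLINE_BOOL=y' \
    'CONFIG_CMDLINE="console=ttyS0 audit=0"' 'CONFIG_CMDLINE_FORCE=y' > "$SAMPLE_FORCED"

echo "sample ok:     $(audit_verdict "$SAMPLE_OK" "quiet splash audit=1")"
echo "sample off:    $(audit_verdict "$SAMPLE_OFF" "audit=1")"
echo "sample forced: $(audit_verdict "$SAMPLE_FORCED" "audit=1")"

# Live check of this machine, if a config can be found.
if cfg=$(running_kernel_config); then
    echo "running kernel: $(audit_verdict "$cfg" "$(cat /proc/cmdline 2>/dev/null)")"
else
    echo "running kernel: no readable config found"
fi
```

On a Yocto image you can point `audit_verdict` at the `.config` in the kernel build directory before flashing, which is the case the last comment describes: a `CONFIG_CMDLINE` containing `audit=0` under `CONFIG_CMDLINE_FORCE=y` gives `disabled-on-cmdline` even though `CONFIG_AUDIT=y` was set in menuconfig.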