Cisco Bug: CSCvt18867 - auditd startup up failure on UEM
Jul 06, 2020
- Cisco Ultra Services Framework
Known Affected Releases
Symptom: Auditd failed to start up sometimes when the Ultra Element Manager (UEM) is restarted. It is using ubuntu OS. On the messages logs, it is failed by "Operation not permitted" as the kernel response. Journalctl logs for auditd process show following: Apr 07 06:37:48 blrspgw01-em-vnfc-em-2 audit: CONFIG_CHANGE audit_enabled=1 old=2 auid=4294967295 ses=4294967295 res=0 Apr 07 06:37:48 blrspgw01-em-vnfc-em-2 auditd: Error sending enable request (Operation not permitted) Conditions: This situation happens like below situations. 1. On commercial and customer lab, it frequently occurs during instance reboot. 2. In the lab reproduction, redeployment (auto healing) was done 50 times and restart/rebooting was done 50 times. Redeployment did not show this error but, it could reproduced sometimes on instance rebooting. Based on this, it can be assumed that the issue is related to initial auditd startup and rules loading just after reboot. However, the auditd process can be started manually even after initially failing to start. Quite simply, there's some sort of race condition happening during restart with regards to loading of audit rules using auditctl.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases