Cisco Bug: CSCvt18867 - auditd startup up failure on UEM

Last Modified

Jul 06, 2020

Products (1)

  • Cisco Ultra Services Framework

Known Affected Releases

USP_6.9.0

Description (partial)

Symptom:
Auditd sometimes fails to start when the Ultra Element Manager (UEM) is restarted. The UEM runs on Ubuntu. The messages log shows the failure as an "Operation not permitted" response from the kernel. The journalctl logs for the auditd process show the following:

Apr 07 06:37:48 blrspgw01-em-vnfc-em-2 audit: CONFIG_CHANGE audit_enabled=1 old=2 auid=4294967295 ses=4294967295 res=0
Apr 07 06:37:48 blrspgw01-em-vnfc-em-2 auditd[486]: Error sending enable request (Operation not permitted)

Conditions:
This occurs in the following situations:

1. In commercial deployments and customer labs, it frequently occurs during instance reboot.

2. In the lab reproduction, redeployment (auto healing) was done 50 times and restart/reboot was done 50 times.
Redeployment did not show this error, but it could sometimes be reproduced on instance reboot. Based on this, it can be assumed that the issue is related to the initial auditd startup and rules loading just after reboot.

However, the auditd process can be started manually even after initially failing to start. Quite simply, there is some sort of race condition happening during restart with regard to the loading of audit rules using auditctl.
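A detector for this failure signature in exported journalctl text, as an added example (not Cisco's code). The first two sample lines are the ones quoted above and the third is constructed; the check assumes the Linux kernel's convention that an audit_enabled value of 2 means the audit configuration is locked and that res=0 means the change was refused.

```python
import re

# Syslog-style journal line: "<Mon DD HH:MM:SS> <host> <ident>[pid]: <message>"
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<ident>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Kernel record for an attempted change of the audit enabled flag.
CONFIG = re.compile(
    r"CONFIG_CHANGE audit_enabled=(?P<new>\d) old=(?P<old>\d).*\bres=(?P<res>\d)"
)
ENABLE_ERR = "Error sending enable request (Operation not permitted)"

SAMPLE = [
    # Lines 1-2 are quoted from the bug description; line 3 is constructed.
    "Apr 07 06:37:48 blrspgw01-em-vnfc-em-2 audit: CONFIG_CHANGE audit_enabled=1 old=2 auid=4294967295 ses=4294967295 res=0",
    "Apr 07 06:37:48 blrspgw01-em-vnfc-em-2 auditd[486]: Error sending enable request (Operation not permitted)",
    "Apr 07 06:41:02 example-em-1 audit: CONFIG_CHANGE audit_enabled=1 old=1 auid=4294967295 ses=4294967295 res=1",
]

def find_failed_starts(lines):
    """Return one finding per auditd enable failure, joined with the kernel's
    most recent refused audit_enabled change on the same host (if any)."""
    refused = {}   # host -> previous audit_enabled value of the last refused change
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        if m["ident"] == "audit":
            c = CONFIG.search(msg)
            if c and c["res"] == "0":          # res=0: kernel refused the change
                refused[host] = int(c["old"])
        elif m["ident"] == "auditd" and ENABLE_ERR in msg:
            findings.append({
                "host": host,
                "time": m["ts"],
                # old=2 means the audit configuration was already locked
                "config_locked": refused.get(host) == 2,
            })
    return findings

if __name__ == "__main__":
    for f in find_failed_starts(SAMPLE):
        print(f)
```

A finding with config_locked set is consistent with the audit configuration having been locked before auditd sent its enable request, which matches the rules-loading race described above.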