#1111161 auditd: Arm64 arch cannot load rules related to file watch

Package:
auditd
Source:
auditd
Description:
User space tools for security auditing
Submitter:
Milton Yates
Date:
2025-09-03 09:01:02 UTC
Severity:
normal
Tags:
#1111161#5
Date:
2025-08-15 08:06:09 UTC
Dear Maintainer,

There is a bug in the v4.0.2 of auditd, which has been solved in v4.0.4 onwards.
This renders certain standard rules unusable on aarch64.


   * What led up to the situation?

Loading standard auditd rules which work on Deb12/arm64 and deb13/x86-64
Any rule with a `-F path=` or `-F dir=` on aarch64 will trigger this bug,
causing other rules to fail to load.

This is due to a bug in the v4.0.2 auditd on aarch64, since fixed upstream.

Sample rules from the auditd repo will trigger this. See:
https://github.com/linux-audit/audit-userspace/blob/1006f10592a44380591a069bc957b0f1874ce9d4/rules/30-pci-dss-v31.rules#L38

This has been solved upstream in https://github.com/linux-audit/audit-userspace/pull/426, and included in the v4.0.4 Release of auditd.

See a full upstream bug report for this issue:
https://github.com/linux-audit/audit-userspace/issues/496


   * What exactly did you do (or not do) that was effective (or
     ineffective)?

I installed the v4.0.5 version of auditd from debian-testing (forky).

   * What was the outcome of this action?

This solved the problem, and stopped the error messages, and the rules now load correctly.


   * What outcome did you expect instead?

I expected the rules-loader in -stable to load rules correctly, without needing to install packages from -testing.

#1111161#18
Date:
2025-09-03 08:59:31 UTC
Dear Maintainer,

Thanks for your last check-in.

I think your last message was indicating that this was fixed (is that what "notfound" means?),
but I've just downgraded my machine and re-tested 4.0.2-2+b2 on trixie/arm64, and it still has the same issue.

Also, the Debian info page https://packages.debian.org/trixie/auditd seems to still only show a
source-download link to [audit_4.0.2-2.debian.tar.xz] - and even trying a direct-edit url
of http://deb.debian.org/debian/pool/main/a/audit/audit_4.0.2-2+b2.debian.tar.xz says 404 NotFound,
so I can't seem to see the updated source either, to see if +b2 has the extra patch from upstream.


Sample failing rule:
-a always,exit -F arch=b64 -F path=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=10.2.3-access-audit-trail

Result (during augenrules --load):
Syscall name unknown: readlink
Error adding syscalls for perm filtering
There was an error in line 14 of /etc/audit/audit.rules
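A small triage helper, added here and not part of the bug report or of the auditd project, that maps the augenrules --load errors quoted above back to the rule lines in the merged audit.rules file and flags the failures that combine -F path= or -F dir= with -F perm=, the combination this report describes. The rules file and loader output below are constructed samples standing in for /etc/audit/audit.rules and the real augenrules output.

```shell
# Constructed sample standing in for the merged /etc/audit/audit.rules that
# augenrules builds from /etc/audit/rules.d/ (the loader's "line N" refers
# to this merged file, not to the individual rules.d fragments).
RULES_FILE=$(mktemp)
cat > "$RULES_FILE" <<'EOF'
-D
-b 8192
-a always,exit -F arch=b64 -S execve -F key=exec
-a always,exit -F arch=b64 -F path=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=10.2.3-access-audit-trail
-a always,exit -F arch=b64 -F dir=/etc/ -F perm=wa -F key=etc-changes
EOF
# Constructed sample of what augenrules --load printed for that file on aarch64.
LOAD_LOG='Syscall name unknown: readlink
Error adding syscalls for perm filtering
There was an error in line 4 of /etc/audit/audit.rules
Syscall name unknown: readlink
Error adding syscalls for perm filtering
There was an error in line 5 of /etc/audit/audit.rules'
# unknown_syscalls LOG: the syscall names the loader could not resolve.
unknown_syscalls() {
    printf '%s\n' "$1" | sed -n 's/^Syscall name unknown: \(.*\)$/\1/p' | sort -u
}
# failed_lines LOG: the rule line numbers the loader reported as failing.
failed_lines() {
    printf '%s\n' "$1" | sed -n 's/^There was an error in line \([0-9]*\) of .*/\1/p'
}
# rule_matches_bug RULE: true when a path/dir filter is combined with -F perm=,
# the combination that makes the loader expand perm into syscalls (readlink).
rule_matches_bug() {
    case "$1" in
        *"-F path="*"-F perm="*|*"-F perm="*"-F path="*) return 0 ;;
        *"-F dir="*"-F perm="*|*"-F perm="*"-F dir="*) return 0 ;;
        *) return 1 ;;
    esac
}
# classify RULES_FILE LOG: one line per failed rule, "<lineno> affected|other <rule>".
classify() {
    for n in $(failed_lines "$2"); do
        rule=$(sed -n "${n}p" "$1")
        if rule_matches_bug "$rule"; then kind=affected; else kind=other; fi
        printf '%s %s %s\n' "$n" "$kind" "$rule"
    done
}
# count_affected RULES_FILE LOG: how many failures match the bug's pattern.
count_affected() {
    classify "$1" "$2" | awk '$2 == "affected" { c++ } END { print c + 0 }'
}
classify "$RULES_FILE" "$LOAD_LOG"
```

Against a real host, feed it the merged /etc/audit/audit.rules and the captured output of augenrules --load; failures tagged "other" are unrelated to this report and need separate investigation.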