@@ -106,14 +106,16 @@ jobs:
106106 sudo auditctl -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,fchownat,fchmodat -k permission_syscalls || echo "Failed to add permission syscalls rule"
107107
108108 # Monitor udev-related processes that might affect device permissions
109- sudo auditctl -a always,exit -F comm= udevd -k device_changes || echo "Failed to add udevd monitoring rule"
110- sudo auditctl -a always,exit -F comm=systemd- udevd -k device_changes || echo "Failed to add systemd- udevd monitoring rule"
109+ sudo auditctl -a always,exit -F exe=/lib/systemd/systemd- udevd -k device_changes || echo "Failed to add systemd- udevd monitoring rule"
110+ sudo auditctl -a always,exit -F exe=/sbin/ udevd -k device_changes || echo "Failed to add udevd monitoring rule"
111111
112112 # Monitor systemd processes that might affect devices
113- sudo auditctl -a always,exit -F comm=systemd -k device_changes || echo "Failed to add systemd monitoring rule"
113+ sudo auditctl -a always,exit -F exe=/lib/systemd/systemd -k device_changes || echo "Failed to add systemd monitoring rule"
114+ sudo auditctl -a always,exit -F exe=/usr/lib/systemd/systemd -k device_changes || echo "Failed to add systemd monitoring rule (alt path)"
114115
115116 # Monitor modprobe calls (kernel module loading)
116- sudo auditctl -a always,exit -F comm=modprobe -k device_changes || echo "Failed to add modprobe monitoring rule"
117+ sudo auditctl -a always,exit -F exe=/sbin/modprobe -k device_changes || echo "Failed to add modprobe monitoring rule"
118+ sudo auditctl -a always,exit -F exe=/usr/sbin/modprobe -k device_changes || echo "Failed to add modprobe monitoring rule (alt path)"
117119
118120 # Monitor file operations that might create /dev/kvm
119121 sudo auditctl -a always,exit -F arch=b64 -S mknod,mknodat -F path=/dev/kvm -k device_changes || echo "Failed to add device creation syscall rule"
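Review bot: The new `-F exe=` rules at new lines 109–118 carry no `-S`/`-F arch` filter, so auditctl installs each of them as `-S all` and every syscall made by systemd (PID 1), udevd and modprobe is recorded, not just the device-permission activity the comments describe; on a busy runner that volume can overflow the audit backlog and drop the mknod/chmod records that the rules at 106 and 121 exist to capture. Scope each rule to the syscalls of interest while keeping the exe= match (which, unlike the old comm= match, a process cannot defeat by renaming itself), e.g. `sudo auditctl -a always,exit -F arch=b64 -S mknod,mknodat,chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F exe=/lib/systemd/systemd-udevd -k device_changes`, and the same for the systemd and modprobe lines. Separately, if the runner image uses a merged /usr, `/lib/systemd/systemd` and `/usr/lib/systemd/systemd` name the same binary, so the "(alt path)" rule at 114 is at best redundant and at worst reported as a failure by the `|| echo` — worth checking the step log rather than trusting that message. The `run:` block this sits in starts before the hunk.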
@@ -127,12 +129,42 @@ jobs:
127129 sudo auditctl -s || echo "Failed to get audit status"
128130
129131 # Check audit configuration file
130- echo "Audit configuration:"
131- if [ -f /etc/audit/auditd.conf ]; then
132- echo "auditd.conf exists, showing key settings:"
133- grep -E "^(log_file|log_format|flush|freq|max_log_file)" /etc/audit/auditd.conf || echo "Could not read audit config"
132+ echo "Audit configuration search and diagnostics:"
133+
134+ # Check multiple possible locations for auditd.conf
135+ AUDIT_CONF_LOCATIONS="/etc/audit/auditd.conf /etc/auditd.conf /usr/local/etc/audit/auditd.conf"
136+ FOUND_CONFIG=""
137+
138+ for conf_path in $AUDIT_CONF_LOCATIONS; do
139+ echo "Checking $conf_path..."
140+ if [ -f "$conf_path" ]; then
141+ echo "✓ Found auditd config at: $conf_path"
142+ FOUND_CONFIG="$conf_path"
143+ break
144+ else
145+ echo "✗ Not found: $conf_path"
146+ fi
147+ done
148+
149+ if [ -n "$FOUND_CONFIG" ]; then
150+ echo "Reading audit configuration from: $FOUND_CONFIG"
151+ if sudo cat "$FOUND_CONFIG" >/dev/null 2>&1; then
152+ echo "Key audit settings:"
153+ sudo grep -E "^(log_file|log_format|flush|freq|max_log_file)" "$FOUND_CONFIG" || echo "Could not find standard config keys"
154+ else
155+ echo "Permission denied reading $FOUND_CONFIG - trying with elevated privileges"
156+ sudo ls -la "$FOUND_CONFIG" || echo "Cannot access config file"
157+ fi
134158 else
135- echo "auditd.conf not found"
159+ echo "No auditd.conf found in standard locations"
160+ echo "Checking /etc/audit/ directory permissions:"
161+ sudo ls -la /etc/audit/ || echo "Cannot access /etc/audit/ directory"
162+
163+ echo "Checking if auditd package is properly installed:"
164+ dpkg -l | grep audit || echo "No audit packages found"
165+
166+ echo "Looking for any audit-related config files:"
167+ sudo find /etc -name "*audit*" -type f 2>/dev/null | head -10 || echo "No audit config files found"
136168 fi
137169
138170 # Ensure audit logs are writable
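Review bot: The readability probe at new line 151 already runs `sudo cat`, so the else branch at 155 only executes when even sudo could not read the file, yet its message announces it is about to "try with elevated privileges" and its fallback merely lists the file; the diagnostic is misleading in exactly the failure case it exists for. Use a test instead of a full read and make the message match what happened: `if sudo test -r "$FOUND_CONFIG"; then` and `echo "Cannot read $FOUND_CONFIG even with sudo; listing it instead:"`. Also, `sudo find ... | head -10 || echo "No audit config files found"` at 167 tests head's exit status, which is 0 even when find matched nothing, so that message never prints — something like `... | head -10 | grep . || echo "No audit config files found"` makes the fallback reachable. The `run:` block continues past both ends of this hunk.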