
kernel-packages team mailing list archive

[Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified


This bug was fixed in the package linux - 3.13.0-51.84

---------------
linux (3.13.0-51.84) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1444141
  * Merged back Ubuntu-3.13.0-49.83 security release

linux (3.13.0-50.82) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1442285

  [ Andy Whitcroft ]

  * [Config] CONFIG_DEFAULT_MMAP_MIN_ADDR needs to match on armhf and arm64
    - LP: #1418140

  [ Chris J Arges ]

  * [Config] CONFIG_PCIEASPM_DEBUG=y
    - LP: #1398544

  [ Upstream Kernel Changes ]

  * KEYS: request_key() should reget expired keys rather than give
    EKEYEXPIRED
    - LP: #1124250
  * audit: correctly record file names with different path name types
    - LP: #1439441
  * KVM: x86: Check for nested events if there is an injectable interrupt
    - LP: #1413540
  * be2iscsi: fix memory leak in error path
    - LP: #1440156
  * block: remove old blk_iopoll_enabled variable
    - LP: #1440156
  * be2iscsi: Fix handling timed out MBX completion from FW
    - LP: #1440156
  * be2iscsi: Fix doorbell format for EQ/CQ/RQ s per SLI spec.
    - LP: #1440156
  * be2iscsi: Fix the session cleanup when reboot/shutdown happens
    - LP: #1440156
  * be2iscsi: Fix scsi_cmnd leakage in driver.
    - LP: #1440156
  * be2iscsi : Fix DMA Out of SW-IOMMU space error
    - LP: #1440156
  * be2iscsi: Fix retrieving MCCQ_WRB in non-embedded Mbox path
    - LP: #1440156
  * be2iscsi: Fix exposing Host in sysfs after adapter initialization is
    complete
    - LP: #1440156
  * be2iscsi: Fix interrupt Coalescing mechanism.
    - LP: #1440156
  * be2iscsi: Fix TCP parameters while connection offloading.
    - LP: #1440156
  * be2iscsi: Fix memory corruption in MBX path
    - LP: #1440156
  * be2iscsi: Fix destroy MCC-CQ before MCC-EQ is destroyed
    - LP: #1440156
  * be2iscsi: add an missing goto in error path
    - LP: #1440156
  * be2iscsi: remove potential junk pointer free
    - LP: #1440156
  * be2iscsi: Fix memory leak in mgmt_set_ip()
    - LP: #1440156
  * be2iscsi: Fix the sparse warning introduced in previous submission
    - LP: #1440156
  * be2iscsi: Fix updating the boot enteries in sysfs
    - LP: #1440156
  * be2iscsi: Fix processing CQE before connection resources are freed
    - LP: #1440156
  * be2iscsi : Fix kernel panic during reboot/shutdown
    - LP: #1440156
  * fixed invalid assignment of 64bit mask to host dma_boundary for scatter
    gather segment boundary limit.
    - LP: #1440156
  * quota: Store maximum space limit in bytes
    - LP: #1441284
  * ip: zero sockaddr returned on error queue
    - LP: #1441284
  * net: rps: fix cpu unplug
    - LP: #1441284
  * ipv6: stop sending PTB packets for MTU < 1280
    - LP: #1441284
  * netxen: fix netxen_nic_poll() logic
    - LP: #1441284
  * udp_diag: Fix socket skipping within chain
    - LP: #1441284
  * ping: Fix race in free in receive path
    - LP: #1441284
  * bnx2x: fix napi poll return value for repoll
    - LP: #1441284
  * net: don't OOPS on socket aio
    - LP: #1441284
  * bridge: dont send notification when skb->len == 0 in rtnl_bridge_notify
    - LP: #1441284
  * ipv4: tcp: get rid of ugly unicast_sock
    - LP: #1441284
  * ppp: deflate: never return len larger than output buffer
    - LP: #1441284
  * net: sctp: fix passing wrong parameter header to param_type2af in
    sctp_process_param
    - LP: #1441284
  * ARM: pxa: add regulator_has_full_constraints to corgi board file
    - LP: #1441284
  * ARM: pxa: add regulator_has_full_constraints to poodle board file
    - LP: #1441284
  * ARM: pxa: add regulator_has_full_constraints to spitz board file
    - LP: #1441284
  * hx4700: regulator: declare full constraints
    - LP: #1441284
  * HID: input: fix confusion on conflicting mappings
    - LP: #1441284
  * HID: fixup the conflicting keyboard mappings quirk
    - LP: #1441284
  * megaraid_sas: disable interrupt_mask before enabling hardware
    interrupts
    - LP: #1441284
  * PCI: Generate uppercase hex for modalias var in uevent
    - LP: #1441284
  * usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN
    - LP: #1441284
  * tty/serial: at91: enable peripheral clock before accessing I/O
    registers
    - LP: #1441284
  * tty/serial: at91: fix error handling in atmel_serial_probe()
    - LP: #1441284
  * axonram: Fix bug in direct_access
    - LP: #1441284
  * ksoftirqd: Enable IRQs and call cond_resched() before poking RCU
    - LP: #1441284
  * TPM: Add new TPMs to the tail of the list to prevent inadvertent change
    of dev
    - LP: #1441284
  * char: tpm: Add missing error check for devm_kzalloc
    - LP: #1441284
  * tpm_tis: verify interrupt during init
    - LP: #1441284
  * tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma
    - LP: #1441284
  * tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send
    - LP: #1441284
  * tpm/tpm_i2c_stm_st33: Add status check when reading data on the FIFO
    - LP: #1441284
  * mmc: sdhci-pxav3: fix unbalanced clock issues during probe
    - LP: #1441284
  * iwlwifi: mvm: validate tid and sta_id in ba_notif
    - LP: #1441284
  * power: bq24190: Fix ignored supplicants
    - LP: #1441284
  * ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL enabled on UART3
    - LP: #1441284
  * Bluetooth: ath3k: Add support of AR3012 bluetooth 13d3:3423 device
    - LP: #1411193, #1441284
  * cfq-iosched: fix incorrect filing of rt async cfqq
    - LP: #1441284
  * smack: fix possible use after frees in task_security() callers
    - LP: #1441284
  * xfs: ensure buffer types are set correctly
    - LP: #1441284
  * xfs: inode unlink does not set AGI buffer type
    - LP: #1441284
  * xfs: set buf types when converting extent formats
    - LP: #1441284
  * xfs: set superblock buffer type correctly
    - LP: #1441284
  * btrfs: set proper message level for skinny metadata
    - LP: #1441284
  * KVM: s390: base hrtimer on a monotonic clock
    - LP: #1441284
  * PCI: Fix infinite loop with ROM image of size 0
    - LP: #1441284
  * USB: cp210x: add ID for RUGGEDCOM USB Serial Console
    - LP: #1441284
  * clk: zynq: Force CPU_2X clock to be ungated
    - LP: #1441284
  * mmc: sdhci-pxav3: Remove checks for mandatory host clock
    - LP: #1441284
  * mmc: sdhci-pxav3: fix race between runtime pm and irq
    - LP: #1441284
  * power_supply: 88pm860x: Fix leaked power supply on probe fail
    - LP: #1441284
  * staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back
    - LP: #1441284
  * mmc: sdhci-pxav3: fix setting of pdata->clk_delay_cycles
    - LP: #1441284
  * ARM: 8284/1: sa1100: clear RCSR_SMR on resume
    - LP: #1441284
  * usb: musb: omap2plus bus glue needs USB host support
    - LP: #1441284
  * USB: add flag for HCDs that can't receive wakeup requests (isp1760-hcd)
    - LP: #1441284
  * USB: fix use-after-free bug in usb_hcd_unlink_urb()
    - LP: #1441284
  * iwlwifi: mvm: always use mac color zero
    - LP: #1441284
  * iwlwifi: pcie: disable the SCD_BASE_ADDR when we resume from WoWLAN
    - LP: #1441284
  * vt: provide notifications on selection changes
    - LP: #1441284
  * tty: Prevent untrappable signals from malicious program
    - LP: #1441284
  * cpufreq: Set cpufreq_cpu_data to NULL before putting kobject
    - LP: #1441284
  * lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in
    interrupt urb
    - LP: #1441284
  * mei: mask interrupt set bit on clean reset bit
    - LP: #1441284
  * mei: me: release hw from reset only during the reset flow
    - LP: #1441284
  * MIPS: KVM: Deliver guest interrupts after local_irq_disable()
    - LP: #1441284
  * KVM: MIPS: Don't leak FPU/DSP to guest
    - LP: #1441284
  * ALSA: hda - Add the pin fixup for HP Envy TS bass speaker
    - LP: #1441284
  * ALSA: hda - Set up GPIO for Toshiba Satellite S50D
    - LP: #1441284
  * xen/manage: Fix USB interaction issues when resuming
    - LP: #1441284
  * drm/i915: Correct the IOSF Dev_FN field for IOSF transfers
    - LP: #1441284
  * cfq-iosched: handle failure of cfq group allocation
    - LP: #1441284
  * tracing: Fix unmapping loop in tracing_mark_write
    - LP: #1441284
  * fsnotify: fix handling of renames in audit
    - LP: #1441284
  * drm/radeon: workaround for CP HW bug on CIK
    - LP: #1441284
  * drm/radeon: only enable kv/kb dpm interrupts once v3
    - LP: #1441284
  * NFSv4.1: Fix a kfree() of uninitialised pointers in
    decode_cb_sequence_args
    - LP: #1441284
  * cpufreq: speedstep-smi: enable interrupts when waiting
    - LP: #1441284
  * mm/hugetlb: pmd_huge() returns true for non-present hugepage
    - LP: #1441284
  * mm: cleanup follow_page_mask()
    - LP: #1441284
  * mm/hugetlb: take page table lock in follow_huge_pmd()
    - LP: #1441284
  * mm/hugetlb: fix getting refcount 0 page in hugetlb_fault()
    - LP: #1441284
  * mm/hugetlb: add migration/hwpoisoned entry check in
    hugetlb_change_protection
    - LP: #1441284
  * mm/hugetlb: add migration entry check in __unmap_hugepage_range
    - LP: #1441284
  * mm: softdirty: unmapped addresses between VMAs are clean
    - LP: #1441284
  * proc/pagemap: walk page tables under pte lock
    - LP: #1441284
  * mm: when stealing freepages, also take pages created by splitting buddy
    page
    - LP: #1441284
  * mm/mmap.c: fix arithmetic overflow in __vm_enough_memory()
    - LP: #1441284
  * mm/nommu.c: fix arithmetic overflow in __vm_enough_memory()
    - LP: #1441284
  * iscsi-target: Drop problematic active_ts_list usage
    - LP: #1441284
  * target: Fix PR_APTPL_BUF_LEN buffer size limitation
    - LP: #1441284
  * mm/compaction: fix wrong order check in compact_finished()
    - LP: #1441284
  * mm/memory.c: actually remap enough memory
    - LP: #1441284
  * mm: hwpoison: drop lru_add_drain_all() in __soft_offline_page()
    - LP: #1441284
  * ARC: fix page address calculation if PAGE_OFFSET != LINUX_LINK_BASE
    - LP: #1441284
  * drm/radeon/dp: Set EDP_CONFIGURATION_SET for bridge chips if necessary
    - LP: #1441284
  * drm/radeon: fix voltage setup on hawaii
    - LP: #1441284
  * ALSA: hdspm - Constrain periods to 2 on older cards
    - LP: #1441284
  * jffs2: fix handling of corrupted summary length
    - LP: #1441284
  * dm mirror: do not degrade the mirror on discard error
    - LP: #1441284
  * dm io: reject unsupported DISCARD requests with EOPNOTSUPP
    - LP: #1441284
  * target: Add missing WRITE_SAME end-of-device sanity check
    - LP: #1441284
  * target: Check for LBA + sectors wrap-around in sbc_parse_cdb
    - LP: #1441284
  * Btrfs: fix fsync data loss after adding hard link to inode
    - LP: #1441284
  * Added Little Endian support to vtpm module
    - LP: #1441284
  * sg: fix read() error reporting
    - LP: #1441284
  * IB/qib: Do not write EEPROM
    - LP: #1441284
  * md/raid5: Fix livelock when array is both resyncing and degraded.
    - LP: #1441284
  * dm: fix a race condition in dm_get_md
    - LP: #1441284
  * dm snapshot: fix a possible invalid memory access on unload
    - LP: #1441284
  * cpufreq: s3c: remove incorrect __init annotations
    - LP: #1441284
  * libceph: assert both regular and lingering lists in __remove_osd()
    - LP: #1441284
  * libceph: change from BUG to WARN for __remove_osd() asserts
    - LP: #1441284
  * libceph: fix double __remove_osd() problem
    - LP: #1441284
  * MIPS: Export FP functions used by lose_fpu(1) for KVM
    - LP: #1441284
  * kdb: fix incorrect counts in KDB summary command output
    - LP: #1441284
  * blk-throttle: check stats_cpu before reading it from sysfs
    - LP: #1441284
  * procfs: fix race between symlink removals and traversals
    - LP: #1441284
  * autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for
    allocation
    - LP: #1441284
  * pktgen: fix UDP checksum computation
    - LP: #1441284
  * ipv6: fix ipv6_cow_metrics for non DST_HOST case
    - LP: #1441284
  * clk-gate: fix bit # check in clk_register_gate()
    - LP: #1441284
  * ALSA: off by one bug in snd_riptide_joystick_probe()
    - LP: #1441284
  * ath5k: fix spontaneus AR5312 freezes
    - LP: #1441284
  * pinctrl: pinctrl-imx: don't use invalid value of conf_reg
    - LP: #1441284
  * ALSA: hda - Add one more node in the EAPD supporting candidate list
    - LP: #1436745, #1441284
  * ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec
    - LP: #1441284
  * drm/i915/bdw: PCI IDs ending in 0xb are ULT.
    - LP: #1441284
  * xfs: Fix quota type in quota structures when reusing quota file
    - LP: #1441284
  * gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one
    chip per node
    - LP: #1441284
  * gpio: tps65912: fix wrong container_of arguments
    - LP: #1441284
  * ALSA: pcm: Don't leave PREPARED state after draining
    - LP: #1441284
  * metag: Fix KSTK_EIP() and KSTK_ESP() macros
    - LP: #1441284
  * md/raid1: fix read balance when a drive is write-mostly.
    - LP: #1441284
  * drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh
    - LP: #1441284
  * drm/radeon: fix 1 RB harvest config setup for TN/RL
    - LP: #1441284
  * arm64: compat Fix siginfo_t -> compat_siginfo_t conversion on big
    endian
    - LP: #1441284
  * nilfs2: fix potential memory overrun on inode
    - LP: #1441284
  * HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events
    - LP: #1441284
  * Linux 3.13.11-ckt18
    - LP: #1441284
  * ipv6: Don't reduce hop limit for an interface
    - LP: #1441103
    - CVE-2015-2922
  * x86/microcode/intel: Guard against stack overflow in the loader
    - LP: #1438504
    - CVE-2015-2666
 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>   Tue, 14 Apr 2015 21:38:57 +0100

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1439441

Title:
  Kernel provides incomplete audit information when an existing
  monitored file is modified

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Utopic:
  Fix Released
Status in linux source package in Vivid:
  Fix Released

Bug description:
  [Impact]
  The audit system cannot identify the correct path of the monitored file.

  The trusty kernel and the utopic kernel both suffer from the bug.

  root@node-7:~# echo "lalala" >> /etc/testfile 
  "sudo tail -f /var/log/audit/audit.log" results in the following auditd entry: 
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL msg=audit(1421321904.615:60229): arch=c000003e syscall=2 success=yes exit=3 a0=1dcbd88 a1=441 a2=1b6 a3=7ffff3cc0458 items=3 ppid=49217 pid=49233 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=271 tty=pts13 comm="bash" exe="/bin/bash" key="system_configuration_change" 
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD msg=audit(1421321904.615:60229): cwd="/root" 
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=0 name="/etc/" inode=1572865 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT 
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=1 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL 
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=2 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL 
  <14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=EOE msg=audit(1421321904.615:60229): 
  The modified file is referenced only by its inode: 1582123

  With a non-buggy kernel (e.g. 3.2.0-72-generic) the output is:
  root@atlas:/tmp# echo "lalal" >> /etc/testfile 
  "sudo tail -f /var/log/audit/audit.log" produces the following output: 
  Jan 15 11:40:36 localhost audispd: node=atlas type=SYSCALL msg=audit(1421322036.194:6825): arch=c000003e syscall=2 success=yes exit=3 a0=24ac028 a1=441 a2=1b6 a3=7fff7ddaefe8 items=1 ppid=18562 pid=18570 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=410 comm="bash" exe="/bin/bash" key="system_configuration_change" 
  Jan 15 11:40:36 localhost audispd: node=atlas type=CWD msg=audit(1421322036.194:6825): cwd="/tmp" 
  Jan 15 11:40:36 localhost audispd: node=atlas type=PATH msg=audit(1421322036.194:6825): item=0 name="/etc/testfile" inode=159619 dev=fd:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 
  Jan 15 11:40:36 localhost audispd: node=atlas type=EOE msg=audit(1421322036.194:6825):

  [Fix]
  commit 4a92843601ad0f5067f441d2f0dca55bbe18c076
  Author: Paul Moore <pmoore@xxxxxxxxxx>
  Date:   Mon Dec 22 12:27:39 2014 -0500

      audit: correctly record file names with different path name types
      
      There is a problem with the audit system when multiple audit records
      are created for the same path, each with a different path name type.
      The root cause of the problem is in __audit_inode() when an exact
      match (both the path name and path name type) is not found for a
      path name record; the existing code creates a new path name record,
      but it never sets the path name in this record, leaving it NULL.
      This patch corrects this problem by assigning the path name to these
      newly created records.
      
      There are many ways to reproduce this problem, but one of the
      easiest is the following (assuming auditd is running):
      
        # mkdir /root/tmp/test
        # touch /root/tmp/test/567
        # auditctl -a always,exit -F dir=/root/tmp/test
        # touch /root/tmp/test/567
      
      Afterwards, or while the commands above are running, check the audit
      log and pay special attention to the PATH records.  A faulty kernel
      will display something like the following for the file creation:
      
        type=SYSCALL msg=audit(1416957442.025:93): arch=c000003e syscall=2
          success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
        type=CWD msg=audit(1416957442.025:93):  cwd="/root/tmp"
        type=PATH msg=audit(1416957442.025:93): item=0 name="test/"
          inode=401409 ... nametype=PARENT
        type=PATH msg=audit(1416957442.025:93): item=1 name=(null)
          inode=393804 ... nametype=NORMAL
        type=PATH msg=audit(1416957442.025:93): item=2 name=(null)
          inode=393804 ... nametype=NORMAL
      
      While a patched kernel will show the following:
      
        type=SYSCALL msg=audit(1416955786.566:89): arch=c000003e syscall=2
          success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
        type=CWD msg=audit(1416955786.566:89):  cwd="/root/tmp"
        type=PATH msg=audit(1416955786.566:89): item=0 name="test/"
          inode=401409 ... nametype=PARENT
        type=PATH msg=audit(1416955786.566:89): item=1 name="test/567"
          inode=393804 ... nametype=NORMAL
      
      This issue was brought up by a number of people, but special credit
      should go to hujianyang@xxxxxxxxxx for reporting the problem along
      with an explanation of the problem and a patch.  While the original
      patch did have some problems (see the archive link below), it did
      demonstrate the problem and helped kickstart the fix presented here.
      
        * https://lkml.org/lkml/2014/9/5/66
      
      Reported-by: hujianyang <hujianyang@xxxxxxxxxx>
      Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
      Acked-by: Richard Guy Briggs <rgb@xxxxxxxxxx>

  $ git describe --contains 4a92843601ad0f5067f441d2f0dca55bbe18c076
  v3.19-rc2~7^2~1

  [Test case]
  - Install any one of the kernels from 3.13 to 3.19-rc2
  - sudo apt-get install -y auditd
  - sudo vim /etc/audit/audit.rules
  -D
  -b 1024
  -w /etc/     -p wa -k system_configuration_change
  -w /usr/bin  -p wa -k system_binary_change
  -w /usr/sbin -p wa -k system_binary_change
  -w /bin/     -p wa -k system_binary_change
  -w /usr/bin/sudo   -F auid!=nova -F uid!=nova -F auid!=neutron -F uid!=neutron -F auid!=cinder -F uid!=cinder -F auid!=zabbix -F uid!=zabbix  -p x -k privilege_escalation
  -w /bin/su           -p x -k privilege_escalation
  -w /bin/mount -p x -k filesystem_modification
  -w /bin/umount -p x -k filesystem_modification
  -w /bin/chown -p x -k filesystem_modification
  -w /bin/chgrp -p x -k filesystem_modification
  -w /bin/chmod -p x -k filesystem_modification
  -w /var/log -p wra -F auid>10000 -F auid!=4294967295 -k system_logs_access
  -a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S clock_settime -k time-change_syscall
  -a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S clock_settime -k time-change_syscall
  -a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S chroot -S mount -S umount2 -k filesystem_modification_syscall
  -a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S chroot -S mount -S umount2 -k filesystem_modification_syscall
  -a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S kill -S tkill -S tgkill -k process_termination_syscall
  -a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S kill -S tkill -S tgkill -k process_termination_syscall
  -a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S sethostname -S setdomainname -k system-locale
  -a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S sethostname -S setdomainname -k system-locale
  -a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b64 -S execve -k audit_trail
  -a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b32 -S execve -k audit_trail

  - sudo vim /etc/audit/auditd.conf
  log_format = RAW
  priority_boost = 3
  disp_qos = lossless
  dispatcher = /sbin/audispd
  name_format = hostname
  space_left = 75
  space_left_action = SYSLOG
  action_mail_acct = root
  admin_space_left = 50
  admin_space_left_action = SYSLOG
  disk_full_action = SYSLOG
  disk_error_action = SYSLOG

  - sudo su
  - # echo "lalala" >>  /etc/testfile
  - Open another console: $ sudo tail -f /var/log/audit/audit.log
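
As an added example (not part of the bug report, the kernel patch or the auditd project): a small parser that groups audit records by event serial and flags events whose PATH records carry name=(null), the symptom shown in the report above and in the commit message's reproduction. It keeps the inode/dev pair, the PARENT directory and the cwd, which are all a buggy kernel leaves for locating the modified file. The sample lines are constructed from the records quoted on this page; the function names are my own.

```python
import os
import re

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Constructed sample: one event shaped like the faulty kernel's output quoted in
# the bug report, one shaped like the patched kernel's. Not a real capture.
SAMPLE_LOG = """\
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL msg=audit(1421321904.615:60229): arch=c000003e syscall=2 success=yes exit=3 items=3 pid=49233 auid=0 uid=0 comm="bash" exe="/bin/bash" key="system_configuration_change"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD msg=audit(1421321904.615:60229): cwd="/root"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=0 name="/etc/" inode=1572865 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=1 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=2 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=EOE msg=audit(1421321904.615:60229):
type=SYSCALL msg=audit(1416955786.566:89): arch=c000003e syscall=2 success=yes exit=3 items=2 pid=1234 auid=0 uid=0 comm="touch" exe="/usr/bin/touch"
type=PATH msg=audit(1416955786.566:89): item=0 name="test/" inode=401409 dev=08:03 mode=040755 nametype=PARENT
type=PATH msg=audit(1416955786.566:89): item=1 name="test/567" inode=393804 dev=08:03 mode=0100644 nametype=NORMAL
"""

def parse_record(line):
    """Parse one audit record (raw or audispd/syslog-prefixed) into a dict;
    the literal (null) the kernel emits for an unset path name becomes None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {'event': m.group(2), 'time': m.group(1)}
    for key, val in FIELD_RE.findall(line):
        if key == 'msg':
            continue
        rec[key] = None if val == '(null)' else val.strip('"')
    return rec

def group_events(lines):
    """Group records by audit serial number, in first-seen order."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec:
            events.setdefault(rec['event'], []).append(rec)
    return events

def find_unnamed_paths(lines):
    """One finding per event holding a PATH record with name=(null); keeps the
    inode/dev, PARENT directory and cwd that still identify the file."""
    findings = []
    for event, recs in group_events(lines).items():
        paths = [r for r in recs if r.get('type') == 'PATH']
        unnamed = [r for r in paths if r.get('name') is None]
        if not unnamed:
            continue
        sc = next((r for r in recs if r.get('type') == 'SYSCALL'), {})
        cwd = next((r.get('cwd') for r in recs if r.get('type') == 'CWD'), None)
        parent = next((r['name'] for r in paths if r.get('nametype') == 'PARENT'), None)
        inodes = sorted({(r.get('dev'), r.get('inode')) for r in unnamed})
        findings.append({
            'event': event, 'syscall': sc.get('syscall'), 'exe': sc.get('exe'),
            'key': sc.get('key'), 'cwd': cwd, 'parent': parent, 'inodes': inodes,
            # The faulty kernel also emits the same NORMAL record twice.
            'duplicate_records': len(unnamed) > len(inodes),
        })
    return findings

def locate_hint(finding):
    """Command an analyst can run on the host to recover the path from the
    inode, scoped to the PARENT directory (resolved against the event's cwd)."""
    base = os.path.join(finding['cwd'] or '/', finding['parent'] or '')
    dev, inode = finding['inodes'][0]
    return 'find %s -xdev -inum %s   # dev %s' % (base, inode, dev)
```

Run it over `/var/log/audit/audit.log` line by line; any finding means the host is logging incomplete PATH records and should be checked against the fixed kernel versions listed in the changelog above.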


