Ubuntu 16.10 auditd possible incompatibility
wuurrd opened this issue
- I've read and understood the Contributing guidelines and have done my best effort to follow them.
- I've read and agree to the Code of Conduct.
- I've searched for any related issues and avoided creating a duplicate issue.
Description
When attempting to build and run go-audit I find that no messages are received on ubuntu 16.10. auditctl -l shows the rules being there, but all messages that come in have Seq==0, and they seem to be responses to the config change heartbeat. (used the examples/go-audit/go-audit.yaml but modified to get output to stdout)
Reproducible in:
go-audit version: 2cd7fc8
OS version(s): Ubuntu server 16.10
Expected result:
We should get messages for the hooked syscalls.
Actual result:
No messages are received
Try disabling auditd with sudo systemctl stop auditd.service
Feel free to re-open this issue if it is still valid.
This step of running sudo systemctl stop auditd.service should be better documented.
Do we know why go-audit doesn't work with auditd now?
The reason they don't play well together is that go-audit and auditd use a netlink socket to receive audit events from the kernel; only one process can own that socket at a time.
Was there any change on audit netlink? both go-audit and auditd seem working fine together on my vm with older version of linux.
Nope, go-audit and auditd are likely fighting each other on the socket in your case. Enable https://github.com/slackhq/go-audit/blob/master/go-audit.yaml.example#L18 and you should see the missed message log lines.
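An added example (not go-audit's code, nor from anyone in this thread) that makes the single-owner diagnosis above checkable before starting go-audit: it sends AUDIT_GET over NETLINK_AUDIT and reads back which pid the kernel currently has registered as the audit daemon, so a running auditd shows up as a foreign owner. Assumes Linux on a little-endian host, CAP_AUDIT_CONTROL (root), and the struct audit_status layout from <linux/audit.h>.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"syscall"
)
// Values from <linux/audit.h> and <linux/netlink.h>; le assumes a little-endian host (x86-64).
const auditGet, nlmsgError, nlmsgHdrLen, auditStatusLen = 1000, 2, 16, 32
var le = binary.LittleEndian
// AuditStatus: struct audit_status fields used here; Pid is the registered audit daemon (0 = none).
type AuditStatus struct{ Enabled, Pid, Lost uint32 }
// ParseAuditStatus decodes one AUDIT_GET reply: struct nlmsghdr followed by struct audit_status.
func ParseAuditStatus(msg []byte) (AuditStatus, error) {
	if len(msg) >= nlmsgHdrLen+4 && le.Uint16(msg[4:6]) == nlmsgError { // nlmsgerr starts with -errno
		return AuditStatus{}, fmt.Errorf("kernel refused AUDIT_GET: errno %d", -int32(le.Uint32(msg[16:20])))
	}
	if len(msg) < nlmsgHdrLen+auditStatusLen || le.Uint16(msg[4:6]) != auditGet {
		return AuditStatus{}, fmt.Errorf("unexpected reply (%d bytes)", len(msg))
	}
	// __u32 payload fields: mask, enabled, failure, pid, rate_limit, backlog_limit, lost, backlog
	return AuditStatus{Enabled: le.Uint32(msg[20:24]), Pid: le.Uint32(msg[28:32]), Lost: le.Uint32(msg[40:44])}, nil
}
// OwnedByOther reports whether a process other than self (e.g. auditd) already owns the audit socket.
func OwnedByOther(s AuditStatus, self uint32) bool { return s.Pid != 0 && s.Pid != self }
// QueryStatus sends a header-only AUDIT_GET over NETLINK_AUDIT and parses the reply (needs root).
func QueryStatus() (AuditStatus, error) {
	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_AUDIT)
	if err != nil {
		return AuditStatus{}, err
	}
	defer syscall.Close(fd)
	req := make([]byte, nlmsgHdrLen)              // header only: AUDIT_GET carries no payload
	le.PutUint32(req[0:4], nlmsgHdrLen)           // nlmsg_len
	le.PutUint16(req[4:6], auditGet)              // nlmsg_type
	le.PutUint16(req[6:8], syscall.NLM_F_REQUEST) // nlmsg_flags
	le.PutUint32(req[8:12], 1)                    // nlmsg_seq, echoed in the reply
	buf, n := make([]byte, 8192), 0
	if err = syscall.Sendto(fd, req, 0, &syscall.SockaddrNetlink{Family: syscall.AF_NETLINK}); err == nil {
		n, _, err = syscall.Recvfrom(fd, buf, 0)
	}
	if err != nil {
		return AuditStatus{}, err
	}
	return ParseAuditStatus(buf[:n])
}
func main() { // prints the kernel's view of who owns the audit socket; run as root
	s, err := QueryStatus()
	fmt.Printf("status=%+v err=%v owned_by_other=%v\n", s, err, OwnedByOther(s, uint32(syscall.Getpid())))
}
```

A non-zero registered pid that is not go-audit's own means events are being delivered to that other process, which is the symptom reported at the top of this issue.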
Got it. Thanks.