slackhq / go-audit

go-audit is an alternative to the auditd daemon that ships with many distros


go-audit on ubuntu sending an "event" every 5 seconds with no related audit rule

jamiesonbc opened this issue · comments

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Compiled on both Ubuntu and Red Hat. When running on Red Hat, nothing is logged until an event happens, which is expected. On Ubuntu, using the same exact yaml file, the following entry is generated every 5 seconds (example of two messages):
[root@ld4643 tmp]# nc -u -l 514 | tee audit.out
<129>2016-12-19T14:34:43-05:00 ld4645 audit-thing[6000]: {"sequence":10672,"timestamp":"1482176078.578","messages":[{"type":1305,"data":"audit_pid=6000 old=6000 auid=1000 ses=497 res=1"}],"uid_map":{"1000":"ubuntu"}}
<129>2016-12-19T14:34:48-05:00 ld4645 audit-thing[6000]: {"sequence":10673,"timestamp":"1482176083.578","messages":[{"type":1305,"data":"audit_pid=6000 old=6000 auid=1000 ses=497 res=1"}],"uid_map":{"1000":"ubuntu"}}

Reproducible in:

go-audit version:

OS version(s):
root@ld4645:/home/bxj6191# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial

[root@ld4643 tmp]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)

Steps to reproduce:

The following rules were added to the YAML file
-w /tmp/bxj6191/ -p wa -k selinux_changes
-w /tmp/bxj6191/test_audit -p x -k module_insertion

  1. start nc on other server
  2. start go-audit on ubuntu
  3. messages start appearing in the log

Expected result:

no entries added to log until rule is applicable

Actual result:

entry added every 5 seconds

[root@ld4643 tmp]# nc -u -l 514 | tee audit.out
<129>2016-12-19T14:34:43-05:00 ld4645 audit-thing[6000]: {"sequence":10672,"timestamp":"1482176078.578","messages":[{"type":1305,"data":"audit_pid=6000 old=6000 auid=1000 ses=497 res=1"}],"uid_map":{"1000":"ubuntu"}}
<129>2016-12-19T14:34:48-05:00 ld4645 audit-thing[6000]: {"sequence":10673,"timestamp":"1482176083.578","messages":[{"type":1305,"data":"audit_pid=6000 old=6000 auid=1000 ses=497 res=1"}],"uid_map":{"1000":"ubuntu"}}

Attachments:

e.g. Logs, screenshots, screencast, sample project, funny gif, etc.

root@ld4645:/home/bxj6191# export GOROOT=/home/bxj6191/go/
root@ld4645:/home/bxj6191# go version
go version go1.7 linux/amd64

root@ld4645:/home/bxj6191# govendor -version
v1.0.8

This is expected, basically go-audit is ensuring that it still holds the netlink socket to talk to kernel audit. This isn't a requirement on newer kernels, but on Ubuntu 14.04 (kernel v3.13) there can be only one process talking to that netlink socket and there is no way of knowing that something took the connection away from go-audit.

If you don't want to see them you can add a filter rule; this should work, but I haven't tested it.

filters:
  - syscall: 0
    message_type: 1305
    regex: .*

Added the filter, but they are still coming in. While we probably won't be using this version of Ubuntu, it would be nice to see the filter actually work.


If you rebuild against master and use this filter, you won't see the 1305 messages anymore.

filters:
  - syscall: ""
    message_type: 1305
    regex: .*

Thank you, that fixed it.

This doesn't work any more in the latest master in 2018.

audit.go line 299:

if af.syscall == "" {
	return filters, fmt.Errorf("Filter %d is missing the syscall entry", i+1)
}

How can I skip message_type 1305? My audit logs are overwhelmingly full of it.
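As an added example, not code from the go-audit project or from anyone in this thread: a small Go post-processing filter for go-audit's output that drops only the periodic 1305 keep-alive events (the ones where audit_pid equals old, as in the lines above) and forwards everything else, including a 1305 record where the audit pid actually changes, which a defender wants to keep. It assumes the JSON shape shown in the thread's output and nothing about go-audit's internal filter implementation.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Event declares only the fields of go-audit's JSON output this filter needs.
type Event struct {
	Messages []struct {
		Type int    `json:"type"`
		Data string `json:"data"`
	} `json:"messages"`
}

// fields splits an audit record's "key=value key=value ..." data string.
func fields(data string) map[string]string {
	m := map[string]string{}
	for _, f := range strings.Fields(data) {
		if i := strings.IndexByte(f, '='); i > 0 {
			m[f[:i]] = f[i+1:]
		}
	}
	return m
}

// IsKeepAlive is true only when every record is a 1305 (AUDIT_CONFIG_CHANGE) that
// re-asserts the current audit_pid (audit_pid == old): the periodic socket check from
// the thread. A 1305 whose pid actually changes, or any other type, is a real event.
func IsKeepAlive(ev Event) bool {
	for _, msg := range ev.Messages {
		f := fields(msg.Data)
		if msg.Type != 1305 || f["audit_pid"] == "" || f["audit_pid"] != f["old"] {
			return false
		}
	}
	return len(ev.Messages) > 0
}

// KeepLine parses one go-audit line (any syslog prefix before the JSON is skipped); unparseable lines are kept.
func KeepLine(line string) (bool, error) {
	if i := strings.IndexByte(line, '{'); i > 0 {
		line = line[i:]
	}
	var ev Event
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return true, err
	}
	return !IsKeepAlive(ev), nil
}
```

Run it over the syslog stream captured by nc (one JSON event per line) and forward only the lines for which KeepLine returns true.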