slackhq / go-audit

go-audit is an alternative to the auditd daemon that ships with many distros


extras.go does not support disabled container auditing

gemotephone opened this issue · comments

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Using the provided go-audit.yaml.example prevents the go-audit service from starting. To resolve the issue, you can edit the example configuration file to enable container monitoring.

Reproducible in:

go-audit version:
latest git clone at 42f8f96

OS version(s):
Ubuntu 18.04.4 LTS

Steps to reproduce:

  1. Clone latest version of repo, follow instructions to build (used go version go1.13.7 linux/amd64)
  2. Copy go-audit.yaml.example to go-audit.yaml. Run generated binary with `sudo ./go-audit -config go-audit.yaml` or as root with `./go-audit -config go-audit.yaml`

```yaml
extras:
  containers:
    enabled: false
    # if enabled, make requests to the local docker daemon for extra container details
    docker: false
    docker_api_version: 1.24
    # number of pid -> container_id mappings to cache (0 means disable cache)
    pid_cache: 0
    # number of container_id -> docker_details to cache (0 means disable cache)
    docker_cache: 0
```

  3. Optionally, and for this test, I modified extras.go to print more debug information. The steps can be reproduced without this modification.

```go
 4  import "fmt"
.....
30  func (ps ExtraParsers) Parse(am *AuditMessage) {
31          for _, p := range ps {
32                  fmt.Printf("%#v, %#v", p, ps)
33                  p.Parse(am)
34          }
35  }
```

  4. Observe errors in console
  5. Edit the configuration file to set values to true

```yaml
extras:
  containers:
    enabled: true
    # if enabled, make requests to the local docker daemon for extra container details
    docker: true
    docker_api_version: 1.24
    # number of pid -> container_id mappings to cache (0 means disable cache)
    pid_cache: 0
    # number of container_id -> docker_details to cache (0 means disable cache)
    docker_cache: 0
```

  6. Restart service and observe successful event auditing.

```
$ sudo ./go-audit -config examples/go-audit/go-audit2.yaml
Flushed existing audit rules
Added audit rule #1
Added audit rule #2
Added audit rule #3
Ignoring syscall `49` containing message type `1306` matching string `saddr=(10..|0A..)`
Socket receive buffer size: 32768
ContainerParser enabled (docker=true pid_cache=0 docker_cache=0)
Started processing events in the range [1300, 1399]
{"sequence":23099,"timestamp":"1580767369.656","messages":[{"type":1305,"data":"audit_pid=2067 old=0 auid=1000 ses=3 res=1"}],"uid_map":{"1000":"computer"}}
```

Expected result:

Without modifications to the example file, service starts, begins collecting audit data. This should also support instances where Docker is not installed on a host.

Actual result:

```
[remotephone@computer:~/gits/work/go-audit]
$ sudo ./go-audit -config go-audit.yaml
Flushed existing audit rules
Added audit rule #1
Added audit rule #2
Added audit rule #3
Ignoring syscall `49` containing message type `1306` matching string `saddr=(10..|0A..)`
Socket receive buffer size: 32768
Started processing events in the range [1300, 1399]
<nil>, main.ExtraParsers{main.ExtraParser(nil)}panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x94e708]

goroutine 1 [running]:
main.ExtraParsers.Parse(0xc00030cc40, 0x1, 0x1, 0xc000292ec0)
        /home/remotephone/gits/work/go-audit/extras.go:33 +0x148
main.(*AuditMarshaller).Consume(0xc000225e60, 0xc000317050)
        /home/remotephone/gits/work/go-audit/marshaller.go:97 +0xf9
main.main()
        /home/remotephone/gits/work/go-audit/audit.go:420 +0x674
```

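The debug print in the trace above (`main.ExtraParsers{main.ExtraParser(nil)}`) shows the failure mode: with `extras.containers.enabled: false` the parser list still holds one element, and that element is a nil interface, so `p.Parse(am)` dereferences nil and the daemon dies on its first event. The program below is an added example illustrating that pattern and a hardened version of it; it is not go-audit's own code and not the change in PR #70. The `AuditMessage`, `ContainerParser`, `Config`, `newContainerParser` and `isNilParser` names are assumed stand-ins, and the container id it writes is a constructed value. It goes slightly beyond the report by also catching the typed-nil case (an interface wrapping a nil pointer), which a plain `p == nil` check does not detect.

```go
package main

import (
	"fmt"
	"reflect"
)

// AuditMessage is a stand-in for go-audit's message type; only the fields this
// example needs are modelled (assumed shape, not the project's definition).
type AuditMessage struct {
	Type  uint16
	Data  string
	Extra map[string]string
}

func NewAuditMessage(typ uint16, data string) *AuditMessage {
	return &AuditMessage{Type: typ, Data: data, Extra: map[string]string{}}
}

// ExtraParser and ExtraParsers mirror the names seen in the stack trace.
type ExtraParser interface {
	Parse(am *AuditMessage)
}

type ExtraParsers []ExtraParser

// ContainerParser is a hypothetical enrichment step that tags a message with a
// container id. The id written here is a constructed value.
type ContainerParser struct{}

func (c *ContainerParser) Parse(am *AuditMessage) {
	am.Extra["container_id"] = "constructed-c0ffee"
}

// Config mirrors the extras.containers.enabled key from go-audit.yaml.
type Config struct {
	ContainersEnabled bool
}

// newContainerParser returns nil when the feature is disabled. That is a
// common constructor convention and the root of the crash below.
func newContainerParser(cfg Config) ExtraParser {
	if !cfg.ContainersEnabled {
		return nil
	}
	return &ContainerParser{}
}

// buildParsersNaive appends the constructor result unconditionally, so a
// disabled feature leaves a nil element in the slice: ExtraParsers{nil}.
func buildParsersNaive(cfg Config) ExtraParsers {
	return ExtraParsers{newContainerParser(cfg)}
}

// parseUnchecked is the crashing loop pattern: no nil check before the call.
// The deferred recover converts the panic into an error so the failure can be
// observed in a test instead of killing the process.
func parseUnchecked(ps ExtraParsers, am *AuditMessage) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("parser panicked: %v", r)
		}
	}()
	for _, p := range ps {
		p.Parse(am) // nil interface -> invalid memory address / nil pointer dereference
	}
	return nil
}

// isNilParser is true for an untyped nil interface and also for an interface
// wrapping a nil pointer (typed nil), which `p == nil` alone would miss.
func isNilParser(p ExtraParser) bool {
	if p == nil {
		return true
	}
	v := reflect.ValueOf(p)
	return v.Kind() == reflect.Ptr && v.IsNil()
}

// BuildParsers is the hardened constructor: disabled features are simply not
// added, so the slice never carries a nil entry.
func BuildParsers(cfg Config) ExtraParsers {
	var ps ExtraParsers
	for _, p := range []ExtraParser{newContainerParser(cfg)} {
		if !isNilParser(p) {
			ps = append(ps, p)
		}
	}
	return ps
}

// Parse is the hardened loop: it also skips nil entries defensively, so a
// config path BuildParsers did not anticipate still cannot crash the daemon.
func (ps ExtraParsers) Parse(am *AuditMessage) {
	for _, p := range ps {
		if isNilParser(p) {
			continue
		}
		p.Parse(am)
	}
}

func main() {
	am := NewAuditMessage(1305, "audit_pid=2067 old=0 auid=1000 ses=3 res=1")
	disabled := Config{ContainersEnabled: false}
	fmt.Println("naive loop:", parseUnchecked(buildParsersNaive(disabled), am))
	BuildParsers(disabled).Parse(am)
	fmt.Println("hardened, containers disabled:", am.Extra)
	BuildParsers(Config{ContainersEnabled: true}).Parse(am)
	fmt.Println("hardened, containers enabled:", am.Extra)
}
```

Running it prints the recovered panic for the naive loop, an empty `Extra` map for the hardened path with containers disabled (the parser list is simply empty), and the constructed container id once the feature is enabled. Filtering at construction time is the cleaner fix; the nil check inside `Parse` is defence in depth for any future parser whose constructor adopts the same return-nil-when-disabled convention.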

Thanks for the report! I have prepared a fix with PR #70 if you want to test it out.

I merged #70, can you re-test and report back if you are still having issues? Thanks!

Hi @wadey, I was able to test just a bit ago and things look good. Really appreciate the quick response and turnaround on this fix.