Giters

slackhq / go-audit

go-audit is an alternative to the auditd daemon that ships with many distros

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

"type":1305 AUDIT_CONFIG_CHANGE log noise

rohanc opened this issue · comments

commented
  • [x ] I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • [x ] I've read and agree to the Code of Conduct.
  • [x ] I've searched for any related issues and avoided creating a duplicate issue.

Description

When I run go-audit it logs AUDIT_CONFIG_CHANGE messages every few seconds. Any idea why this is happening? I don't see this when running ordinary auditd.

Reproducible in:

go-audit version: dev+20200629015509
I also tried with version 1.00 and got the same result.
OS version(s): Ubuntu 20.04 LTS
kernel 5.4.0-39-generic
go v1.13.8

Steps to reproduce:

  1. go-audit /etc/example.yaml
    example.yaml is an umodified copy of go-audit.yaml.example

Expected result:

e.g. What you expected to happen

No AUDIT_CONFIG_CHANGE messages.
A similar volume of messages as when I run auditd with the same rules.

Actual result:

{"sequence":904,"timestamp":"1593402441.566","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
{"sequence":905,"timestamp":"1593402446.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
{"sequence":906,"timestamp":"1593402451.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}

commented

It is caused by this bit of code meant to keep ownership of the netlink socket in the event someone or something else tries to take it https://github.com/slackhq/go-audit/blob/master/client.go#L138

You can filter it out via the config https://github.com/slackhq/go-audit/blob/master/examples/go-audit/go-audit.yaml#L37

filters:
  - message_type: 1305
    regex: .*
commented

Thanks, I've enabled the filter, but I'm wondering if there is an unnecessary performance impact by having this safety mechanism trigger every few seconds? I gather normal auditd manages without it.

I'm also wondering if the filter would prevent logging about actual changes to audit configuration via the audictl command, so perhaps an option to disable this 'keep ownership' code would be helpful?

If you feel it's important to retain then adding the filter to go-audit.yaml.example would at least help users understand what's going on.