From: Steve Grubb <sgrubb@redhat.com>
To: Samuel Bahr <sbahr@pinterest.com>
Cc: linux-audit@redhat.com
Subject: Re: Cannot disable kernel's audit system via auditctl
Date: Tue, 25 Jul 2023 13:05:51 -0400
Message-ID: <2241383.iZASKD2KPV@x2>
In-Reply-To: <CAG0SdGBHnFLf=DDMwvyYyctfq3YcA3RUzuEibMdDbxTCuwFxZA@mail.gmail.com>
On Monday, July 24, 2023 5:06:02 PM EDT Samuel Bahr wrote:
> `auditctl -D` does not make it go away (outputs `No rules`). auditd isn't
> running at all and this behavior is happening purely from the kernel. These
> systems were never set to enabled 2 (locked).
>
> I went ahead and filed a GitHub issue for this thread:
> https://github.com/linux-audit/audit-kernel/issues/146
>
> The maintainer there suggested it's too difficult to debug due to eBPF
> programs + AWS's modified kernel.

I think there is data that could help decide where the problem might be. On
one of the systems that is still logging, try running an event type report:

    aureport --start yesterday --event --summary -i

This should identify what kind of event is being emitted. Based on that, it
might point to where the problem is.

> I've resigned to asking Red Canary to support eBPF mode with `audit=0`
> kernel parameter in their Linux EDR. Let me know if you have any other
> ideas.

I'd say collecting summary information about what kind of events are being
logged would be a good start.

-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
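The aureport invocation above counts audit records by type, which is what narrows down who is generating them. The script below is an added example (not from this thread, and not part of the audit project) that does the same tally over raw record text, so it also works on the `kernel: audit: type=NNNN audit(...)` lines the kernel prints to dmesg/journalctl when no auditd is running to receive them, as well as on audit.log lines. The sample records are constructed for the example, the `since` argument is the script's own stand-in for `--start`, and the type-name table is a hand-picked subset of the ids in the kernel's include/uapi/linux/audit.h.

```python
"""Tally audit records by type, aureport --event --summary style, from raw text.

Added example for the linux-audit thread above; not the audit project's code.
Input can be `journalctl -k` / `dmesg` output (kernel printk form) or audit.log
(auditd form). Nothing here needs auditd or root.
"""
import re
import sys
from collections import Counter

# Subset of record type ids from include/uapi/linux/audit.h (hand-picked).
AUDIT_TYPE_NAMES = {
    1006: "LOGIN", 1100: "USER_AUTH", 1101: "USER_ACCT", 1103: "CRED_ACQ",
    1105: "USER_START", 1106: "USER_END", 1112: "USER_LOGIN",
    1130: "SERVICE_START", 1131: "SERVICE_STOP", 1200: "DAEMON_START",
    1300: "SYSCALL", 1302: "PATH", 1305: "CONFIG_CHANGE", 1307: "CWD",
    1309: "EXECVE", 1326: "SECCOMP", 1327: "PROCTITLE", 1334: "BPF",
    1400: "AVC",
}

# Matches the kernel printk form "type=1400 audit(ts:serial):" and the auditd
# log form "type=AVC msg=audit(ts:serial):". Group 1 is the type (numeric or
# symbolic), group 2 the epoch seconds, group 3 the event serial number.
RECORD_RE = re.compile(r"type=(\w+)\s+(?:msg=)?audit\((\d+)\.\d+:(\d+)\)")

# Constructed sample input mimicking journalctl -k and audit.log lines.
SAMPLE_LINES = [
    "kernel: audit: type=1334 audit(1690300000.101:2001): prog-id=42 op=LOAD",
    "kernel: audit: type=1300 audit(1690300000.102:2002): arch=c000003e syscall=59 success=yes exit=0",
    'kernel: audit: type=1309 audit(1690300000.102:2002): argc=2 a0="ls" a1="-l"',
    "kernel: audit: type=1327 audit(1690300000.102:2002): proctitle=6C73002D6C",
    "kernel: audit: type=1400 audit(1690300000.200:2003): avc:  denied  { read } for  pid=1234",
    "type=SYSCALL msg=audit(1690299000.500:1999): arch=c000003e syscall=2 success=yes exit=3",
    'type=PROCTITLE msg=audit(1690299000.500:1999): proctitle="bash"',
    "kernel: some unrelated kernel message",
]


def type_name(raw):
    """Map a numeric type id to its name (aureport -i); keep symbolic names as-is."""
    if raw.isdigit():
        n = int(raw)
        return AUDIT_TYPE_NAMES.get(n, f"UNKNOWN[{n}]")
    return raw


def summarize(lines, since=None):
    """Count records per type and distinct events (serials) at or after `since`.

    `since` is epoch seconds; None means no time filter. Lines that do not carry
    an audit record are counted in `skipped` so a wrong input file is obvious.
    """
    records = Counter()
    events = set()
    skipped = 0
    for line in lines:
        m = RECORD_RE.search(line)
        if m is None:
            skipped += 1
            continue
        raw_type, ts, serial = m.group(1), int(m.group(2)), int(m.group(3))
        if since is not None and ts < since:
            continue
        records[type_name(raw_type)] += 1
        events.add(serial)
    return {"records": records, "events": len(events), "skipped": skipped}


def report(summary):
    """Render rows as 'count  TYPE', most frequent first, ties alphabetical."""
    rows = sorted(summary["records"].items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{count}  {name}" for name, count in rows]


if __name__ == "__main__":
    # Usage: journalctl -k --no-pager | python3 audit_summary.py
    # With no stdin data, fall back to the constructed sample.
    src = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LINES
    s = summarize(src)
    print(f"{s['events']} events, {sum(s['records'].values())} records, "
          f"{s['skipped']} non-audit lines")
    print("\n".join(report(s)))
```

If the only records that keep appearing are of one or two types (for example SYSCALL/PROCTITLE groups sharing a serial, or a single non-syscall type), that is the clue Steve is asking for: the type tells you which subsystem is emitting them, and which rules or loaded programs to look at next.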
Thread overview (5+ messages):
2023-06-29 22:34 Cannot disable kernel's audit system via auditctl  Samuel Bahr
2023-07-24  0:17 ` Steve Grubb
2023-07-24 21:06 ` Samuel Bahr
2023-07-25 17:05 ` Steve Grubb [this message]
2023-07-25 20:59 ` Samuel Bahr