From: Steve Grubb <sgrubb@redhat.com>
To: Brad Zynda <bradley.v.zynda@nasa.gov>
Cc: linux-audit@redhat.com
Subject: Re: Systemd Journald and audit logging causing journal issues
Date: Tue, 17 Oct 2017 12:25:55 -0400 [thread overview]
Message-ID: <3043788.HjMLctvUJC@x2> (raw)
In-Reply-To: <eb85c124-3995-eaa7-ed3b-d12bf630ff15@nasa.gov>
On Tuesday, October 17, 2017 11:40:12 AM EDT Brad Zynda wrote:
> Hey Steve,
>
> No problem you guys are busy with updates..
>
> So I kind of stepped into a known issue with a current disagreement
> between the 2 maintainers?
Its not a disagreement. Its systemd wants to do everything. Its a crond/
xinetd/syslogd/auditd/core dump collector/udev/login service/fstab/fs
automounter/container manager/file system monitor/resource manager/daemon
watchdog and oh by the way, it does init.
> what can be done to resolve this going
> forward as it is killing services in production environments?
End users have to take the situation into their own hands. There are
configuration knobs for a reason. More info here:
https://bugzilla.redhat.com/show_bug.cgi?id=1227379
> I agree with the need not to remove auditing as this is a slippery slope
> and should not occur but the decision was based on little documentation
> in regards to the problem and loss of service, I will look at further
> checking in hopes to find the specific rule. Though I think the latter
> to fix the issue is the appropriate avenue.
Figuring out which rule is triggering is the best solution. It may turn out
you just have a busy system. But most of the time its a bad rule.
> The rules have been put in place across many organizations that check
> with tools like CIS-CAT and OSCAP, so a lot of rules and a point of
> possible single failure.
They make mistakes, too.
> In regards to the audit.socket what is the expected outcome of masking
> this service?
The expected outcome is that journald stops getting audit records. It doesn't
solve the problem of why you are getting so many events. Fixing the rule does
that.
-Steve
> On 10/17/2017 11:25 AM, Steve Grubb wrote:
> > Hello,
> >
> > I apologize for the late reply...just found the message.
> >
> > On Monday, October 2, 2017 1:30:19 PM EDT Brad Zynda wrote:
> >> I am sending along an issue brought to the systemd-journald dev list
> >> initially:
> >>
> >> On 10/02/2017 11:40 AM, Lennart Poettering wrote:
> >>> On Mo, 02.10.17 11:25, Brad Zynda (bradley.v.zynda@nasa.gov) wrote:
> >>>> Sep 28 13:50:03 server systemd-journal[565]: Suppressed 73244 messages
> >>>> from /system.slice/auditd.service
> >>>
> >>> The question is: why does auditd even log to the journal?
> >
> > It doesn't. I have had many arguments with the systemd people about
> > polluting syslog with audit events. If we wanted audit events there, we
> > would have wrote them there. The journal is listening on a multicast
> > audit socket that was created just for them and using a posix capability
> > that was created just for them. And journal also turns on auditing even
> > if you didn't want it. In short, they have, with intention, created your
> > problem.
> >
> >>>> Now we are required to have full audit rules and does this look like at
> >>>> rate limiting issue or an issue of journal not able to handle the
> >>>> traffic to logging?
> >>>
> >>> journald detected that it got flooded with too many messages in too
> >>> short a time from auditd. if this happens then something is almost
> >>> certainly off with auditd, as auditd is not supposed to flood journald
> >>> with messages, after all it maintains its own auditing log database.
> >
> > No...that's the way it works. If you want the audit stream, you have to be
> > able to handle it. My suggestion is that we have a separation of duties.
> > Auditd has audit events, journal has syslog. Besides, mixing audit and
> > syslog data means the security officer and system admin roles have been
> > combined. I think there is an audit.socket unit file that can be masked.
> >
> >>> Please ping the auditd folks for help
> >
> > They created the problem of audit events in syslog. That said, its been my
> > experience that whenever you get lots of events, there may be something
> > wrong with your rules.
> >
> > The normal technique to figure out what wrong is to run aureport --summary
> > --key during the time range of the flood to see what rule is triggering.
> > Then we can look at that rule to see if there's something wrong with it.
> >
> > More below...
> >
> >> Hey Everyone,
> >>
> >> Not sure if this is a bug so:
> >>
> >> systemctl status -l systemd-journald.service
> >> ● systemd-journald.service - Journal Service
> >>
> >> Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service;
> >>
> >> static; vendor preset: disabled)
> >>
> >> Active: active (running) since Tue 2017-09-26 20:01:16 UTC; 5 days ago
> >>
> >> Docs: man:systemd-journald.service(8)
> >>
> >> man:journald.conf(5)
> >>
> >> Main PID: 565 (systemd-journal)
> >>
> >> Status: "Processing requests..."
> >> CGroup: /system.slice/systemd-journald.service
> >>
> >> └─565 /usr/lib/systemd/systemd-journald
> >>
> >> Sep 28 13:50:03 server systemd-journal[565]: Suppressed 73244 messages
> >> from /system.slice/auditd.service
> >> Sep 28 13:51:03 server systemd-journal[565]: Suppressed 98979 messages
> >> from /system.slice/auditd.service
> >> Sep 28 13:52:03 server systemd-journal[565]: Suppressed 109433 messages
> >> from /system.slice/auditd.service
> >> Sep 28 13:53:03 server systemd-journal[565]: Suppressed 99788 messages
> >> from /system.slice/auditd.service
> >> Sep 28 13:54:03 server systemd-journal[565]: Suppressed 111605 messages
> >> from /system.slice/auditd.service
> >> Sep 28 13:55:03 server systemd-journal[565]: Suppressed 111591 messages
> >> from /system.slice/auditd.service
> >> Sep 28 13:56:03 server systemd-journal[565]: Suppressed 107947 messages
> >> from /system.slice/auditd.service
> >> Sep 28 13:57:51 server systemd-journal[565]: Suppressed 32760 messages
> >> from /system.slice/auditd.service
> >> Sep 28 17:21:40 server systemd-journal[565]: Suppressed 210 messages
> >> from /system.slice/auditd.service
> >> Oct 01 02:16:01 server systemd-journal[565]: Suppressed 1333 messages
> >> from /system.slice/auditd.service
> >>
> >> journalctl --verify
> >> PASS: /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system.journal
> >> PASS:
> >> /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system@0d49221d68d04ef0
> >> b95 d8203c5e96a46-000000000097f6c7-0005596b745b4d1c.journal PASS:
> >> /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system@0d49221d68d04ef0
> >> b95 d8203c5e96a46-000000000096a587-00055966f35ae59a.journal PASS:
> >> /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system@0d49221d68d04ef0
> >> b95 d8203c5e96a46-00000000009554f1-000559629c4cdb7e.journal PASS:
> >> /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system@0d49221d68d04ef0
> >> b95 d8203c5e96a46-0000000000940591-0005595e1811a2d1.journal PASS:
> >> /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system@0d49221d68d04ef0
> >> b95 d8203c5e96a46-000000000092b500-00055959f2de5ede.journal PASS:
> >> /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system@0d49221d68d04ef0
> >> b95 d8203c5e96a46-0000000000916479-0005595573137b74.journal PASS:
> >> /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system@0d49221d68d04ef0
> >> b95 d8203c5e96a46-0000000000901337-00055950d80cc3d8.journal PASS:
> >> /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system@0d49221d68d04ef0
> >> b95 d8203c5e96a46-00000000008ec2fb-0005594cad14b07a.journal PASS:
> >> /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system@0d49221d68d04ef0
> >> b95 d8203c5e96a46-00000000008d7373-0005594838683e58.journal PASS:
> >> /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system@0d49221d68d04ef0
> >> b95 d8203c5e96a46-00000000008c238e-00055943fe2072e3.journal PASS:
> >> /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system@0d49221d68d04ef0
> >> b95 d8203c5e96a46-00000000008ad1d9-0005593ff64a4f69.journal PASS:
> >> /run/log/journal/d28b0080ffe0432a974f36e4fb4bfa9b/system@0d49221d68d04ef0
> >> b95 d8203c5e96a46-0000000000897f32-0005593e18c5758b.journal
> >>
> >>
> >> journalctl --disk-usage
> >> Archived and active journals take up 1.1G on disk.
> >>
> >>
> >> Initially we saw:
> >> 16733 PATH
> >> 5070 SYSCALL
> >> 5024 CWD
> >> 3765 AVC
> >> 323 CRYPTO_KEY_USER
> >> 223 USER_START
> >> 222 USER_ACCT
> >> 222 CRED_ACQ
> >> 220 LOGIN
> >> 220 CRED_REFR
> >> 218 USER_END
> >> 218 CRED_DISP
> >> 46 USER_LOGIN
> >> 12 EXECVE
> >> 4 USER_AUTH
> >> 2 CRYPTO_SESSION
> >> 1 USER_ROLE_CHANGE
> >> 1 USER_CMD
> >> 1 SERVICE_STOP
> >> 1 SERVICE_START
> >> 1 BPRM_FCAPS
> >>
> >> so we blocked type PATH in audit.rules
> >
> > This is not the right thing to do. If a security officer asks what is
> > being
> > accessed, you got rid of the information. The right thing is to figure out
> > which rule is being hit and see if something is wrong with it. For
> > example, I have seen people do this:
> >
> > -a always,exit -S open,openat -F exit=-EPERM
> >
> > The problem is that they did not restrict the rule an architecture and
> > they
> > were getting lots of events for the wrong syscall. I've also seen people
> > add -F success 0 to an open syscall. This also results in a large number
> > of events.
> >
> > So, I'd recommend making sure all rules have keys added and the running
> > the
> > key summary report to see what rule needs inspection.
> >
> > If you find the rule that's causing the problem and you want an opinion,
> > send it to the mail list.
> >
> > -Steve
> >
> >> But we are still seeing 100K of dropped/suppressed messages.
> >>
> >> Note: systemloglevel = INFO
> >>
> >> Centos 7 1708 3.10.0-693.2.2.el7.x86_64
> >>
> >> systemd.x86_64 219-42.el7_4.1
> >>
> >>
> >> Now we are required to have full audit rules and does this look like at
> >> rate limiting issue or an issue of journal not able to handle the
> >> traffic to logging?
> >>
> >> Error we are seeing from services that have silently failed, in this
> >> case glassfish..
> >>
> >> systemctl status -l glassfish
> >> ● glassfish.service - SYSV: GlassFish start and stop daemon
> >>
> >> Loaded: loaded (/etc/rc.d/init.d/glassfish; bad; vendor preset:
> >> disabled)
> >>
> >> Active: active (exited) since Tue 2017-09-26 20:01:36 UTC; 5 days ago
> >> Docs:
> >> man:systemd-sysv-generator(8)
> >>
> >> Process: 1328 ExecStart=/etc/rc.d/init.d/glassfish start (code=exited,
> >>
> >> status=0/SUCCESS)
> >>
> >> Warning: Journal has been rotated since unit was started. Log output is
> >> incomplete or unavailable.
> >>
> >> Eventually glassfish will fail but it wont kill the service so we never
> >> get an nms service down trap from the OID.
> >>
> >> Please let me know if further info is needed or if certain limits need
> >> to be adjusted.
> >>
> >> Thanks,
> >> Brad Zynda
> >>
> >>
> >> --
> >> Linux-audit mailing list
> >> Linux-audit@redhat.com
> >> https://www.redhat.com/mailman/listinfo/linux-audit
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2017-10-17 16:25 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-02 17:30 Systemd Journald and audit logging causing journal issues Brad Zynda
2017-10-17 15:25 ` Steve Grubb
2017-10-17 15:40 ` Brad Zynda
2017-10-17 16:25 ` Steve Grubb [this message]
2017-10-17 17:13 ` Brad Zynda
2017-10-18 15:14 ` Brad Zynda
2017-10-18 15:40 ` Steve Grubb
2017-10-18 16:13 ` Brad Zynda
2017-10-18 16:26 ` Steve Grubb
2017-10-18 16:32 ` Brad Zynda
2017-10-18 23:27 ` Steve Grubb
2017-10-19 17:08 ` Brad Zynda
2017-10-19 20:13 ` Steve Grubb
2017-12-01 13:17 ` Brad Zynda
2017-12-01 13:54 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3043788.HjMLctvUJC@x2 \
--to=sgrubb@redhat.com \
--cc=bradley.v.zynda@nasa.gov \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.