From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Disabling local logging with write_logs = no
Date: Mon, 03 Dec 2018 10:17:59 -0500
Message-ID: <1935503.sbb2Ay52bZ@x2>
In-Reply-To: <CANQ3tOhS1m4qRX3xv0EDxG0tpK5MKFwS1o4BGRMj1_jap6sykg@mail.gmail.com>

On Monday, December 3, 2018 2:13:43 AM EST Kay Mccormick wrote:
> I am trying to log only to a remote machine so I have set:
> 
> write_logs = no
> 
> in my auditd.conf. Unfortunately, when I restart auditd it does not appear
> to respect my configuration choice.

According to your output, you are running auditd-2.6.7. It has this known bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1382397


> When I run it with 'auditd -f' to keep it in the foreground, it does not
> write the file and I see:
> 
> write_logs_parser called with: no
> in the output.
>
> Looking at the source, I see:
> 
>         if (opt_foreground) {
>                 config.daemonize = D_FOREGROUND;
>                 set_aumessage_mode(MSG_STDERR, DBG_YES);
>         } else {
>                 config.daemonize = D_BACKGROUND;
>                 set_aumessage_mode(MSG_SYSLOG, DBG_NO);
>                 (void) umask( umask( 077 ) | 022 );
>         }
> 
> It seems I cannot get messages logged with LOG_DEBUG without running in
> foreground mode (in which case the bug does not appear to be triggered) or
> recompiling auditd.

Generally you do not need the debug messages because if auditd has any real 
problems it writes to syslog. The debug messages are generally very low-level 
details like the parsing outcome for the config file.

> I have included the output of auditd -f and also my auditd.conf.

This output also shows that you have local_events = no. That means that it 
will not register with the kernel to receive local events. Normally this is 
used when you have auditd in a container and it does not have access to the 
kernel's audit interface. It allows auditd to run in a container to be an 
aggregating server for other audit daemons. That is probably not what you 
intended.

To prevent writing to logs, you would set write_logs = no. However, the 
old version you are running has a bug. You'll need to upgrade to a newer 
version of auditd. There have been many bugfixes and improvements since 2.6.7.

Also, if you are doing remote logging, you probably want to be using the 
enriched data format. This is achieved by setting log_format = ENRICHED. This 
collects local information and adds it to the event so remote systems can 
make sense of the events where uid/gid changes between machines.

Hope this helps...

-Steve
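The three settings discussed in this thread (write_logs, local_events and log_format) are easy to get wrong together on a host that is meant to forward everything to a remote collector. The following is an added example, not code from the audit project or from either poster: a small linter that parses an auditd.conf (assumed here to be plain "key = value" lines with "#" comments, which is a simplification of the real file format) and reports the combinations Steve flags above. The sample configuration embedded in it is constructed to mirror the original poster's situation.

```python
"""Lint an auditd.conf for the remote-only logging pitfalls from the thread.

Added example, not part of the Linux audit project. The parser assumes a
simplified 'key = value' format with '#' comments; the sample config below
is constructed to resemble the original poster's (write_logs and
local_events both off, log_format left at RAW).
"""

# Constructed sample auditd.conf, modelled on the thread.
SAMPLE_CONF = """\
# auditd.conf (constructed sample)
log_file = /var/log/audit/audit.log
write_logs = no          # intended: remote-only logging
log_format = RAW
local_events = no        # probably not intended on a real host
flush = INCREMENTAL_ASYNC
"""


def parse_auditd_conf(text):
    """Parse 'key = value' lines into a dict with lower-cased keys.

    Anything after '#' is treated as a comment; blank lines are skipped;
    a non-empty line without '=' is reported as a syntax error.
    """
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings


def check_remote_only(settings):
    """Return findings for a host that is supposed to log only to a remote collector.

    Defaults mirror auditd's documented defaults: write_logs=yes,
    local_events=yes, log_format=RAW.
    """
    findings = []
    write_logs = settings.get("write_logs", "yes").lower()
    local_events = settings.get("local_events", "yes").lower()
    log_format = settings.get("log_format", "RAW").upper()

    if write_logs != "no":
        findings.append("write_logs is not 'no': auditd will still write the local log file")
    if local_events == "no":
        findings.append("local_events = no: auditd will not register for this kernel's "
                        "events; this is meant for a container acting as an aggregation server")
    if log_format != "ENRICHED":
        findings.append("log_format is not ENRICHED: remote receivers cannot resolve "
                        "uid/gid names that differ between machines")
    return findings


def lint(text):
    """Parse a config and return its findings (empty list means it looks right)."""
    return check_remote_only(parse_auditd_conf(text))


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("WARNING:", finding)
```

Run against the constructed sample it reports two findings (local_events and log_format); a config with write_logs = no, local_events = yes and log_format = ENRICHED produces none. Note that the 2.6.7 bug Steve links cannot be detected from the configuration file at all: the fix there is the upgrade he recommends.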
