public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: Frederik Bosch <f.bosch@genkgo.nl>
Cc: linux-audit@redhat.com
Subject: Re: configuration for busy docker host
Date: Thu, 23 Aug 2018 10:18:53 -0400
Message-ID: <8308348.SYEr7oRNeL@x2>
In-Reply-To: <97b56ea7-442d-20e4-6a4b-e44021e2c6a1@genkgo.nl>

On Wednesday, August 22, 2018 10:49:20 AM EDT Frederik Bosch wrote:
> Hi Steve,
> 
> That was really helpful, again. My aureport looks much healthier now! I
> have one remaining question. When running auditctl -s I still have a lost
> value of 51 after boot.
> 
> enabled 2
> failure 1
> pid 779
> rate_limit 0
> backlog_limit 8192
> lost 51
> backlog 0
> backlog_wait_time 0
> loginuid_immutable 0 unlocked
> 
> What could be the cause?

By default, the audit subsystem reserves 64 slots for audit events. Systemd 
can easily overrun this before auditd starts. So, you need to boot with the 
following kernel boot options:

audit=1 audit_backlog_limit=8192

Do you have this for boot options?


> My aureport now looks like this.
> 
> sudo aureport --start boot --key --summary
> 
> Key Summary Report
> ===========================
> total  key
> ===========================
> 289  auditlog
> 120  specialfiles
> 73  docker
> 69  privileged
> 29  access
> 19  perm_mod
> 17  delete
> 12  actions
> 11  audit_rules_networkconfig_modification
> 10  cron
> 10  modules
> 10  login
> 6  apparmor_tools
> 6  audit_time_rules
> 5  systemd_tools
> 5  audit_rules_usergroup_modification
> 5  pam
> 4  power
> 3  audittools
> 3  group_modification
> 3  user_modification
> 3  init
> 3  modprobe
> 3  sshd
> 2  apparmor
> 2  systemd
> 2  export
> 2  auditconfig
> 2  mail
> 2  admin_user_home
> 1  audispconfig
> 1  MAC-policy
> 1  passwd_modification
> 1  logins
> 1  libpath
> 1  localtime
> 1  audit_time_ruleszone
> 1  sysctl
> 
> If I understand things correctly with failure set to 1, I should find a
> message in dmesg due to printk, but I have not found any that is
> related.

There may be a chance that these were lost before auditd rules were loaded.

> My auditd.conf is as follows.
> 
> local_events = yes
> write_logs = yes
> log_file = /var/log/audit/audit.log
> log_group = adm
> log_format = RAW
> flush = INCREMENTAL_ASYNC
> freq = 50
> max_log_file = 8
> num_logs = 5

Btw, these two settings only allow 40Mb of logs. Typically if you really need 
auditing you need more than this.

> priority_boost = 4
> disp_qos = lossy
> dispatcher = /sbin/audispd
> name_format = NONE
> ##name = mydomain
> max_log_file_action = keep_logs
> space_left = 75
> space_left_action = email
> verify_email = yes
> action_mail_acct = root
> admin_space_left = 50
> admin_space_left_action = halt
> disk_full_action = SUSPEND
> disk_error_action = SUSPEND
> use_libwrap = yes
> ##tcp_listen_port = 60
> tcp_listen_queue = 5
> tcp_max_per_addr = 1
> ##tcp_client_ports = 1024-65535
> tcp_client_max_idle = 0
> enable_krb5 = no
> krb5_principal = auditd
> ##krb5_key_file = /etc/audit/audit.key
> distribute_network = no
> 
> Or is it something I should not be worried about?

Maybe. Let's see what the boot options are. Also, what kernel version are you 
using?

-Steve
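A small check script for the three points raised in this reply (the kernel boot options, the `lost` counter from `auditctl -s`, and the log-space figure from `max_log_file` and `num_logs`). This is an added example, not code from the thread or from the audit project; on a live host the functions would be fed `cat /proc/cmdline`, `auditctl -s` and `/etc/audit/auditd.conf`, while the command line and status lines used below are constructed samples.

```shell
#!/bin/sh
# Added example: verify the audit backlog settings discussed in the thread.
# All inputs are passed as text so the functions can be run on the constructed
# samples at the bottom without root or a real audit subsystem.

# Print the value of key=value on a kernel command line; fail if absent.
cmdline_value() {
    key="$1"; line="$2"
    for tok in $line; do
        case "$tok" in
            "$key"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Check for the two options the reply asks about: audit=1 (auditing on from
# early boot) and audit_backlog_limit raised well above the kernel default of
# 64 slots, which systemd can overrun before auditd starts. Prints "ok" or
# the reason the check failed.
check_boot_options() {
    line="$1"
    audit=$(cmdline_value audit "$line") || { echo "missing audit=1"; return 1; }
    [ "$audit" = "1" ] || { echo "audit=$audit, expected audit=1"; return 1; }
    limit=$(cmdline_value audit_backlog_limit "$line") \
        || { echo "missing audit_backlog_limit (kernel default is 64)"; return 1; }
    [ "$limit" -ge 8192 ] || { echo "audit_backlog_limit=$limit is below 8192"; return 1; }
    echo ok
}

# Summarise the `auditctl -s` fields that matter here (read from stdin): the
# lost counter and the failure flag (0 = silent, 1 = printk, 2 = panic).
describe_status() {
    awk '
        $1 == "lost"    { lost = $2 }
        $1 == "failure" { f = $2 }
        END {
            if (f == 1) mode = "printk"; else if (f == 2) mode = "panic"; else mode = "silent"
            printf "lost=%d failure=%s\n", lost, mode
        }'
}

# Disk footprint implied by auditd.conf (read from stdin), in MB:
# max_log_file is the size of one file in MB, num_logs how many are kept
# when max_log_file_action=rotate. Lines starting with # are ignored.
max_log_space_mb() {
    awk -F'=' '
        /^[ \t]*#/ { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "max_log_file" { size = $2 }
        $1 == "num_logs"     { n = $2 }
        END { print size * n }'
}

# Constructed samples: a command line missing both options, one with them,
# and the status/config fragments quoted in the thread.
SAMPLE_CMDLINE_BAD='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet'
SAMPLE_CMDLINE_OK='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro audit=1 audit_backlog_limit=8192'
SAMPLE_STATUS='enabled 2
failure 1
lost 51
backlog 0'
SAMPLE_CONF='log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
##name = mydomain'

echo "boot (bad): $(check_boot_options "$SAMPLE_CMDLINE_BAD")"
echo "boot (ok):  $(check_boot_options "$SAMPLE_CMDLINE_OK")"
echo "status:     $(printf '%s\n' "$SAMPLE_STATUS" | describe_status)"
echo "log space:  $(printf '%s\n' "$SAMPLE_CONF" | max_log_space_mb) MB"
```

A non-zero `lost` counter with `failure 1` means the kernel printed a message at the time the events were dropped; if that happened before auditd and its rules were loaded, as the reply suggests, `dmesg` from that boot is the only place it would appear.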

Thread overview:
2018-08-20  9:56 configuration for busy docker host Frederik Bosch
2018-08-20 14:10 ` Frederik Bosch
2018-08-20 17:48 ` Steve Grubb
2018-08-22 11:40   ` Frederik Bosch
2018-08-22 12:42     ` Steve Grubb
2018-08-22 14:49       ` Frederik Bosch
2018-08-23 14:18         ` Steve Grubb [this message]
2018-08-23 16:01           ` Frederik Bosch