Failure flag "0" doesn't work
Burn Alting
burn at swtf.dyndns.org
Thu Aug 20 22:15:41 UTC 2015
Alex,
This is a little outside my experience.
One assumes the audit_failure variable has been set in the kernel
(kernel/audit.c). Perhaps you can test this.
Given you can get a copy of the kernel source you are running, perhaps
trace through what's happening. Using the messages
before/during/directly after the death of auditd, and what's routing to
dmesg, perhaps you can reverse engineer what is happening.
Perhaps someone else on the list can explain why, given -f is set to 0,
and the kernel has no user space destination for audit, it still prints
(via printk()?)
Regards
On Thu, 2015-08-20 at 13:17 +0300, Alex Beljanski wrote:
> We have a custom audit-dispatcher for process events. On some servers
> when auditd fails, all audit messages are written to the kernel log.
> We don't want to see all these messages in dmesg and set the failure flag
> to "0". This doesn't help.
>
>
> # cat /etc/audit/auditd.conf
>
> log_file = /var/log/audit/audit.log
> log_format = NOLOG
> log_group = root
> priority_boost = 4
> flush = none
> num_logs = 1
> disp_qos = lossy
> dispatcher = /sbin/audit-dispatcher
> name_format = none
> max_log_file = 1
> max_log_file_action = keep_logs
> space_left = 75
> space_left_action = ignore
> admin_space_left = 50
> admin_space_left_action = ignore
> disk_full_action = ignore
> disk_error_action = ignore
> enable_krb5 = no
>
> cat /etc/audit/rules.d/audit.rules
>
> -D
>
> -b 8192
>
> -f 0
> -e 1
>
> -a exit,always -F arch=b32 -S 11 -k exec32
> -a exit,always -F arch=b64 -S 59 -k exec64
>
> 2015-08-20 12:39 GMT+03:00 Burn Alting <burn at swtf.dyndns.org>:
> Alex,
>
> Can you provide a little more detail?
>
> Perhaps your /etc/audit/auditd.conf, /etc/audit/rules.d/*, your test
> case, the expected outcome and the outcome you actually get.
>
> Regards
>
> On Thu, 2015-08-20 at 11:09 +0300, Alex Beljanski wrote:
> > Hi!
> >
> >
> > We have a problem in CentOS 7 with auditd.
> >
> > For our servers we set failure flag 0, but the kernel writes
> > messages and we see them in dmesg.
> >
> > uname -a
> > Linux 3.10.0-229.11.1.el7.x86_64 #1 SMP Thu Aug 6 01:06:18 UTC 2015
> > x86_64 x86_64 x86_64 GNU/Linux
> >
> > # rpm -qa | grep audit
> > audit-2.4.1-5.el7.x86_64
> >
> >
> > Why doesn't this work?
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
>
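Burn's suggestion to test whether the kernel's failure flag is actually set can be done from user space with `auditctl -s`, which prints the kernel audit status one field per line (assumed here to be the newer `failure N` / `pid N` format rather than the older `AUDIT_STATUS: ... flag=N` line). The script below is an added example, not code from the thread; it parses such output (a constructed sample is embedded so it runs offline) and separately reports the case the thread describes, where `failure` is 0 but no auditd `pid` is registered after the daemon dies.

```shell
#!/bin/sh
# Added example (not from the thread): interpret `auditctl -s` output.
# Functions take the status text as an argument so they can be run on a
# constructed sample offline, or live: audit_status_report "$(auditctl -s)"

# Constructed sample mimicking the reported situation: -f 0 was applied,
# but no auditd is registered (pid 0) and records have been lost.
SAMPLE_STATUS='enabled 1
failure 0
pid 0
rate_limit 0
backlog_limit 8192
lost 37
backlog 0'

# audit_status_field TEXT FIELD -> prints the value of FIELD (empty if absent)
audit_status_field() {
    printf '%s\n' "$1" | awk -v f="$2" '$1 == f { print $2; exit }'
}

# audit_status_report TEXT -> prints a one-line diagnosis; return code:
#   0  failure flag is 0 and an auditd pid is registered
#   1  failure flag is not 0 (kernel will not be silent on lost records)
#   2  failure flag is 0 but no auditd is registered (pid 0), i.e. the
#      kernel has no user-space consumer for audit records
audit_status_report() {
    failure=$(audit_status_field "$1" failure)
    pid=$(audit_status_field "$1" pid)
    lost=$(audit_status_field "$1" lost)
    if [ "$failure" != "0" ]; then
        echo "failure flag is '$failure' (expected 0 for silent mode)"
        return 1
    fi
    if [ "$pid" = "0" ] || [ -z "$pid" ]; then
        echo "failure flag is 0 but no auditd registered (pid 0); lost=$lost"
        return 2
    fi
    echo "failure flag is 0 and auditd pid $pid is registered; lost=$lost"
    return 0
}
```

Run it on a live host after auditd has died to confirm whether `-f 0` reached the kernel at all; a non-zero `lost` count alongside `pid 0` shows that records are being generated with no daemon to receive them.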