Systemd Journald and audit logging causing journal issues

Steve Grubb sgrubb at redhat.com
Wed Oct 18 15:40:21 UTC 2017


On Wednesday, October 18, 2017 11:14:31 AM EDT Brad Zynda wrote:
> Here is an output from the server with PATH audit type re-allowed
> (everything back to normal):
> 
> Key Summary Report
> ===========================
> total  key
> ===========================
> 6019  perm_mod
> 3878  delete
> 964  access
> 96  privileged
> 57  time-change
> 51  session
> 41  modules
> 20  logins
> 6  system-locale
> 5  identity
> 2  mounts
> 2  scope
> 2  actions
> 1  MAC-policy
> 
> Now this is probably not a peak result but I have come across 2 questions..
> 
> 1. I wanted to cron this and email results but get, verified path sbin:
> 
> Key Summary Report
> ===========================
> total  key
> ===========================
> <no events of interest were found>

This is a well known problem. From aureport man page:

       --input-logs
              Use the log file location from auditd.conf as input for analysis.
              This is needed if you are using aureport from a cron job.

ausearch/report can be piped to by stdin. This takes priority over the logs. 
Cron uses pipes for all 3 descriptors. Therefore you have to tell them to 
ignore what they are seeing and just use the logs.

> 2. If it ends up being perm_mod as the high count what is the next step
> to identify the rule in question?

grep perm_mod /etc/audit/audit.rules

delete also looks excessive.

-Steve
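As an added example (not code from this thread), a POSIX sh script that shows both points in the reply: the aureport command line a cron job should use, with --input-logs so aureport reads the files named in auditd.conf rather than cron's stdin pipe, and mapping the busiest key in a Key Summary Report back to the rule lines that carry it. The report and the rules file content are constructed samples so the script runs without auditd; `aureport -k --summary` is the key-summary invocation assumed here.

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed aureport key summary
# (same shape as the report quoted in the thread).
SAMPLE_REPORT='Key Summary Report
===========================
total  key
===========================
6019  perm_mod
3878  delete
964  access
96  privileged'

# Constructed stand-in for /etc/audit/audit.rules (hypothetical rules).
SAMPLE_RULES='-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
-w /etc/passwd -p wa -k identity'

# cron_cmd: the aureport line for crontab. Without --input-logs aureport reads
# cron's (empty) stdin pipe and prints "<no events of interest were found>".
cron_cmd() {
    printf '%s\n' "aureport -k --summary --input-logs -ts yesterday -te today"
}

# top_key REPORT: key with the highest total (first "count key" data line).
top_key() {
    printf '%s\n' "$1" | awk 'NF==2 && $1 ~ /^[0-9]+$/ {print $2; exit}'
}

# key_count REPORT KEY: total for KEY, or 0 when the key is absent.
key_count() {
    printf '%s\n' "$1" | awk -v k="$2" '$2==k {print $1; f=1} END {if (!f) print 0}'
}

# rules_for_key RULES KEY: rule lines whose -k argument is exactly KEY
# (a plain grep would also match "-k perm_mod2" or the key in a comment).
rules_for_key() {
    printf '%s\n' "$1" | awk -v k="$2" '{for (i=1; i<NF; i++) if ($i=="-k" && $(i+1)==k) {print; break}}'
}

# is_empty_report REPORT: true when aureport found nothing (the cron symptom).
is_empty_report() {
    printf '%s\n' "$1" | grep -q '<no events of interest were found>'
}

# Stand-alone run: busiest key and the rules behind it.
k=$(top_key "$SAMPLE_REPORT")
echo "busiest key: $k ($(key_count "$SAMPLE_REPORT" "$k") events)"
rules_for_key "$SAMPLE_RULES" "$k"
```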
