configuration for busy docker host

Frederik Bosch f.bosch at genkgo.nl
Mon Aug 20 14:10:44 UTC 2018


In my initial message I did not include the output of auditctl -s. In 
the meantime I have disabled failure (0) and increased the backlog 
limit (heavily). As you can see, I still have a lost count of 52.

While browsing the archives of the list I found MSG00127, 
https://www.redhat.com/archives/linux-audit/2017-September/msg00127.html. 
Maybe there are similarities with that problem. That user also reported 
a high number of lost messages.

enabled 2
failure 0
pid 760
rate_limit 0
backlog_limit 524288
lost 52
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked

Hopefully someone is able to help.



On 20-08-18 11:56, Frederik Bosch wrote:
> Hello Audit team,
>
> As I have not found a location anywhere else on the web, I am sending 
> my question to this list. I have an Ubuntu 18.04 machine with auditd 
> and it acts as a Docker Host machine. I have hardened the system via 
> this package: https://github.com/konstruktoid/hardening which installs 
> auditd with the configuration to be found here: 
> https://github.com/konstruktoid/hardening/blob/master/misc/audit.rules.
>
> The problems I have are related to the directives -f and -b. The 
> hardening package uses -b 8192 and -f 2. That results very quickly in a 
> kernel panic because the audit backlog limit is exceeded, and that 
> causes a reboot of the system. Now I wonder what a good configuration 
> would be. I started reading on the subject and read that -f 2 is 
> probably the best for security reasons. However, I do not want to have 
> a system that panics very quickly and reboots.
>
> Should I simply increase the backlog to much higher numbers? Or should 
> I change -f to not cause a kernel panic? Or am I missing something and 
> should I change some other configuration? Thanks for your help.
>
> Kind regards,
> Frederik Bosch
>
> -- 
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
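Added example for the -f / -b question raised in the quoted message and the auditctl -s output above; this is not code from the original post or from the konstruktoid hardening project. It classifies a status dump by whether failure mode 2 (panic) is combined with a lossy or nearly full backlog. Both status samples are constructed: the first mirrors the values reported above, the second approximates the -b 8192 / -f 2 state the hardening rules set.

```shell
#!/bin/sh
# Added example, not code from the original post or the hardening project:
# classify an `auditctl -s` dump by the -f (failure) and -b (backlog)
# settings discussed in this thread. Both samples are CONSTRUCTED; the
# first mirrors the values the poster reported, the second approximates
# the -b 8192 / -f 2 state the hardening rules produce.
SAMPLE_AFTER='enabled 2
failure 0
pid 760
rate_limit 0
backlog_limit 524288
lost 52
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked'

SAMPLE_HARDENED='enabled 2
failure 2
pid 760
rate_limit 0
backlog_limit 8192
lost 0
backlog 7000
backlog_wait_time 60000
loginuid_immutable 0 unlocked'

# Second column of the named key in the status text read on stdin; 0 if absent.
status_field() {
    awk -v key="$1" 'BEGIN { v = 0 } $1 == key { v = $2 } END { print v }'
}

# Print one verdict word: ok, warn (records have already been lost) or risky
# (failure=2 would panic the host, and the queue is lossy or over half full).
# On a live host: audit_verdict "$(auditctl -s)"
audit_verdict() {
    failure=$(printf '%s\n' "$1" | status_field failure)
    lost=$(printf '%s\n' "$1" | status_field lost)
    backlog=$(printf '%s\n' "$1" | status_field backlog)
    limit=$(printf '%s\n' "$1" | status_field backlog_limit)
    if [ "$failure" -eq 2 ] && { [ "$lost" -gt 0 ] || [ $((backlog * 2)) -ge "$limit" ]; }; then
        echo risky
    elif [ "$lost" -gt 0 ]; then
        echo warn
    else
        echo ok
    fi
    echo "failure=$failure lost=$lost backlog=$backlog/$limit" >&2
}

audit_verdict "$SAMPLE_AFTER"      # warn: 52 lost, but failure=0 so no panic
audit_verdict "$SAMPLE_HARDENED"   # risky: failure=2 with backlog 7000/8192
```

The "lost" counter only ever grows since boot, so a non-zero value means records were dropped at some point; reading it twice a few minutes apart tells you whether the loss is still happening with the current limits.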