configuration for busy docker host

Frederik Bosch f.bosch at genkgo.nl
Thu Aug 23 16:01:59 UTC 2018


Hi Steve,

That was the trick, to add audit_backlog_limit=8192. Thanks a lot for 
all your answers, things are much clearer for me now!

Regards,
Frederik



On 23-08-18 16:18, Steve Grubb wrote:
> On Wednesday, August 22, 2018 10:49:20 AM EDT Frederik Bosch wrote:
>> Hi Steve,
>>
>> That was really helpful, again. My aureport looks much healthier now! I
>> have one remaining question. When running auditctl -s I still have a lost
>> value of 51 after boot.
>>
>> enabled 2
>> failure 1
>> pid 779
>> rate_limit 0
>> backlog_limit 8192
>> lost 51
>> backlog 0
>> backlog_wait_time 0
>> loginuid_immutable 0 unlocked
>>
>> What could be the cause?
> By default, the audit subsystem reserves 64 slots for audit events. Systemd
> can easily overrun this before auditd starts. So, you need to boot with the
> following kernel boot options:
>
> audit=1 audit_backlog_limit=8192
>
> Do you have this for boot options?
>
>
>> My aureport now looks like this.
>>
>> sudo aureport --start boot --key --summary
>>
>> Key Summary Report
>> ===========================
>> total  key
>> ===========================
>> 289  auditlog
>> 120  specialfiles
>> 73  docker
>> 69  privileged
>> 29  access
>> 19  perm_mod
>> 17  delete
>> 12  actions
>> 11  audit_rules_networkconfig_modification
>> 10  cron
>> 10  modules
>> 10  login
>> 6  apparmor_tools
>> 6  audit_time_rules
>> 5  systemd_tools
>> 5  audit_rules_usergroup_modification
>> 5  pam
>> 4  power
>> 3  audittools
>> 3  group_modification
>> 3  user_modification
>> 3  init
>> 3  modprobe
>> 3  sshd
>> 2  apparmor
>> 2  systemd
>> 2  export
>> 2  auditconfig
>> 2  mail
>> 2  admin_user_home
>> 1  audispconfig
>> 1  MAC-policy
>> 1  passwd_modification
>> 1  logins
>> 1  libpath
>> 1  localtime
>> 1  audit_time_ruleszone
>> 1  sysctl
>>
>> If I understand things correctly with failure set to 1, I should find a
>> message in dmesg due to printk, but I have not found any that is
>> related.
> There may be a chance that these were lost before auditd rules were loaded.
>
>> My auditd.conf is as follows.
>>
>> local_events = yes
>> write_logs = yes
>> log_file = /var/log/audit/audit.log
>> log_group = adm
>> log_format = RAW
>> flush = INCREMENTAL_ASYNC
>> freq = 50
>> max_log_file = 8
>> num_logs = 5
> Btw, these two settings only allow 40MB of logs. Typically if you really need
> auditing you need more than this.
>
>> priority_boost = 4
>> disp_qos = lossy
>> dispatcher = /sbin/audispd
>> name_format = NONE
>> ##name = mydomain
>> max_log_file_action = keep_logs
>> space_left = 75
>> space_left_action = email
>> verify_email = yes
>> action_mail_acct = root
>> admin_space_left = 50
>> admin_space_left_action = halt
>> disk_full_action = SUSPEND
>> disk_error_action = SUSPEND
>> use_libwrap = yes
>> ##tcp_listen_port = 60
>> tcp_listen_queue = 5
>> tcp_max_per_addr = 1
>> ##tcp_client_ports = 1024-65535
>> tcp_client_max_idle = 0
>> enable_krb5 = no
>> krb5_principal = auditd
>> ##krb5_key_file = /etc/audit/audit.key
>> distribute_network = no
>>
>> Or is it something I should not be worried about?
> Maybe. Let's see what the boot options are. Also, what kernel version are you
> using?
>
> -Steve
>
>
>
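The thread boils down to three checks: whether the kernel command line carries audit=1 and a large enough audit_backlog_limit, what `auditctl -s` reports for backlog_limit and lost, and how much log space max_log_file x num_logs in auditd.conf actually gives. The script below is an added example, not code from the thread or from the audit project; it assumes the `auditctl -s` and auditd.conf layouts shown above, and its sample inputs are constructed from the values in the thread so it runs offline. On a live host, feed it `cat /proc/cmdline`, `auditctl -s` and /etc/audit/auditd.conf instead.

```shell
#!/bin/sh
# Added example: sanity-check the audit settings discussed in the thread.
# Each function takes its input as text so it can run on constructed samples.

# Return 0 if the kernel command line has audit=1 and audit_backlog_limit >= $2
# (default 8192, the value Steve recommends). The last occurrence wins, as the
# kernel takes the last value of a repeated parameter.
cmdline_ok() {
  cmdline=$1
  want=${2:-8192}
  case " $cmdline " in
    *" audit=1 "*) ;;
    *) return 1 ;;
  esac
  limit=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
          | sed -n 's/^audit_backlog_limit=//p' | tail -n 1)
  [ -n "$limit" ] && [ "$limit" -ge "$want" ]
}

# Print one field of `auditctl -s` output, e.g. "lost" or "backlog_limit".
status_field() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Total on-disk log capacity in MB implied by auditd.conf:
# max_log_file (MB per file) * num_logs (files kept with keep_logs/rotate).
# Lines starting with '#' are ignored like auditd does.
log_capacity_mb() {
  printf '%s\n' "$1" | awk -F'=' '
    /^[ \t]*#/ { next }
    { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
    $1 == "max_log_file" { m = $2 }
    $1 == "num_logs"     { n = $2 }
    END { print m * n }'
}

# Human-readable summary of the three checks.
audit_report() {
  cmdline=$1; status=$2; conf=$3
  if cmdline_ok "$cmdline" 8192; then
    echo "boot options: OK (audit=1, audit_backlog_limit>=8192)"
  else
    echo "boot options: add audit=1 audit_backlog_limit=8192 to the kernel command line"
  fi
  echo "kernel backlog_limit: $(status_field "$status" backlog_limit)"
  echo "events lost so far:   $(status_field "$status" lost)"
  echo "log capacity:         $(log_capacity_mb "$conf") MB"
}

# Constructed sample inputs, taken from the values posted in the thread.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro audit=1 audit_backlog_limit=8192'
SAMPLE_STATUS='enabled 2
failure 1
pid 779
rate_limit 0
backlog_limit 8192
lost 51
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked'
SAMPLE_CONF='log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
##name = mydomain
max_log_file_action = keep_logs'

audit_report "$SAMPLE_CMDLINE" "$SAMPLE_STATUS" "$SAMPLE_CONF"
```

A non-zero "lost" counter that stays constant after boot, with backlog_limit already raised, is consistent with Steve's explanation: the events were dropped before auditd started, when the kernel still had the default backlog, so the fix is the boot option rather than anything in auditd.conf.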
