configuration for busy docker host
Frederik Bosch
f.bosch at genkgo.nl
Thu Aug 23 16:01:59 UTC 2018
Hi Steve,
That was the trick, to add audit_backlog_limit=8192. Thanks a lot for
all your answers, things are much clearer for me now!
Regards,
Frederik
On 23-08-18 16:18, Steve Grubb wrote:
> On Wednesday, August 22, 2018 10:49:20 AM EDT Frederik Bosch wrote:
>> Hi Steve,
>>
>> That was really helpful, again. My aureport looks much healthier now! I
>> have one remaining question. When running auditctl -s I still have a lost
>> value of 51 after boot.
>>
>> enabled 2
>> failure 1
>> pid 779
>> rate_limit 0
>> backlog_limit 8192
>> lost 51
>> backlog 0
>> backlog_wait_time 0
>> loginuid_immutable 0 unlocked
>>
>> What could be the cause?
> By default, the audit subsystem reserves 64 slots for audit events. Systemd
> can easily overrun this before auditd starts. So, you need to boot with the
> following kernel boot options:
>
> audit=1 audit_backlog_limit=8192
>
> Do you have this for boot options?
>
>
>> My aureport now looks like this.
>>
>> sudo aureport --start boot --key --summary
>>
>> Key Summary Report
>> ===========================
>> total key
>> ===========================
>> 289 auditlog
>> 120 specialfiles
>> 73 docker
>> 69 privileged
>> 29 access
>> 19 perm_mod
>> 17 delete
>> 12 actions
>> 11 audit_rules_networkconfig_modification
>> 10 cron
>> 10 modules
>> 10 login
>> 6 apparmor_tools
>> 6 audit_time_rules
>> 5 systemd_tools
>> 5 audit_rules_usergroup_modification
>> 5 pam
>> 4 power
>> 3 audittools
>> 3 group_modification
>> 3 user_modification
>> 3 init
>> 3 modprobe
>> 3 sshd
>> 2 apparmor
>> 2 systemd
>> 2 export
>> 2 auditconfig
>> 2 mail
>> 2 admin_user_home
>> 1 audispconfig
>> 1 MAC-policy
>> 1 passwd_modification
>> 1 logins
>> 1 libpath
>> 1 localtime
>> 1 audit_time_ruleszone
>> 1 sysctl
>>
>> If I understand things correctly with failure set to 1, I should find a
>> message in dmesg due to printk, but I have not found any that is
>> related.
> There may be a chance that these were lost before auditd rules were loaded.
>
>> My auditd.conf is as follows.
>>
>> local_events = yes
>> write_logs = yes
>> log_file = /var/log/audit/audit.log
>> log_group = adm
>> log_format = RAW
>> flush = INCREMENTAL_ASYNC
>> freq = 50
>> max_log_file = 8
>> num_logs = 5
> Btw, these two settings only allow 40Mb of logs. Typically if you really need
> auditing you need more than this.
>
>> priority_boost = 4
>> disp_qos = lossy
>> dispatcher = /sbin/audispd
>> name_format = NONE
>> ##name = mydomain
>> max_log_file_action = keep_logs
>> space_left = 75
>> space_left_action = email
>> verify_email = yes
>> action_mail_acct = root
>> admin_space_left = 50
>> admin_space_left_action = halt
>> disk_full_action = SUSPEND
>> disk_error_action = SUSPEND
>> use_libwrap = yes
>> ##tcp_listen_port = 60
>> tcp_listen_queue = 5
>> tcp_max_per_addr = 1
>> ##tcp_client_ports = 1024-65535
>> tcp_client_max_idle = 0
>> enable_krb5 = no
>> krb5_principal = auditd
>> ##krb5_key_file = /etc/audit/audit.key
>> distribute_network = no
>>
>> Or is it something I should not be worried about?
> Maybe. Let's see what the boot options are. Also, what kernel version are you
> using?
>
> -Steve
>
>
>
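Added example, not code from the thread: a POSIX shell script that checks whether a host boots with the options Steve recommends (audit=1 and audit_backlog_limit) and reads the lost counter from `auditctl -s` output. The command line and status text below are constructed samples; on a real host substitute `$(cat /proc/cmdline)` and `$(auditctl -s)`.

```shell
#!/bin/sh
# Return 0 if the kernel command line carries audit=1 and an
# audit_backlog_limit of at least $2 (default 8192); print what is missing.
check_cmdline() {
    cmdline="$1"; want="${2:-8192}"; ok=0
    case " $cmdline " in
        *" audit=1 "*) ;;
        *) echo "missing audit=1"; ok=1 ;;
    esac
    # last audit_backlog_limit=N token wins, as the kernel would apply it
    limit=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
            | sed -n 's/^audit_backlog_limit=//p' | tail -n 1)
    if [ -z "$limit" ]; then
        echo "missing audit_backlog_limit (kernel default is 64 slots)"; ok=1
    elif [ "$limit" -lt "$want" ]; then
        echo "audit_backlog_limit=$limit is below $want"; ok=1
    fi
    return $ok
}

# Print one field (e.g. lost, backlog_limit) from `auditctl -s` style output.
status_field() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Return 0 if the kernel reports no lost events, 1 if some were lost,
# 2 if the status text has no lost field at all.
check_lost() {
    lost=$(status_field "$1" lost)
    [ -n "$lost" ] || { echo "no lost field in status output"; return 2; }
    if [ "$lost" -gt 0 ]; then
        echo "kernel reports $lost lost audit events"; return 1
    fi
    return 0
}

# Constructed samples: a command line without the options, and the status
# block from the thread (lost 51 after boot).
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_STATUS="enabled 2
failure 1
pid 779
rate_limit 0
backlog_limit 8192
lost 51
backlog 0"

# Demonstration run; failures are reported but do not abort the script.
check_cmdline "$SAMPLE_CMDLINE" || :
check_lost "$SAMPLE_STATUS" || :
```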