Cannot disable kernel's audit system via auditctl
Steve Grubb
sgrubb at redhat.com
Tue Jul 25 17:05:51 UTC 2023
On Monday, July 24, 2023 5:06:02 PM EDT Samuel Bahr wrote:
> `auditctl -D` does not make it go away (outputs `No rules`). auditd isn't
> running at all and this behavior is happening purely from the kernel. These
> systems were never set to enabled 2 (locked).
>
> I went ahead and filed a Github issue for this thread:
> https://github.com/linux-audit/audit-kernel/issues/146
>
> The maintainer there suggested it's too difficult to debug due to eBPF
> programs + AWS's modified kernel.
I think there is data that could help decide where the problem might be. On
one of the systems that is still logging, try running an event type report:
aureport --start yesterday --event --summary -i
This should identify what kind of event is being emitted. Based on that, it
might point to where the problem is.
> I've resigned myself to asking Red Canary to support eBPF mode with `audit=0`
> kernel parameter in their Linux EDR. Let me know if you have any other
> ideas.
I'd say collecting summary information about what kind of events are being
logged would be a good start.
-Steve
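As an added example (not from the thread, and not part of the audit userspace tools), the following does over a few constructed audit.log records the per-type summary Steve asks for from aureport, and additionally tallies SYSCALL records by rule key, since key=(null) shows that no `-k`-tagged rule produced the record, which is the first thing to check when `auditctl -D` reports No rules but records keep arriving:

```python
"""Summarise raw audit.log records per event type, roughly what
`aureport --event --summary` prints. Added example; sample records are constructed."""
import re
from collections import Counter

# Record header written by the kernel: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): ...
_HDR = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key="name" for rules added with -k, key=(null) when no key applies
_KEY = re.compile(r'\bkey=(?P<key>"[^"]*"|\(null\)|\S+)')

def parse_record(line):
    """Return (type, serial, body) for an audit record, or None for any other line."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    return m.group("type"), int(m.group("serial")), m.group("body")

def summarize(lines):
    """Count records per type, distinct events (serials), and SYSCALL records per rule key."""
    by_type = Counter()
    by_key = Counter()
    serials = set()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, body = rec
        by_type[rtype] += 1
        serials.add(serial)          # records sharing a serial belong to one event
        if rtype == "SYSCALL":
            k = _KEY.search(body)
            by_key[k.group("key").strip('"') if k else "(none)"] += 1
    return {"events": len(serials), "by_type": dict(by_type), "by_key": dict(by_key)}

# Constructed sample: one keyed execve event (two records), one unkeyed open
# event, and a CONFIG_CHANGE record as logged when a rule is removed.
SAMPLE = """\
type=SYSCALL msg=audit(1690210000.123:456): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/usr/bin/ls" key="exec"
type=PROCTITLE msg=audit(1690210000.123:456): proctitle=6C73
type=SYSCALL msg=audit(1690210001.001:457): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=CONFIG_CHANGE msg=audit(1690210002.500:458): auid=1000 ses=1 op=remove_rule key=(null) list=4 res=1
"""

if __name__ == "__main__":
    for name, counts in summarize(SAMPLE.splitlines()).items():
        print(name, counts)
```

On a live system, feed it the output of `ausearch --raw` or the audit.log itself.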