Multiple af_unix plugins on audit 2.8.5 cause duplicated output #412

Open
tperka-catalogicsoftware opened this issue Oct 25, 2024 · 2 comments

Comments

@tperka-catalogicsoftware

I've tried creating my own plugin of type af_unix on Ubuntu 20.04 and RHEL 7 systems (audit 2.8.5). Everything looked fine: I could connect to the socket on the given file and then listen to events. After that I installed Wazuh, which creates its own af_unix plugin in some other location.

It causes events to be duplicated in both sockets, as you can see in this output:

node=tperka-Latitude-5401 type=SYSCALL msg=audit(1729852173.202:4148): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fb55273b600 a2=341 a3=1b6 items=2 ppid=5310 pid=11716 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="zsh" exe="/usr/bin/zsh" subj=unconfined key=<null>
node=tperka-Latitude-5401 type=SYSCALL msg=audit(1729852173.202:4148): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fb55273b600 a2=341 a3=1b6 items=2 ppid=5310 pid=11716 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4294967295 comm="zsh" exe="/usr/bin/zsh" subj=unconfined key=<null>
node=tperka-Latitude-5401 type=CWD msg=audit(1729852173.202:4148): cwd="/home/tperka/audit_test"
node=tperka-Latitude-5401 type=CWD msg=audit(1729852173.202:4148): cwd="/home/tperka/audit_test"
node=tperka-Latitude-5401 type=PATH msg=audit(1729852173.202:4148): item=0 name="/home/tperka/audit_test" inode=7586118 dev=103:02 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=tperka-Latitude-5401 type=PATH msg=audit(1729852173.202:4148): item=0 name="/home/tperka/audit_test" inode=7586118 dev=103:02 mode=040777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=tperka-Latitude-5401 type=PATH msg=audit(1729852173.202:4148): item=1 name="B" inode=7478893 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=tperka-Latitude-5401 type=PATH msg=audit(1729852173.202:4148): item=1 name="B" inode=7478893 dev=103:02 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=tperka-Latitude-5401 type=PROCTITLE msg=audit(1729852173.202:4148): proctitle="zsh"
node=tperka-Latitude-5401 type=PROCTITLE msg=audit(1729852173.202:4148): proctitle="zsh"
node=tperka-Latitude-5401 type=EOE msg=audit(1729852173.202:4148): 
node=tperka-Latitude-5401 type=EOE msg=audit(1729852173.202:4148): 

Of course, when I create a third plugin (e.g. activate the default example af_unix plugin), there are three copies of each record in every socket. This issue does not occur on an Alma Linux 9 system (audit 3.1.2).

How can I deal with such behavior? Is it expected? Is there any workaround?
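A consumer-side way to measure and suppress the duplication described above, as an added example that is not part of the issue or of the audit project's code. It takes an iterable of record lines (for instance what a reader pulls off the plugin's af_unix socket) and works from the constructed sample below, which is modelled on the output in the report but shortened; the host name, paths and the `max_events` bound are assumptions.

```python
import re
from collections import Counter, OrderedDict

# Identity of an audit record: the (timestamp, serial) pair inside msg=audit(...).
_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample modelled on the report: every record of event 4148 arrives
# twice because two af_unix plugins are active (host name and paths are made up).
SAMPLE = [
    'node=host1 type=SYSCALL msg=audit(1729852173.202:4148): arch=c000003e syscall=257 success=yes exit=3 comm="zsh" exe="/usr/bin/zsh" key=<null>',
    'node=host1 type=SYSCALL msg=audit(1729852173.202:4148): arch=c000003e syscall=257 success=yes exit=3 comm="zsh" exe="/usr/bin/zsh" key=<null>',
    'node=host1 type=CWD msg=audit(1729852173.202:4148): cwd="/home/user/audit_test"',
    'node=host1 type=CWD msg=audit(1729852173.202:4148): cwd="/home/user/audit_test"',
    'node=host1 type=PATH msg=audit(1729852173.202:4148): item=0 name="/home/user/audit_test" nametype=PARENT',
    'node=host1 type=PATH msg=audit(1729852173.202:4148): item=0 name="/home/user/audit_test" nametype=PARENT',
    'node=host1 type=PATH msg=audit(1729852173.202:4148): item=1 name="B" nametype=NORMAL',
    'node=host1 type=PATH msg=audit(1729852173.202:4148): item=1 name="B" nametype=NORMAL',
    'node=host1 type=PROCTITLE msg=audit(1729852173.202:4148): proctitle="zsh"',
    'node=host1 type=PROCTITLE msg=audit(1729852173.202:4148): proctitle="zsh"',
    'node=host1 type=EOE msg=audit(1729852173.202:4148): ',
    'node=host1 type=EOE msg=audit(1729852173.202:4148): ',
]


def copies_per_record(lines):
    """Count how often each exact audit record line appears in the stream."""
    return Counter(l.rstrip("\n") for l in lines if _MSG_RE.search(l))


def duplication_factor(lines):
    """Highest copy count of any record: 2 with two plugins delivering, 3 with three, 1 when clean."""
    counts = copies_per_record(lines)
    return max(counts.values()) if counts else 0


def dedupe_audit_records(lines, max_events=1024):
    """Return (kept, dropped): each record once, exact repeats of the same event dropped.

    Records already emitted are remembered per event serial in a bounded LRU, so the
    second copy of an EOE record (which arrives after the first EOE) is still caught
    while memory stays bounded for a long-running socket reader. Different records
    of one event (SYSCALL, CWD, PATH item=0, PATH item=1, ...) are all kept.
    """
    recent = OrderedDict()  # (timestamp, serial) -> set of record lines already emitted
    kept, dropped = [], 0
    for raw in lines:
        line = raw.rstrip("\n")
        m = _MSG_RE.search(line)
        if m is None:
            kept.append(line)  # not an audit record; pass through untouched
            continue
        serial = (m.group(1), m.group(2))
        seen = recent.get(serial)
        if seen is None:
            seen = recent[serial] = set()
            if len(recent) > max_events:
                recent.popitem(last=False)  # evict the oldest event
        else:
            recent.move_to_end(serial)
        if line in seen:
            dropped += 1
            continue
        seen.add(line)
        kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = dedupe_audit_records(SAMPLE)
    print(f"duplication factor: {duplication_factor(SAMPLE)}")
    print(f"kept {len(kept)} records, dropped {dropped} duplicates")
    for l in kept:
        print(l)
```

The dedup key is the exact record content plus the event serial, so records that legitimately repeat within an event (several PATH items) differ by their `item=` field and survive, while the copies produced by a second plugin are byte-identical and are dropped. `duplication_factor` is the quick check: on the affected hosts in the report it would read 2 with two plugins and 3 with three, and 1 once only one af_unix plugin is active.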

@Cropi
Contributor

Cropi commented Nov 1, 2024

I would say that there are multiple af_unix-related .config files installed within the plugin directory. Make sure that only one is active.

This looks like a packaging problem, so I think we can close this.

@tperka-catalogicsoftware
Author

But why should there be only one .config file inside the plugin directory? Why can't I have multiple af_unix plugins? When there are two independent apps that use the audit af_unix socket, it's hard to enforce that they use the same one, as they both deploy their own plugin configuration.

Why is it possible in audit >= 3.0 then? Was there some bug fixed? I can't see anything related in the changelog.
