"type":1305 AUDIT_CONFIG_CHANGE log noise #82
Comments
|
It is caused by this bit of code meant to keep ownership of the netlink socket in the event someone or something else tries to take it https://github.com/slackhq/go-audit/blob/master/client.go#L138 You can filter it out via the config https://github.com/slackhq/go-audit/blob/master/examples/go-audit/go-audit.yaml#L37 |
|
Thanks, I've enabled the filter, but I'm wondering if there is an unnecessary performance impact by having this safety mechanism trigger every few seconds? I gather normal auditd manages without it. I'm also wondering if the filter would prevent logging about actual changes to audit configuration via the audictl command, so perhaps an option to disable this 'keep ownership' code would be helpful? If you feel it's important to retain then adding the filter to go-audit.yaml.example would at least help users understand what's going on. |
Description
When I run go-audit it logs AUDIT_CONFIG_CHANGE messages every few seconds. Any idea why this is happening? I don't see this when running ordinary auditd.
Reproducible in:
go-auditversion: dev+20200629015509I also tried with version 1.00 and got the same result.
OS version(s): Ubuntu 20.04 LTS
kernel 5.4.0-39-generic
go v1.13.8
Steps to reproduce:
example.yaml is an umodified copy of go-audit.yaml.example
Expected result:
No AUDIT_CONFIG_CHANGE messages.
A similar volume of messages as when I run auditd with the same rules.
Actual result:
{"sequence":904,"timestamp":"1593402441.566","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
{"sequence":905,"timestamp":"1593402446.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
{"sequence":906,"timestamp":"1593402451.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
The text was updated successfully, but these errors were encountered: