-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"type":1305 AUDIT_CONFIG_CHANGE log noise #82
Comments
It is caused by this bit of code meant to keep ownership of the netlink socket in the event someone or something else tries to take it https://github.com/slackhq/go-audit/blob/master/client.go#L138 You can filter it out via the config https://github.com/slackhq/go-audit/blob/master/examples/go-audit/go-audit.yaml#L37
|
Thanks, I've enabled the filter, but I'm wondering if there is an unnecessary performance impact by having this safety mechanism trigger every few seconds? I gather normal auditd manages without it. I'm also wondering if the filter would prevent logging about actual changes to audit configuration via the audictl command, so perhaps an option to disable this 'keep ownership' code would be helpful? If you feel it's important to retain then adding the filter to go-audit.yaml.example would at least help users understand what's going on. |
Description
When I run go-audit it logs AUDIT_CONFIG_CHANGE messages every few seconds. Any idea why this is happening? I don't see this when running ordinary auditd.
Reproducible in:
go-audit
version: dev+20200629015509I also tried with version 1.00 and got the same result.
OS version(s): Ubuntu 20.04 LTS
kernel 5.4.0-39-generic
go v1.13.8
Steps to reproduce:
example.yaml is an umodified copy of go-audit.yaml.example
Expected result:
No AUDIT_CONFIG_CHANGE messages.
A similar volume of messages as when I run auditd with the same rules.
Actual result:
{"sequence":904,"timestamp":"1593402441.566","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
{"sequence":905,"timestamp":"1593402446.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
{"sequence":906,"timestamp":"1593402451.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
The text was updated successfully, but these errors were encountered: