Discussion:
Disabling local logging with write_logs = no
Kay Mccormick
2018-12-03 07:13:43 UTC
I am trying to log only to a remote machine so I have set:

write_logs = no

in my auditd.conf. Unfortunately, when I restart auditd it does not appear
to respect my configuration choice.

When I run it with 'auditd -f' to keep it in the foreground, it does not
write the file and I see:

write_logs_parser called with: no

in the output.

Looking at the source, I see:

if (opt_foreground) {
	config.daemonize = D_FOREGROUND;
	set_aumessage_mode(MSG_STDERR, DBG_YES);
} else {
	config.daemonize = D_BACKGROUND;
	set_aumessage_mode(MSG_SYSLOG, DBG_NO);
	(void) umask( umask( 077 ) | 022 );
}

It seems I cannot get messages logged with LOG_DEBUG without running in
foreground mode (in which case the bug does not appear to be triggered) or
recompiling auditd.

I have included the output of auditd -f and also my auditd.conf.
Steve Grubb
2018-12-03 15:17:59 UTC
Post by Kay Mccormick
write_logs = no
in my auditd.conf. Unfortunately, when I restart auditd it does not appear
to respect my configuration choice.
According to your output, you are running auditd-2.6.7. It has this known bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1382397
Post by Kay Mccormick
When I run it with 'auditd -f' to keep it in the foreground, it does not
write_logs_parser called with: no
in the output.
if (opt_foreground) {
	config.daemonize = D_FOREGROUND;
	set_aumessage_mode(MSG_STDERR, DBG_YES);
} else {
	config.daemonize = D_BACKGROUND;
	set_aumessage_mode(MSG_SYSLOG, DBG_NO);
	(void) umask( umask( 077 ) | 022 );
}
It seems I cannot get messages logged with LOG_DEBUG without running in
foreground mode (in which case the bug does not appear to be triggered) or
recompiling auditd.
Generally you do not need the debug messages because if auditd has any real
problems it writes to syslog. The debug messages are generally very low-level
details like the parsing outcome for the config file.
Post by Kay Mccormick
I have included the output of auditd -f and also my auditd.conf.
This output also shows that you have local_events = no. That means that it
will not register with the kernel to receive local events. Normally this is
used when you have auditd in a container and it does not have access to the
kernel's audit interface. It allows auditd to run in a container to be an
aggregating server for other audit daemons. That is probably not what you
intended.

To prevent writing to logs, you would set write_logs = no. However, the
old version you are running has a bug. You'll need to upgrade to a newer
version of auditd. There have been many bugfixes and improvements since 2.6.7.

Also, if you are doing remote logging, you probably want to be using the
enriched data format. This is achieved by setting log_format = ENRICHED. This
collects local information and adds it to the event so remote systems can
make sense of the events where uid/gid changes between machines.

Hope this helps...

-Steve
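What the reply above amounts to for the configuration file, as an added example that is not from the thread or from the audit project: a small shell lint that parses an auditd.conf and flags the two points Steve raises, local_events = no (auditd never registers with the kernel, so the host's own events are lost unless it is a container-hosted aggregator) and a remote-only setup (write_logs = no) that still emits RAW rather than ENRICHED records. Both sample configurations are constructed here, since the poster's real auditd.conf is not shown on the page, and the function names are mine; the parser assumes one `key = value` per line with `#` comments and compares keys and values case-insensitively.

```shell
#!/bin/sh
# Added example (not code from the thread or from the audit project): a lint
# for auditd.conf covering the settings discussed in the reply.
# Assumptions: "key = value" lines, '#' starts a comment, keys and values are
# compared case-insensitively. All function names are mine.

# Print the (lowercased) value of key $2 from auditd.conf $1; last one wins.
auditd_conf_get() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                 # strip comments, then look for key = value
        /=/ {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = tolower(v)
        }
        END { if (val != "") print val }' "$1"
}

# Print one line per finding for auditd.conf $1 (prints nothing if it looks sane).
auditd_conf_lint() {
    conf="$1"
    write_logs=$(auditd_conf_get "$conf" write_logs)
    local_events=$(auditd_conf_get "$conf" local_events)
    log_format=$(auditd_conf_get "$conf" log_format)

    # local_events = no: auditd does not register with the kernel, so this
    # host's own events are never collected. Only right for an aggregator
    # running in a container without access to the kernel audit interface.
    if [ "$local_events" = "no" ]; then
        echo "local_events = no: auditd will not receive this kernel's events (aggregator mode)"
    fi
    # Remote-only logging (write_logs = no) should send enriched records so the
    # receiving side can resolve uid/gid values that differ between machines.
    if [ "$write_logs" = "no" ] && [ "$log_format" != "enriched" ]; then
        echo "write_logs = no with log_format = ${log_format:-unset}: set log_format = ENRICHED for remote consumers"
    fi
}

# Constructed sample modelled on the thread (remote-only intent, but
# local_events = no and RAW format). Not the poster's real file.
sample_weak_conf() {
    cat <<'EOF'
# constructed auditd.conf, weak settings
log_file = /var/log/audit/audit.log
log_format = RAW
write_logs = no
local_events = no
EOF
}

# Constructed sample with the settings the reply recommends.
sample_fixed_conf() {
    cat <<'EOF'
# constructed auditd.conf, corrected settings
log_file = /var/log/audit/audit.log
log_format = ENRICHED
write_logs = no
local_events = yes
EOF
}

# Usage: lint both samples. The weak one yields two findings, the fixed one none.
main() {
    for make in sample_weak_conf sample_fixed_conf; do
        f=$(mktemp)
        "$make" > "$f"
        echo "== $make =="
        auditd_conf_lint "$f"
        rm -f "$f"
    done
}

main
```

Run it against a real file with `auditd_conf_lint /etc/audit/auditd.conf`. The lint only reads the file; it cannot tell whether the running daemon is a 2.6.7 build that still ignores write_logs = no, which is the upgrade the reply points at.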
