Saturday, July 21, 2018

Auditd showing duplicate lines in audit.log


I'm having an issue where auditd seems to be logging the same message twice, see below for example:

type=EXECVE msg=audit(1495742109.857:90234552): argc=1 a0="/bin/bash"
type=EXECVE msg=audit(1495742109.857:90234552): argc=1 a0="/bin/bash"

and here is the relevant configuration:

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = incremental
freq = 20
num_logs = 3
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = none
name = lga-tag06
max_log_file = 1024
max_log_file_action = rotate
space_left = 75
space_left_action = syslog
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = suspend
disk_full_action = suspend
disk_error_action = suspend
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd

and the relevant rules:

# Default Rule - Delete ALL
-D

# Set Buffer size - increase for Busy Systems
-b 8192

# Puppet Managed Custom rules begin here:
-b 320
-D
-a exclude,never -F msgtype=PATH
-a exclude,never -F msgtype=BPRM_FCAPS
-a exclude,never -F msgtype=CRED_DISP
-a exit,always -F arch=b32 -F euid>=0 -S execve
-a exit,always -F arch=b64 -F euid>=0 -S execve

Curious if anyone has seen this before or has any suggestions?
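Before changing journald or auditd configuration it helps to confirm that the repeats really are byte-identical copies of one record (same serial, same type, same fields) rather than the normal case of one event producing several different records with the same serial (SYSCALL, EXECVE, CWD, and one PATH per item). The following script is an added example, not part of the original question or answer; it runs over a constructed sample of audit.log lines that mirrors the symptom above and reports only exact duplicates, so legitimate multi-record events are not flagged.

```python
import re
from collections import Counter

# Constructed sample of RAW-format audit.log content (not taken from the
# original post verbatim). Event serial 90234552 carries a SYSCALL record plus
# a duplicated EXECVE record; serial 90234553 is a normal two-record event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1495742109.857:90234552): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/bin/bash"
type=EXECVE msg=audit(1495742109.857:90234552): argc=1 a0="/bin/bash"
type=EXECVE msg=audit(1495742109.857:90234552): argc=1 a0="/bin/bash"
type=SYSCALL msg=audit(1495742110.101:90234553): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1495742110.101:90234553): argc=2 a0="ls" a1="-la"
"""

# type=<TYPE> msg=audit(<epoch.millis>:<serial>): <key=value fields...>
MSG_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):(?P<body>.*)$'
)


def parse_record(line):
    """Split one RAW audit line into type, timestamp, serial and field body.

    Returns None for lines that do not look like audit records.
    """
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return {
        'type': m['type'],
        'ts': m['ts'],
        'serial': int(m['serial']),
        'body': m['body'].strip(),
    }


def record_key(rec):
    # Keying on serial alone would flag every multi-record event; keying on
    # (serial, type) would still flag the several PATH records one event can
    # carry. Only a record whose type AND body repeat is a true duplicate.
    return (rec['serial'], rec['type'], rec['body'])


def find_duplicates(lines):
    """Return {(serial, type, body): count} for records that appear more than once."""
    seen = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            seen[record_key(rec)] += 1
    return {key: n for key, n in seen.items() if n > 1}


def records_per_event(lines):
    """Return {serial: number_of_records}, useful to eyeball event structure."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            counts[rec['serial']] += 1
    return dict(counts)


def dedupe(lines):
    """Yield each audit line once, dropping byte-identical repeats of a record."""
    emitted = set()
    for line in lines:
        rec = parse_record(line)
        key = record_key(rec) if rec is not None else line
        if key in emitted:
            continue
        emitted.add(key)
        yield line


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for (serial, rtype, body), n in find_duplicates(lines).items():
        print(f'serial {serial}: {rtype} record repeated {n} times -> {body}')
    print('records per event:', records_per_event(lines))
    print('unique lines after dedupe:', sum(1 for _ in dedupe(lines)))
```

To run it against a real file, replace `SAMPLE_LOG.splitlines()` with the lines of `/var/log/audit/audit.log` (read as root). If `find_duplicates` reports repeats with the same serial and identical bodies, the duplication is happening at the logging layer rather than being several distinct records of one event; if `records_per_event` simply shows several records per serial with different types, that is normal auditd behaviour and nothing needs fixing.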

1 Answer

I can't say for sure, but until you add the information I requested on the comment to your question, I will go with the following:

Note / Update: This extends to the bounty. Although the comment regarding the extra lines doesn't apply, the remaining questions about distribution and versions do.

You might be hitting the bug reported in Red Hat's tracker and in systemd's GitHub, which state that there is an issue between auditd and systemd's journald.

The proposed solution there is to disable the audit support from the journal:

systemctl mask systemd-journald-audit.socket 

Before trying it, please read the linked issues above and take all the necessary considerations.
