
Comments (3)

nbrownus avatar nbrownus commented on July 26, 2024

Can you share the rules you are running with?

from go-audit.

kamushadenes avatar kamushadenes commented on July 26, 2024

Hello, I managed to fix the problem by adding -F auid!=1 to all rules and doubling the buffer size:


# Configure socket buffers, leave unset to use the system defaults
# Values will be doubled by the kernel
# It is recommended you do not set any of these values unless you really need to
socket_buffer:
  # Default is net.core.rmem_default (/proc/sys/net/core/rmem_default)
  # Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max)
  receive: 32768

events:
  # Minimum event type to capture, default 1300
  min: 1300
  # Maximum event type to capture, default 1399
  max: 1399

# Configure message sequence tracking
message_tracking:
  # Track messages and identify if we missed any, default true
  enabled: true

  # Log out of orderness, these messages typically signify an overloading system, default false
  log_out_of_order: false

  # Maximum out of orderness before a missed sequence is presumed dropped, default 500
  max_out_of_order: 500

# Configure where to output audit events
# Only 1 output can be active at a given time
output:
  # Writes to stdout
  # All program status logging will be moved to stderr
  stdout:
    enabled: false

    # Total number of attempts to write a line before considering giving up
    # If a write fails go-audit will sleep for 1 second before retrying
    # Default is 3
    attempts: 2

  # Writes logs to syslog
  syslog:
    enabled: true
    attempts: 5

    # Configure the type of socket this should be, default is unixgram
    # This maps to `network` in golangs net.Dial: https://golang.org/pkg/net/#Dial
    network: unixgram

    # Set the remote address to connect to, this can be a path or an ip address
    # This maps to `address` in golangs net.Dial: https://golang.org/pkg/net/#Dial
    address: /dev/log

    # Sets the facility and severity for all events. See the table below for help
    # The default is 132 which maps to local0 | warn
    priority: 129 # local0 | alert (facility 16*8 + severity 1; local0 | emerg would be 128)

    # Typically the name of the program generating the message. The PID of the process is appended for you: [1233]
    # Default value is "go-audit"
    tag: "go-audit"

# Configure logging, only stdout and stderr are used.
log:
  # Gives you a bit of control over log line prefixes. Default is 0 - nothing.
  # To get the `filename:lineno` you would set this to 16
  #
  # Ldate         = 1  // the date in the local time zone: 2009/01/23
  # Ltime         = 2  // the time in the local time zone: 01:23:23
  # Lmicroseconds = 4  // microsecond resolution: 01:23:23.123123.  assumes Ltime.
  # Llongfile     = 8  // full file name and line number: /a/b/c/d.go:23
  # Lshortfile    = 16 // final file name element and line number: d.go:23. overrides Llongfile
  # LUTC          = 32 // if Ldate or Ltime is set, use UTC rather than the local time zone
  #
  # See also: https://golang.org/pkg/log/#pkg-constants
  flags: 0

rules:
  - -D
  - -a exclude,always -F msgtype=CWD
  - -a always,exit -S all -F dir=/var/log/audit -F perm=wra -k audit-logs
  - -a exit,always -F arch=b64 -S execve -F auid!=-1 -k user_commands
  - -a exit,always -F arch=b32 -S execve -F auid!=-1 -k user_commands
  - -w /var/log/auth.log -p wra -k logs -F auid!=-1
  - -w /var/log/syslog -p wra -k logs -F auid!=-1
  - -a always,exit -F arch=b64 -S all -F exit=-13 -k access -F auid!=-1
  - -a always,exit -S all -F dir=/etc -F perm=wa -k system -F auid!=-1
  - -a always,exit -S all -F dir=/boot -F perm=wa -k system -F auid!=-1
  - -a always,exit -S all -F dir=/usr/lib -F perm=wa -k system -F auid!=-1
  - -a always,exit -S all -F dir=/bin -F perm=wa -k system -F auid!=-1
  - -a always,exit -S all -F dir=/lib -F perm=wa -k system -F auid!=-1
  - -a always,exit -S all -F dir=/lib64 -F perm=wa -k system -F auid!=-1
  - -a always,exit -S all -F dir=/sbin -F perm=wa -k system -F auid!=-1
  - -a always,exit -S all -F dir=/usr/bin -F perm=wa -k system -F auid!=-1
  - -a always,exit -S all -F dir=/usr/sbin -F perm=wa -k system -F auid!=-1
  - -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -F auid!=-1
  - -a always,exit -F arch=b64 -S clock_settime -k time-change -F auid!=-1
  - -w /etc/localtime -p wa -k time-change -F auid!=-1
  - -w /etc/group -p wa -k identity -F auid!=-1
  - -w /etc/passwd -p wa -k identity -F auid!=-1
  - -w /etc/gshadow -p wa -k identity -F auid!=-1
  - -w /etc/shadow -p wa -k identity -F auid!=-1
  - -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -F auid!=-1
  - -w /etc/issue -p wa -k system-locale -F auid!=-1
  - -w /etc/issue.net -p wa -k system-locale -F auid!=-1
  - -w /etc/hosts -p wa -k system-locale -F auid!=-1
  - -w /var/log/faillog -p wa -k logins -F auid!=-1
  - -w /var/log/lastlog -p wa -k logins -F auid!=-1
  - -w /var/log/tallylog -p wa -k logins -F auid!=-1
  - -w /var/run/utmp -p wa -k session -F auid!=-1
  - -w /var/log/btmp -p wa -k session -F auid!=-1
  - -w /var/log/wtmp -p wa -k session -F auid!=-1
  - -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k perm_mod -F auid!=-1
  - -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -k perm_mod -F auid!=-1
  - -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod -F auid!=-1
  - -a always,exit -F path=/usr/bin/sg -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/chsh -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/mount.cifs -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/umount -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/write -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/sudo -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/wall -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/crontab -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/expiry -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/mount -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/ksu -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/chfn -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/chage -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/suexec -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/newgrp -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/bin/su -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/lib/utempter/utempter -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/lib/mail-privsep -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -k privileged -F auid!=-1
  - -a always,exit -F arch=b64 -S mount -k export -F auid!=-1
  - -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -k delete -F auid!=-1
  - -w /etc/sudoers -p wa -k actions -F auid!=-1
  - -w /sbin/insmod -p x -k modules -F auid!=-1
  - -w /sbin/rmmod -p x -k modules -F auid!=-1
  - -w /sbin/modprobe -p x -k modules -F auid!=-1
  - -a always,exit -F arch=b64 -S init_module -S delete_module -k modules -F auid!=-1
  - -a always,exit -F arch=b32 -S open -S openat -F exit=-EACCES -k access
  - -a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access
  - -a always,exit -F arch=b32 -S open -S openat -F exit=-EPERM -k access
  - -a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access
  - -a exit,always -S listen -k listen
  - -e 1

# If kaudit filtering isn't powerful enough you can use the following filter mechanism
filters:
  # Each filter consists of exactly 3 parts
  - syscall: 49 # The syscall id of the message group (a single log line from go-audit), to test against the regex
    message_type: 1130 # The message type identifier containing the data to test against the regex
    regex: auid=4294967295 # The regex to test against the message specific message types data

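The fix above adds -F auid!=-1 to most rules, which drops events from processes that never went through a login session (login uid unset, 4294967295), but the open/openat and listen rules near the end of the list still lack it. As an added check, not go-audit's own code, this Go snippet walks the rules: block of the config and reports the syscall and watch rules that are still missing the filter; the embedded YAML is a constructed excerpt of the list above.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed excerpt of the rules: block from the config above.
const sampleRules = `rules:
  - -a exclude,always -F msgtype=CWD
  - -a exit,always -F arch=b64 -S execve -F auid!=-1 -k user_commands
  - -w /etc/passwd -p wa -k identity -F auid!=-1
  - -a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access
  - -a exit,always -S listen -k listen
filters:
  - syscall: 49
`

// The login-uid filter in the spellings auditctl accepts for "unset".
var auidFilter = regexp.MustCompile(`(^|\s)-F\s+auid!=(-1|4294967295|unset)(\s|$)`)

// generatesEvents is true for exit-list syscall rules (-a) and watches (-w);
// control rules (-D, -e) and the exclude list are skipped.
func generatesEvents(rule string) bool {
	f := strings.Fields(rule)
	return len(f) > 1 && (f[0] == "-w" || (f[0] == "-a" && strings.Contains(f[1], "exit")))
}

// RulesMissingAuidFilter walks the "- " items under the rules: key and
// returns the event-generating rules that lack the auid filter.
func RulesMissingAuidFilter(yamlText string) []string {
	var missing []string
	inRules := false
	for _, line := range strings.Split(yamlText, "\n") {
		t := strings.TrimSpace(line)
		switch {
		case t == "rules:":
			inRules = true
		case inRules && t != "" && !strings.HasPrefix(line, " "):
			inRules = false // the next top-level key (e.g. filters:) ends the list
		case inRules && strings.HasPrefix(t, "- "):
			r := strings.TrimSpace(t[2:])
			if generatesEvents(r) && !auidFilter.MatchString(r) {
				missing = append(missing, r)
			}
		}
	}
	return missing
}
```

On the sample it reports the open/openat rule and the listen rule; run it over the full config to see every rule that still produces events for daemons and kernel threads.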

nbrownus avatar nbrownus commented on July 26, 2024

Can you get the same problem to occur while running vanilla auditd and without the -F auid!=-1? I'll try to reproduce the kernel oops tomorrow with this ruleset as well.

