Hi Steve,

That was the trick, to add audit_backlog_limit=8192. Thanks a lot for all your answers, things are much clearer for me now!

Regards,
Frederik



On 23-08-18 16:18, Steve Grubb wrote:
> On Wednesday, August 22, 2018 10:49:20 AM EDT Frederik Bosch wrote:
>> Hi Steve,
>>
>> That was really helpful, again. My aureport looks much healthier now! I
>> have one remaining question. When running auditctl -s I still have a lost
>> value of 51 after boot.
>>
>> enabled 2
>> failure 1
>> pid 779
>> rate_limit 0
>> backlog_limit 8192
>> lost 51
>> backlog 0
>> backlog_wait_time 0
>> loginuid_immutable 0 unlocked
>>
>> What could be the cause?
>
> By default, the audit subsystem reserves 64 slots for audit events. Systemd
> can easily overrun this before auditd starts. So, you need to boot with the
> following kernel boot options:
>
> audit=1 audit_backlog_limit=8192
>
> Do you have this for boot options?
>
>> My aureport now looks like this.
>>
>> sudo aureport --start boot --key --summary
>>
>> Key Summary Report
>> ===========================
>> total  key
>> ===========================
>> 289  auditlog
>> 120  specialfiles
>> 73  docker
>> 69  privileged
>> 29  access
>> 19  perm_mod
>> 17  delete
>> 12  actions
>> 11  audit_rules_networkconfig_modification
>> 10  cron
>> 10  modules
>> 10  login
>> 6  apparmor_tools
>> 6  audit_time_rules
>> 5  systemd_tools
>> 5  audit_rules_usergroup_modification
>> 5  pam
>> 4  power
>> 3  audittools
>> 3  group_modification
>> 3  user_modification
>> 3  init
>> 3  modprobe
>> 3  sshd
>> 2  apparmor
>> 2  systemd
>> 2  export
>> 2  auditconfig
>> 2  mail
>> 2  admin_user_home
>> 1  audispconfig
>> 1  MAC-policy
>> 1  passwd_modification
>> 1  logins
>> 1  libpath
>> 1  localtime
>> 1  audit_time_ruleszone
>> 1  sysctl
>>
>> If I understand things correctly with failure set to 1, I should find a
>> message in dmesg due to printk, but I have not found any that is
>> related.
>
> There may be a chance that these were lost before auditd rules were loaded.
>
>> My auditd.conf is as follows.
>>
>> local_events = yes
>> write_logs = yes
>> log_file = /var/log/audit/audit.log
>> log_group = adm
>> log_format = RAW
>> flush = INCREMENTAL_ASYNC
>> freq = 50
>> max_log_file = 8
>> num_logs = 5
>
> Btw, these two settings only allow 40Mb of logs. Typically if you really need
> auditing you need more than this.
>
>> priority_boost = 4
>> disp_qos = lossy
>> dispatcher = /sbin/audispd
>> name_format = NONE
>> ##name = mydomain
>> max_log_file_action = keep_logs
>> space_left = 75
>> space_left_action = email
>> verify_email = yes
>> action_mail_acct = root
>> admin_space_left = 50
>> admin_space_left_action = halt
>> disk_full_action = SUSPEND
>> disk_error_action = SUSPEND
>> use_libwrap = yes
>> ##tcp_listen_port = 60
>> tcp_listen_queue = 5
>> tcp_max_per_addr = 1
>> ##tcp_client_ports = 1024-65535
>> tcp_client_max_idle = 0
>> enable_krb5 = no
>> krb5_principal = auditd
>> ##krb5_key_file = /etc/audit/audit.key
>> distribute_network = no
>>
>> Or is it something I should not be worried about?
>
> Maybe. Let's see what the boot options are. Also, what kernel version are you
> using?
>
> -Steve




--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
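The checks Steve walks through above (audit=1 and audit_backlog_limit on the kernel command line, the lost counter from auditctl -s, and the log retention implied by max_log_file and num_logs), as an added example in Python. This is not code from the thread or from the audit project; the boot command line and the 100 MB threshold are constructed assumptions, while the auditctl -s output and the auditd.conf values are taken from the messages above.

```python
"""Report the audit conditions discussed in the thread from the text of
`auditctl -s`, /proc/cmdline and auditd.conf.  Added example, not audit
project tooling; sample inputs are from the thread or constructed."""


def parse_kv(text):
    """Parse 'key value' lines (auditctl -s) or 'key = value' lines (auditd.conf)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split("=", 1) if "=" in line else line.split(None, 1)
        out[key.strip()] = value.strip()
    return out


def parse_cmdline(cmdline):
    """Kernel parameters as a dict; bare flags such as 'quiet' map to None."""
    return {k: (v or None) for k, _, v in (tok.partition("=") for tok in cmdline.split())}


def check_audit(status_text, cmdline, auditd_conf):
    """Return a list of findings; an empty list means nothing to act on."""
    status, boot, conf = parse_kv(status_text), parse_cmdline(cmdline), parse_kv(auditd_conf)
    findings = []
    lost = int(status.get("lost", "0"))
    if lost:
        findings.append(f"{lost} events lost since boot")
    if boot.get("audit") != "1":
        findings.append("audit=1 missing from the kernel command line")
    limit = boot.get("audit_backlog_limit")
    if limit is None:
        # Without this option the kernel keeps its default of 64 backlog slots
        # until auditd starts, so systemd can overrun it during early boot.
        findings.append("audit_backlog_limit missing from the kernel command line")
    elif limit != status.get("backlog_limit"):
        findings.append(f"boot limit {limit} differs from running backlog_limit {status.get('backlog_limit')}")
    # max_log_file is in MB; with max_log_file_action = keep_logs nothing is
    # deleted, so this is the space num_logs rotated files would occupy.
    rotated_mb = int(conf["max_log_file"]) * int(conf["num_logs"])
    if rotated_mb < 100:  # 100 MB threshold is an assumption for this example
        findings.append(f"only {rotated_mb}MB of rotated audit logs configured")
    return findings


# From the thread: auditctl -s output and the auditd.conf size settings.
AUDITCTL_STATUS = "enabled 2\nfailure 1\npid 779\nrate_limit 0\nbacklog_limit 8192\nlost 51\nbacklog 0\n"
AUDITD_CONF = "max_log_file = 8\nnum_logs = 5\nmax_log_file_action = keep_logs\n"
# Constructed: a command line lacking the two audit options Steve recommends.
BOOT_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"

if __name__ == "__main__":
    for finding in check_audit(AUDITCTL_STATUS, BOOT_CMDLINE, AUDITD_CONF):
        print("-", finding)
```

On a live system feed it `auditctl -s`, the contents of /proc/cmdline and /etc/audit/auditd.conf; a non-zero lost count together with the two missing boot options is exactly the situation Frederik fixed by adding audit_backlog_limit=8192.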
