Hi Steve, `auditctl -D` does not make it go away (outputs `No rules`). auditd isn't running at all and this behavior is happening purely from the kernel. These systems were never set to enabled 2 (locked).
I went ahead and filed a Github issue for this thread: https://github.com/linux-audit/audit-kernel/issues/146 The maintainer there suggested it's too difficult to debug due to eBPF programs + AWS's modified kernel. I've resigned to asking Red Canary to support eBPF mode with `audit=0` kernel parameter in their Linux EDR. Let me know if you have any other ideas. Regards, Samuel Bahr Pinterest Sr. Site Reliability Engineer On Sun, Jul 23, 2023 at 7:17 PM Steve Grubb <sgr...@redhat.com> wrote: > On Thursday, June 29, 2023 6:34:03 PM EDT Samuel Bahr wrote: > > Hi linux-audit, > > > > I'm running a fleet of Linux hosts with Red Canary Linux EDR (Endpoint > > Detection and Response) which uses eBPF for gathering telemetry in > service > > ` cfsvcd.service`. In an older configuration, it gathered data from the > > kernel's audit system and everything was fine. However, when we switched > > cfsvcd to gathering data from eBPF instead, we noticed that the kernel > > ring buffer was flooded with audit messages. This is because > > cfsvcd.service now stops auditd.service, but leaves the kernel audit > > system enabled. > > > > I've mitigated this issue by manually running `# auditctl -e 0` on our > > hosts (via Puppet). However, I'm running into a strange issue where > _some_ > > hosts (~0.5%) are still logging all audit events to the kernel ring > buffer > > even after I have disabled the audit system via `# auditctl -e 0`. A `# > > auditctl -s` run shows `enabled 0`, yet audit logs continue to flood the > > kernel ring buffer. > > > > I'm running Linux kernel 5.4.0-1063-aws on Ubuntu 18.04 with auditctl > > v2.8.2. `systemd-journald-audit.socket` is masked & inactive, ` > > auditd.service` is disabled & inactive. > > > > I cannot entirely disable the audit system via a kernel parameter because > > Red Canary Linux EDR fails to start cfsvcd.service as it fails to run > some > > auditctl command due to no audit support in the kernel: > > > > Jun 28 20:41:04 systemd[1]: Started Canary Forwarder Service. > > > > > Jun 28 20:41:04 cfsvcd[105781]: Found config file at path > > > '"/opt/redcanary/config.json"', continuing execution... > > > Jun 28 20:41:12 cfsvcd[105781]: component: Sentry > > > Jun 28 20:41:12 cfsvcd[105781]: Jun 28 20:41:12.055 INFO Initializing > > > Sentry Config { version: "1.4.17.release.[...]", https_proxy: None, > > > extra_tags: [("telemetry.source", "eBPF")], logging_enabled: true, > > > metrics_enabled: true, [...]} > > > Jun 28 20:41:12 cfsvcd[105781]: Failed to setup or configure host > system: > > > Linux Audit watcher failure: Netlink Error: IO Error: Protocol not > > > supported (os error 93) > > > Jun 28 20:41:12 cfsvcd[105781]: Received stop. Exiting > > > unix::wait_for_signal. Signal: 0, done.is_signaled(): true > > > Jun 28 20:41:12 cfsvcd[105781]: Joining async_agent_thread > > > Jun 28 20:41:13 cfsvcd[105781]: Attempting to stop subscriber (Ebpf). > > > Jun 28 20:41:13 cfsvcd[105781]: Shutting down due to termination signal > > > [...] > > > Jun 28 20:41:15 cfsvcd[105781]: Subscriber stopped. > > > Jun 28 20:41:15 auditctl[106733]: Error - audit support not in kernel > > > Jun 28 20:41:15 auditctl[106733]: Cannot open netlink audit socket > > > Jun 28 20:41:15 systemd[1]: cfsvcd.service: Service hold-off time over, > > > scheduling restart. > > > Jun 28 20:41:15 systemd[1]: cfsvcd.service: Scheduled restart job, > > > restart > > > counter is at 301. > > > Jun 28 20:41:15 systemd[1]: Stopped Canary Forwarder Service. > > > > Here's the unit file for cfsvcd.service: > > > [Unit] > > > Description=Canary Forwarder Service > > > > > > DefaultDependencies=no > > > After=local-fs.target systemd-tmpfiles-setup.service auditd.service > > > Before=sysinit.target shutdown.target > > > # Replace the auditd service if it is running > > > Conflicts=auditd.service shutdown.target > > > > > > [Service] > > > WorkingDirectory=/opt/redcanary > > > ExecStart=/opt/redcanary/cfsvcd > > > ExecStopPost=-/sbin/auditctl -D > > > Restart=always > > > TimeoutSec=15 > > > > > > [Install] > > > WantedBy=multi-user.target > > > > Is this a known issue? > > Not really. But this is a new capability. If you run auditctl -D, does it > go > away? Have any of the systems been setup with auditctl -e 2? This makes > the > configuration immutable. > > -Steve > > > Is there a workaround to stop the logging to the > > kernel ring buffer? Is there any more information I can provide to help > > debug? > > > >
-- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
