On Monday, July 24, 2023 5:06:02 PM EDT Samuel Bahr wrote:
> `auditctl -D` does not make it go away (outputs `No rules`). auditd isn't
> running at all and this behavior is happening purely from the kernel. These
> systems were never set to enabled 2 (locked).
>
> I went ahead and filed a Github issue for this thread:
> https://github.com/linux-audit/audit-kernel/issues/146
>
> The maintainer there suggested it's too difficult to debug due to eBPF
> programs + AWS's modified kernel.
I think there is data that could help decide where the problem might be. On one of the systems that is still logging, try running an event type report:

aureport --start yesterday --event --summary -i

This should identify what kind of event is being emitted. Based on that, it might point to where the problem is.

> I've resigned to asking Red Canary to support eBPF mode with `audit=0`
> kernel parameter in their Linux EDR. Let me know if you have any other
> ideas.

I'd say collecting summary information about what kind of events are being logged would be a good start.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
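Steve's suggestion is to look at the per-type event counts before guessing at the cause. The script below is an added example, not part of the thread or of the audit project: it runs the suggested `aureport` command when the tool is present and, otherwise, falls back to a constructed sample report so it can be tried offline. The report column layout (count first, then event type, with non-numeric header and separator lines) is an assumption about aureport's summary format, and the counts in the sample are invented.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): summarise the output of
# `aureport --start yesterday --event --summary -i` to see which audit event
# types dominate the log. The sample below is CONSTRUCTED, and the assumed
# layout is "count  TYPE" per line after a textual header.

SAMPLE_REPORT='
Event Summary Report
======================
total  type
======================
4120  SYSCALL
4118  PROCTITLE
2044  PATH
37  USER_ACCT
3  CONFIG_CHANGE
'

# top_event_type: print the event type with the highest count from report
# text on stdin. Header/separator lines are skipped because their first
# field is not a number.
top_event_type() {
    awk '$1 ~ /^[0-9]+$/ && ($1 + 0) > (max + 0) { max = $1; name = $2 }
         END { print name }'
}

# event_total: sum of all counts in the report on stdin.
event_total() {
    awk '$1 ~ /^[0-9]+$/ { s += $1 } END { print s + 0 }'
}

# collect_report: use the real aureport when it exists and succeeds
# (it normally needs root to read /var/log/audit), otherwise emit the
# constructed sample so the script still runs on a machine without auditd.
collect_report() {
    if command -v aureport >/dev/null 2>&1; then
        aureport --start yesterday --event --summary -i 2>/dev/null \
            || printf '%s\n' "$SAMPLE_REPORT"
    else
        printf '%s\n' "$SAMPLE_REPORT"
    fi
}

main() {
    report=$(collect_report)
    printf 'total events:  %s\n' "$(printf '%s\n' "$report" | event_total)"
    printf 'dominant type: %s\n' "$(printf '%s\n' "$report" | top_event_type)"
}

main
```

A log dominated by SYSCALL/PROCTITLE/PATH records points at an active syscall rule set, whereas a log made up of USER_* or CONFIG_CHANGE records points at something other than rules; either way the count breakdown is the piece of evidence worth attaching to the issue.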