linux audit events not passed to go-audit
We're attempting to use Slack's go-audit tool to capture/process Linux audit events. More info: https://github.com/slackhq/go-audit

The issue is that the Linux audit subsystem is correctly picking up events, but these are not being picked up by go-audit, or not correctly output by go-audit.

The example go-audit config file has been modified to have a single rule for capturing information about access to the file /opt/secret.txt:

rules:
- -a exit,always -F path=/opt/secret.txt -F perm=wra -k test_changes

The full go-audit config file is here:
https://gist.github.com/tom-chaoscube/fc2f14b448650ea4018620bbbf2c3345

After running go-audit, we can see that this rule has been successfully deployed:

# auditctl -l
-w /opt/secret.txt -p rwa -k test_changes

An attempt to access the file is made, and an audit record can be seen in the audit log file:

$ cat secret.txt
# cat /var/log/audit/audit.log

type=SYSCALL msg=audit(1485357520.702:868): arch=c000003e syscall=2 success=yes exit=3 a0=7ffee46830dc a1=0 a2=1fffffffffff0000 a3=7ffee4681670 items=1 ppid=5199 pid=5469 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=7 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="test_changes"
type=CWD msg=audit(1485357520.702:868): cwd="/opt"
type=PATH msg=audit(1485357520.702:868): item=0 name="secret.txt" inode=26244598 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:usr_t:s0 objtype=NORMAL

However, when looking at the output from go-audit, no events are recorded. We've tried both with go-audit set to output to stdout, and also to a file.

Running strace on go-audit, it looks like it's opening up a NETLINK socket, which I assume is the connection to auditd. It can also be seen that some data is received over the socket, in line with periodic entries in audit.log; however, it does not seem like any data is being received specifically when the file access audit entries are written by auditd. (Can't necessarily say this categorically.)

socket(PF_NETLINK, SOCK_RAW, 9)         = 4
bind(4, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [16384], 4) = 0
getsockopt(4, SOL_SOCKET, SO_RCVBUF, [32768], [4]) = 0
... ...
... ...
write(1, "Started processing events\n", 26) = 26
recvfrom(4, "L21261253573773773778351351"..., 8970, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 76
futex(0xa0f1d0, FUTEX_WAIT, 0, NULL) = 0

Any suggestions as to:

  • Why go-audit isn't picking up the events?

  • Further steps that could be taken to investigate if go-audit really is receiving the event information across the socket. (I.e. steps to establish that they are not getting lost on the auditd side.)

Edit: I have since tried this locally on Ubuntu 16.10 (as well as the original CentOS 7 machine), and have the same results.

Cheers.
asked Jan 25 '17 at 15:34 by tomg
edited Jan 25 '17 at 17:27 by tomg
  • I suggest you remove Q2 and Q3 and focus on Q1 (Why go-audit isn't picking up the events?) because Q2 is too broad and Q3 is off-topic; this way you risk your post being closed for either reason.

    – countermode
    Jan 25 '17 at 15:43











  • Q2 is more intended as "what additional data might help in answering Q1", and I think that is reasonable. Q3 removed.

    – tomg
    Jan 25 '17 at 15:49
1 Answer
Resolved.



The answer to this problem is that auditd was still running on the systems.



Simply stopping auditd and restarting go-audit enabled the audit data to be received:



sudo service auditd stop
answered Jan 25 '17 at 17:41 by tom
edited Feb 21 at 14:02 by Aneesh Dogra
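An added check that serves both the question's request for ways to establish where the events are being lost and the answer's resolution; it is written here for this page and is not code from the question, the answer or go-audit itself. The kernel unicasts audit records to the single pid that registered as the audit listener, so a second process holding an open audit netlink socket (go-audit while auditd is still running) just blocks in recvfrom(). The helpers read `auditctl -s` and /proc/net/netlink on stdin, which is an assumption about those two formats as I know them, and the live section assumes the daemon's process name is go-audit.

```shell
#!/bin/sh
# Added example: not from the question, the answer or go-audit's source.
# The kernel delivers audit records to the one pid registered as the audit
# listener; any other process with a NETLINK_AUDIT socket open (here:
# go-audit while auditd still runs) receives nothing. These helpers make
# that state visible. Both parsers read stdin so saved output can be checked.

# Print the pid registered with the kernel as the audit listener (0 = none).
# Handles the two `auditctl -s` output formats (assumed from memory):
#   audit 1.x: "AUDIT_STATUS: enabled=1 flag=1 pid=1234 rate_limit=0 ..."
#   audit 2.x: one "name value" pair per line, e.g. "pid 1234"
audit_listener_pid() {
    sed -n -e 's/^pid \([0-9][0-9]*\).*/\1/p' \
           -e 's/.* pid=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print the port ids of every open NETLINK_AUDIT socket from /proc/net/netlink
# (Eth column == 9). A port id normally equals the owning pid, so this lists
# who merely holds a socket, as opposed to who is registered for events.
audit_netlink_ports() {
    awk 'NR > 1 && $2 == 9 { print $3 }'
}

# Compare the registered listener with the pid we expect (go-audit's).
# Prints one of: ok, unregistered, other:<pid>. Exit status 0 only for "ok".
check_audit_listener() {
    expected=$1
    registered=$(audit_listener_pid)
    if [ -z "$registered" ] || [ "$registered" = 0 ]; then
        echo unregistered
        return 1
    elif [ "$registered" = "$expected" ]; then
        echo ok
        return 0
    else
        echo "other:$registered"
        return 1
    fi
}

# Live check: only runs as root on a host that has auditctl installed.
if command -v auditctl >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    goaudit_pid=$(pidof go-audit 2>/dev/null | cut -d' ' -f1)
    ports=$(audit_netlink_ports < /proc/net/netlink | tr '\n' ' ')
    echo "processes with an audit netlink socket open (port ids): $ports"
    verdict=$(auditctl -s | check_audit_listener "${goaudit_pid:-0}") || true
    case $verdict in
        ok)           echo "go-audit ($goaudit_pid) is the registered listener" ;;
        unregistered) echo "nobody is registered: go-audit has not sent AUDIT_SET" ;;
        other:*)      p=${verdict#other:}
                      owner=$(cat "/proc/$p/comm" 2>/dev/null || echo gone)
                      echo "pid $p ($owner) holds the registration; stop it" \
                           "(e.g. service auditd stop) and restart go-audit" ;;
    esac
fi
```

Run it as root before and after `service auditd stop`: the port id list shows that go-audit had its socket open all along, while the verdict changes from other:<auditd pid> to ok once go-audit is restarted and registers itself.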