Cannot disable kernel's audit system via auditctl
by Samuel Bahr
Hi linux-audit,
I'm running a fleet of Linux hosts with Red Canary Linux EDR (Endpoint
Detection and Response) which uses eBPF for gathering telemetry in service `
cfsvcd.service`. In an older configuration, it gathered data from the
kernel's audit system and everything was fine. However, when we switched
cfsvcd to gathering data from eBPF instead, we noticed that the kernel ring
buffer was flooded with audit messages. This is because cfsvcd.service now
stops auditd.service, but leaves the kernel audit system enabled.
I've mitigated this issue by manually running `# auditctl -e 0` on our
hosts (via Puppet). However, I'm running into a strange issue where _some_
hosts (~0.5%) are still logging all audit events to the kernel ring buffer
even after I have disabled the audit system via `# auditctl -e 0`. A `#
auditctl -s` run shows `enabled 0`, yet audit logs continue to flood the
kernel ring buffer.
I'm running Linux kernel 5.4.0-1063-aws on Ubuntu 18.04 with auditctl
v2.8.2. `systemd-journald-audit.socket` is masked & inactive, `
auditd.service` is disabled & inactive.
I cannot entirely disable the audit system via a kernel parameter because
Red Canary Linux EDR fails to start cfsvcd.service as it fails to run some
auditctl command due to no audit support in the kernel:
Jun 28 20:41:04 systemd[1]: Started Canary Forwarder Service.
> Jun 28 20:41:04 cfsvcd[105781]: Found config file at path
> '"/opt/redcanary/config.json"', continuing execution...
> Jun 28 20:41:12 cfsvcd[105781]: component: Sentry
> Jun 28 20:41:12 cfsvcd[105781]: Jun 28 20:41:12.055 INFO Initializing
> Sentry Config { version: "1.4.17.release.[...]", https_proxy: None,
> extra_tags: [("telemetry.source", "eBPF")], logging_enabled: true,
> metrics_enabled: true, [...]}
> Jun 28 20:41:12 cfsvcd[105781]: Failed to setup or configure host system:
> Linux Audit watcher failure: Netlink Error: IO Error: Protocol not
> supported (os error 93)
> Jun 28 20:41:12 cfsvcd[105781]: Received stop. Exiting
> unix::wait_for_signal. Signal: 0, done.is_signaled(): true
> Jun 28 20:41:12 cfsvcd[105781]: Joining async_agent_thread
> Jun 28 20:41:13 cfsvcd[105781]: Attempting to stop subscriber (Ebpf).
> Jun 28 20:41:13 cfsvcd[105781]: Shutting down due to termination signal
> [...]
> Jun 28 20:41:15 cfsvcd[105781]: Subscriber stopped.
> Jun 28 20:41:15 auditctl[106733]: Error - audit support not in kernel
> Jun 28 20:41:15 auditctl[106733]: Cannot open netlink audit socket
> Jun 28 20:41:15 systemd[1]: cfsvcd.service: Service hold-off time over,
> scheduling restart.
> Jun 28 20:41:15 systemd[1]: cfsvcd.service: Scheduled restart job, restart
> counter is at 301.
> Jun 28 20:41:15 systemd[1]: Stopped Canary Forwarder Service.
>
Here's the unit file for cfsvcd.service:
> [Unit]
> Description=Canary Forwarder Service
>
> DefaultDependencies=no
> After=local-fs.target systemd-tmpfiles-setup.service auditd.service
> Before=sysinit.target shutdown.target
> # Replace the auditd service if it is running
> Conflicts=auditd.service shutdown.target
>
> [Service]
> WorkingDirectory=/opt/redcanary
> ExecStart=/opt/redcanary/cfsvcd
> ExecStopPost=-/sbin/auditctl -D
> Restart=always
> TimeoutSec=15
>
> [Install]
> WantedBy=multi-user.target
>
Is this a known issue? Is there a workaround to stop the logging to the
kernel ring buffer? Is there any more information I can provide to help
debug?
Thanks,
Samuel Bahr
Pinterest Sr. Site Reliability Engineer
1 year, 4 months
Re: Comprehensive Documentation on the Linux Audit Framework
by Vincent Abraham
Thanks. Could you also point to portions in the codebase where these
functions are called for monitoring file access? The reason I'm asking for
this is that I'm trying to provide auditing for files of a specific type
and I'm trying to understand how would that work. Any help would be
appreciated.
1 year, 6 months