On Monday, July 24, 2023 5:06:02 PM EDT Samuel Bahr wrote:
> `auditctl -D` does not make it go away (outputs `No rules`). auditd isn't
> running at all and this behavior is happening purely from the kernel. These
> systems were never set to enabled 2 (locked).
> I went ahead and filed a GitHub issue for this thread:
> https://github.com/linux-audit/audit-kernel/issues/146
> The maintainer there suggested it's too difficult to debug due to eBPF
> programs + AWS's modified kernel.
I think there is data that could help decide where the problem might be. On
one of the systems that is still logging, try running an event type report:

  aureport --start yesterday --event --summary -i

This should identify what kind of event is being emitted. Based on that, it
might point to where the problem is.
> I've resigned myself to asking Red Canary to support eBPF mode with the
> `audit=0` kernel parameter in their Linux EDR. Let me know if you have any
> other ideas.
I'd say collecting summary information about what kind of events are being
logged would be a good start.
-Steve
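As an added illustration, not code from this thread or from the audit-userspace project: a small POSIX shell triage script that parses constructed `aureport --start yesterday --event --summary -i` and `auditctl -s` output (the sample text and its counts are made up; `audit_state`, `top_event_type` and the other function names are my own) to answer the two questions raised in the thread: is the kernel audit subsystem enabled with no daemon owning it, and which event types dominate what it emits.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread or audit-userspace):
# summarise what the kernel audit subsystem is emitting and whether the
# state matches "auditd not running, no rules, events still flowing".

# Constructed sample of `aureport --event --summary -i` output; the event
# types and counts are made up for illustration.
SAMPLE_REPORT='
Event Summary Report
======================
total  type
======================
4821  SYSCALL
4815  PROCTITLE
4810  CWD
3102  PATH
12  BPF
'

# Constructed sample of `auditctl -s` output: enabled, but pid 0 means no
# auditd has registered itself as the consumer.
SAMPLE_STATUS='enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
loginuid_immutable 0 unlocked'

# Print "count type" lines from the summary, highest count first.
event_counts() {
    printf '%s\n' "$1" | awk '/^[0-9]+[[:space:]]+[A-Z0-9_]+$/ { print $1, $2 }' | sort -rn
}

# Name of the most frequent event type in the summary.
top_event_type() {
    event_counts "$1" | head -n 1 | awk '{ print $2 }'
}

# Value of one field from `auditctl -s` output, e.g. enabled, pid, lost.
status_field() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Classify the kernel audit state. "orphaned" is the situation the thread
# describes: the subsystem is enabled (1) but no daemon (pid 0) owns it.
# enabled 2 is the locked state the thread mentions.
audit_state() {
    enabled=$(status_field enabled "$1")
    pid=$(status_field pid "$1")
    if [ "$enabled" = "2" ]; then
        echo locked
    elif [ "$enabled" = "1" ] && [ "$pid" = "0" ]; then
        echo orphaned
    elif [ "$enabled" = "1" ]; then
        echo "owned by pid $pid"
    else
        echo disabled
    fi
}

# Stand-alone run over the constructed samples.
main() {
    echo "audit state:    $(audit_state "$SAMPLE_STATUS")"
    echo "lost events:    $(status_field lost "$SAMPLE_STATUS")"
    echo "top event type: $(top_event_type "$SAMPLE_REPORT")"
    echo "event counts:"
    event_counts "$SAMPLE_REPORT"
}

main
```

On a live system the two sample variables would be replaced by `$(aureport --start yesterday --event --summary -i)` and `$(auditctl -s)`; the parsing does not depend on the made-up counts, only on the column layout of those two commands.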