Hi Steve,
That was the trick, to add audit_backlog_limit=8192. Thanks a lot for
all your answers, things are much clearer for me now!
Regards,
Frederik
On 23-08-18 16:18, Steve Grubb wrote:
On Wednesday, August 22, 2018 10:49:20 AM EDT Frederik Bosch wrote:
> Hi Steve,
>
> That was really helpful, again. My aureport looks much healthier now! I
> have one remaining question. When running auditctl -s I still have a lost
> value of 51 after boot.
>
> enabled 2
> failure 1
> pid 779
> rate_limit 0
> backlog_limit 8192
> lost 51
> backlog 0
> backlog_wait_time 0
> loginuid_immutable 0 unlocked
>
> What could be the cause?
By default, the audit subsystem reserves 64 slots for audit events. Systemd
can easily overrun this before auditd starts. So, you need to boot with the
following kernel boot options:
audit=1 audit_backlog_limit=8192
Do you have this for boot options?
> My aureport now looks like this.
>
> sudo aureport --start boot --key --summary
>
> Key Summary Report
> ===========================
> total key
> ===========================
> 289 auditlog
> 120 specialfiles
> 73 docker
> 69 privileged
> 29 access
> 19 perm_mod
> 17 delete
> 12 actions
> 11 audit_rules_networkconfig_modification
> 10 cron
> 10 modules
> 10 login
> 6 apparmor_tools
> 6 audit_time_rules
> 5 systemd_tools
> 5 audit_rules_usergroup_modification
> 5 pam
> 4 power
> 3 audittools
> 3 group_modification
> 3 user_modification
> 3 init
> 3 modprobe
> 3 sshd
> 2 apparmor
> 2 systemd
> 2 export
> 2 auditconfig
> 2 mail
> 2 admin_user_home
> 1 audispconfig
> 1 MAC-policy
> 1 passwd_modification
> 1 logins
> 1 libpath
> 1 localtime
> 1 audit_time_ruleszone
> 1 sysctl
>
> If I understand things correctly with failure set to 1, I should find a
> message in dmesg due to printk, but I have not found any that is
> related.
There may be a chance that these were lost before auditd rules were loaded.
> My auditd.conf is as follows.
>
> local_events = yes
> write_logs = yes
> log_file = /var/log/audit/audit.log
> log_group = adm
> log_format = RAW
> flush = INCREMENTAL_ASYNC
> freq = 50
> max_log_file = 8
> num_logs = 5
Btw, these two settings only allow 40MB of logs. Typically if you really need
auditing you need more than this.
> priority_boost = 4
> disp_qos = lossy
> dispatcher = /sbin/audispd
> name_format = NONE
> ##name = mydomain
> max_log_file_action = keep_logs
> space_left = 75
> space_left_action = email
> verify_email = yes
> action_mail_acct = root
> admin_space_left = 50
> admin_space_left_action = halt
> disk_full_action = SUSPEND
> disk_error_action = SUSPEND
> use_libwrap = yes
> ##tcp_listen_port = 60
> tcp_listen_queue = 5
> tcp_max_per_addr = 1
> ##tcp_client_ports = 1024-65535
> tcp_client_max_idle = 0
> enable_krb5 = no
> krb5_principal = auditd
> ##krb5_key_file = /etc/audit/audit.key
> distribute_network = no
>
> Or is it something I should not be worried about?
Maybe. Let's see what the boot options are. Also, what kernel version are you
using?
-Steve
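The three things Steve asks about in this thread (the boot options, the `lost` counter from `auditctl -s`, and the `max_log_file` x `num_logs` budget in auditd.conf) can be checked from a shell. The script below is an added example, not part of the mailing-list thread and not part of the audit package; the `auditctl -s` sample mirrors the output quoted above, while the two kernel command lines and the trimmed auditd.conf are constructed inputs. Each function takes its input as a string, so the same functions can be pointed at `/proc/cmdline`, live `auditctl -s` output and `/etc/audit/auditd.conf` on a real host.

```shell
#!/bin/sh
# Added example (not from the original thread): three checks that reproduce
# what Steve asks for in his reply.
#   audit_cmdline_ok        - does the kernel command line carry audit=1 and an
#                             audit_backlog_limit at least as large as requested?
#   audit_lost_count        - extract the "lost" counter from `auditctl -s` output
#   auditd_log_capacity_mb  - max_log_file * num_logs from auditd.conf text
# Live usage (assumed paths, standard on Linux/auditd):
#   audit_cmdline_ok "$(cat /proc/cmdline)" 8192
#   audit_lost_count "$(auditctl -s)"
#   auditd_log_capacity_mb "$(cat /etc/audit/auditd.conf)"

# Return 0 when the command line contains audit=1 and audit_backlog_limit=<n>
# with n >= the wanted value (second argument, default 8192). The kernel's
# default of 64 backlog slots is what systemd overruns before auditd starts.
audit_cmdline_ok() {
    cmdline="$1"
    want="${2:-8192}"
    case " $cmdline " in
        *" audit=1 "*) ;;
        *) return 1 ;;
    esac
    # Last occurrence wins, matching how repeated kernel parameters apply.
    limit=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
        | sed -n 's/^audit_backlog_limit=\([0-9][0-9]*\)$/\1/p' | tail -n 1)
    [ -n "$limit" ] && [ "$limit" -ge "$want" ]
}

# Print the "lost" value from `auditctl -s` output (0 if the line is absent).
audit_lost_count() {
    printf '%s\n' "$1" | awk '$1 == "lost" { n = $2 } END { print n + 0 }'
}

# Print max_log_file * num_logs (MB) from auditd.conf text, skipping comments.
# Missing keys are treated as 0 rather than guessing a default.
auditd_log_capacity_mb() {
    printf '%s\n' "$1" | awk -F '=' '
        /^[[:space:]]*#/ { next }
        {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
            if (key == "max_log_file") size  = val + 0
            if (key == "num_logs")     count = val + 0
        }
        END { print size * count }'
}

# Constructed sample inputs. The status block mirrors the one quoted in the
# thread; the command lines and the trimmed config are made up for the demo.
SAMPLE_CMDLINE_GOOD="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro audit=1 audit_backlog_limit=8192"
SAMPLE_CMDLINE_BAD="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_STATUS="enabled 2
failure 1
pid 779
rate_limit 0
backlog_limit 8192
lost 51
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked"
SAMPLE_CONF="log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
##name = mydomain
max_log_file_action = keep_logs"

# Report on a command line without failing the script (for the demo run).
report_cmdline() {
    if audit_cmdline_ok "$1"; then
        echo "cmdline OK (audit=1 and backlog limit present): $1"
    else
        echo "cmdline MISSING audit=1 or a large enough audit_backlog_limit: $1"
    fi
}

report_cmdline "$SAMPLE_CMDLINE_GOOD"
report_cmdline "$SAMPLE_CMDLINE_BAD"
echo "events lost before auditd attached: $(audit_lost_count "$SAMPLE_STATUS")"
echo "rotation budget: $(auditd_log_capacity_mb "$SAMPLE_CONF") MB"
```

A non-zero `lost` counter that is stable across `auditctl -s` runs after boot, with the backlog limit raised on the kernel command line and `backlog 0`, points at events dropped early in boot rather than an ongoing loss; a counter that keeps climbing is the case worth investigating. The capacity figure is the rotation budget that applies with `max_log_file_action = rotate`; with `keep_logs`, as in the quoted config, auditd does not delete old files, so the number of log files grows instead of being capped at `num_logs`.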