3:28 p.m.
Dear all,
I have a situation where there are two audit clients on the same machine:
one of them is auditd, and another one is an IDS client that uses the audit
subsystem directly. By looking at the source (
http://lxr.free-electrons.com/source/kernel/audit.c?v=3.13#L787), I suspect
that there might be no provision in the kernel for multiple audit subsystem
userland daemons running in parallel (only one pid, only one netlink socket
in the kernel). I could not find any documentation confirming or denying
that.
Has anyone tried that before? What would actually happen if two different
audit clients tried to use the same interface to the audit subsystem in the
kernel?
Yours,
--
Max
8:30 p.m.
On 16/02/10, Max Timchenko wrote:
Dear all,
I have a situation where there are two audit clients on the same machine:
one of them is auditd, and another one is an IDS client that uses the audit
subsystem directly. By looking at the source (
http://lxr.free-electrons.com/source/kernel/audit.c?v=3.13#L787), I suspect
that there might be no provision in the kernel for multiple audit subsystem
userland daemons running in parallel (only one pid, only one netlink socket
in the kernel). I could not find any documentation confirming or denying
that.
Has anyone tried that before? What would actually happen if two different
audit clients tried to use the same interface to the audit subsystem in the
kernel?
With recent changes upstream, the second would be denied with -EEXIST.
Before that, the older one would be starved out. And versions even
older might actually have the newer one orphaned in the very occasional
race where the older one shuts down after the second one starts.
To quote Highlander, "There Can Be Only One".
There is also planning to be done to allow one auditd per user
namespace to support containers, but we aren't there yet.
Max
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
2:16 a.m.
On Wed, Feb 10, 2016 at 9:30 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
There is also planning to be done to allow one auditd per user
namespace to support containers, but we aren't there yet.
To add to that, we will also provide better support for containers
with a single auditd instance (the microservices case) by providing
better marking of audit records to help indicate which namespace set
(what the kernel would consider a container) generated the audit
event.
--
paul moore
www.paul-moore.com
2:19 p.m.
On Wed, Feb 10, 2016 at 9:30 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
On 16/02/10, Max Timchenko wrote:
> Has anyone tried that before? What would actually happen if two different
> audit clients tried to use the same interface to the audit subsystem in
the
> kernel?
With recent changes upstream, the second would be denied with -EEXIST.
Before that, the older one would be starved out. And versions even
older might actually have the newer one orphaned in the very occasional
race where the older one shuts down after the second one starts.
To quote Highlander, "There Can Be Only One".
Thanks Richard and Paul for your quick responses. It's great to hear that
support for
containers is being worked on.
I have read the docs on audispd(8) - is it something auditd and the other
client could use to enable multiple access? It sounds like audispd does
support
multiple clients, but I would guess all clients would have to use the
audispd plugin
interface instead of the usual kernel API.
What is missing from the documentation for me is the relationship between
audispd
and auditd - whether audispd is an optional component of auditd that can
run
concurrently, or audispd is a replacement of auditd when configured
(and then auditd cannot run on the same machine
without running into the same multi-client issues).
Yours,
--
Max
10:39 p.m.
On 16/02/11, Max Timchenko wrote:
On Wed, Feb 10, 2016 at 9:30 PM, Richard Guy Briggs
<rgb(a)redhat.com> wrote:
> On 16/02/10, Max Timchenko wrote:
> > Has anyone tried that before? What would actually happen if two different
> > audit clients tried to use the same interface to the audit subsystem in
> the
> > kernel?
>
> With recent changes upstream, the second would be denied with -EEXIST.
>
> Before that, the older one would be starved out. And versions even
> older might actually have the newer one orphaned in the very occasional
> race where the older one shuts down after the second one starts.
>
> To quote Highlander, "There Can Be Only One".
Thanks Richard and Paul for your quick responses. It's great to hear
that support for containers is being worked on.
I have read the docs on audispd(8) - is it something auditd and the
other client could use to enable multiple access? It sounds like
audispd does support multiple clients, but I would guess all clients
would have to use the audispd plugin interface instead of the usual
kernel API.
What is missing from the documentation for me is the relationship
between audispd and auditd - whether audispd is an optional component
of auditd that can run concurrently, or audispd is a replacement of
auditd when configured (and then auditd cannot run on the same machine
without running into the same multi-client issues).
I will defer to Steve Grubb on this quesition as the userspace tools are
his domain of expertise.
Yours,
--
Max
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
1:13 p.m.
On Thursday, February 11, 2016 03:19:27 PM Max Timchenko wrote:
I have read the docs on audispd(8) - is it something auditd and the
other
client could use to enable multiple access? It sounds like audispd does
support multiple clients, but I would guess all clients would have to use
the audispd plugin interface instead of the usual kernel API.
Yes. This is intentional and has existed for about 10 years.
What is missing from the documentation for me is the relationship
between
audispd and auditd - whether audispd is an optional component of auditd that
can run concurrently
Yes. If you look in auditd.conf, you will see that there is a configuration
option, dispatcher, which allows you to select another consumer of audit
events. Normally the selection of /sbin/audispd is the best because it allows
"unlimited" multiplexing of the audit stream.
You can send events to syslog, setroubleshoot, and remotely log events in an
aggregator all at the same time.
, or audispd is a replacement of auditd when configured
(and then auditd cannot run on the same machine
without running into the same multi-client issues).
No. The audispd man page says, "audispd is an audit event multiplexor. It has
to be started by the audit daemon in order to get events."
HTH...
-Steve
12:50 p.m.
On Wednesday, February 10, 2016 04:28:26 PM Max Timchenko wrote:
I have a situation where there are two audit clients on the same
machine:
one of them is auditd, and another one is an IDS client that uses the audit
subsystem directly.
It should not be designed that way. For compliance purposes many people have
to save the audit logs. I have given several speeches on how to do this so
that everyone has a correct model to work from. The latest speech on audit+IDS
is here:
http://people.redhat.com/sgrubb/audit/audit_ids_2011.pdf
The main idea is that auditd has a builtin facility for sharing events,
auditspd. The IDS system can clip into it and get the event stream. If it
wants events as they come "off the wire" they should set the format option to
BINARY and they will get it exactly as it was handed to auditd. More typical
is to use STRING format so that they can use auparse to dissect the event for
processing.
By looking at the source (
http://lxr.free-electrons.com/source/kernel/audit.c?v=3.13#L787), I suspect
that there might be no provision in the kernel for multiple audit subsystem
userland daemons running in parallel (only one pid, only one netlink socket
in the kernel). I could not find any documentation confirming or denying
that.
There is not. Nor should there be. With the ease in which analysis programs
can get the audit stream, they should not have to resort to exclusive access.
For example, setroubleshooter plugin puts something in /etc/audisp/plugins.d/
so that it can see events in realtime. Its a good example of "doing it right".
Has anyone tried that before? What would actually happen if two
different
audit clients tried to use the same interface to the audit subsystem in the
kernel?
Last one wins.
-Steve
3553
days inactive
3555
days old
linux-audit@lists.linux-audit.osci.io
6 comments
4 participants
participants (4)
-
Max Timchenko -
Paul Moore -
Richard Guy Briggs -
Steve Grubb