In my initial message I did not include the output of auditctl -s. In
the meantime I have disabled failure (0) and increased the backlog
limit (heavily). As you can see I still have a lost count of 52.
While browsing the archives of the list I found MSG00127,
https://www.redhat.com/archives/linux-audit/2017-September/msg00127.html.
Maybe there are similarities with that problem. That user also reported
a high number of lost messages.
enabled 2
failure 0
pid 760
rate_limit 0
backlog_limit 524288
lost 52
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked
Hopefully someone is able to help.
On 20-08-18 11:56, Frederik Bosch wrote:
Hello Audit team,
As I have not found a location anywhere else on the web, I am sending
my question to this list. I have an Ubuntu 18.04 machine with auditd
and it acts as a Docker Host machine. I have hardened the system via
this package:
https://github.com/konstruktoid/hardening which installs
auditd with the configuration to be found here:
https://github.com/konstruktoid/hardening/blob/master/misc/audit.rules.
The problems I have are related to the directives -f and -b. The
hardening package uses -b 8192 and -f 2. That results in a kernel
panic very quickly because of audit backlog limit exceeded, and that
causes a reboot of the system. Now I wonder what a good configuration
would be. I started reading on the subject and read that -f 2 is
probably the best for security reasons. However, I do not want to have
a system that panics very quickly and reboots.
Should I simply increase the backlog to much higher numbers? Or should
I change -f to not cause a kernel panic? Or am I missing something and
should I change some other configuration? Thanks for your help.
Kind regards,
Frederik Bosch
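The two messages above turn on the same three numbers: the failure flag (-f), the backlog limit (-b) and the "lost" counter that auditctl -s reports. The script below is an added example, not code from the thread or from the konstruktoid/hardening package: it parses an auditctl -s dump and an audit.rules fragment and prints a one-line verdict, so the panic-on-overflow case (-f 2) and the silently-dropping case (-f 0 with a rising lost counter) can be told apart without reading the raw output. All three inputs are constructed samples (STATUS_PANIC, STATUS_LOSSY and RULES_PANIC); the function and variable names are mine, and the "kernel defaults" comment reflects the defaults in kernel/audit.c as I know them (printk mode, backlog 64).

```shell
#!/bin/sh
# Added example (not from the thread or the hardening package): parse
# `auditctl -s` output and an audit.rules fragment to flag the -f/-b
# combination discussed above. All inputs below are constructed samples.

# Constructed status dump for the hardening package's defaults (-b 8192 -f 2)
STATUS_PANIC='enabled 2
failure 2
pid 760
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
loginuid_immutable 0 unlocked'

# Constructed status dump shaped like the poster's second report (-f 0, large backlog)
STATUS_LOSSY='enabled 2
failure 0
pid 760
rate_limit 0
backlog_limit 524288
lost 52
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked'

# Constructed audit.rules fragment in the style of the hardening package
RULES_PANIC='-D
-b 8192
-f 2
-w /etc/passwd -p wa -k identity'

# Print the value of one field of an `auditctl -s` dump given on stdin.
status_field() { awk -v f="$1" '$1 == f { print $2; exit }'; }

# Print the value of a control option (-b, -f, ...) from audit.rules text on
# stdin; the last occurrence wins, as it does when auditctl loads the file.
rules_opt() { awk -v o="$1" '$1 == o { v = $2 } END { print v }'; }

# Map the numeric failure flag (-f) to its meaning.
failure_mode() {
    case "$1" in
        0) echo silent ;;   # drop events quietly, only bump `lost`
        1) echo printk ;;   # log a kernel message for each lost event
        2) echo panic ;;    # kernel panic: a backlog overrun reboots the host
        *) echo unknown ;;
    esac
}

# One-line verdict for a status dump:
#   "panic <backlog_limit>"  when -f 2 is active (overflowing that backlog panics)
#   "<mode>-loss <lost>"     when events have already been dropped under -f 0 or -f 1
#   "ok <lost>"              otherwise
audit_verdict() {
    failure=$(printf '%s\n' "$1" | status_field failure)
    lost=$(printf '%s\n' "$1" | status_field lost)
    limit=$(printf '%s\n' "$1" | status_field backlog_limit)
    mode=$(failure_mode "${failure:-0}")
    if [ "$mode" = panic ]; then
        echo "panic ${limit:-0}"
    elif [ "${lost:-0}" -gt 0 ]; then
        echo "${mode}-loss ${lost}"
    else
        echo "ok ${lost:-0}"
    fi
}

# Verdict for an audit.rules fragment: the failure mode and backlog limit it
# would install (kernel defaults assumed if the file sets neither: printk, 64).
rules_verdict() {
    f=$(printf '%s\n' "$1" | rules_opt -f)
    b=$(printf '%s\n' "$1" | rules_opt -b)
    echo "$(failure_mode "${f:-1}") ${b:-64}"
}

# `./audit_check.sh --live` (as root) inspects the running daemon; otherwise
# the constructed samples are evaluated.
if [ "${1:-}" = --live ]; then
    audit_verdict "$(auditctl -s)"
else
    audit_verdict "$STATUS_PANIC"    # panic 8192
    audit_verdict "$STATUS_LOSSY"    # silent-loss 52
    rules_verdict "$RULES_PANIC"     # panic 8192
fi
```

The point the verdicts make explicit: with -f 2 the lost counter is irrelevant, because the first overflow of the 8192-entry backlog panics the box before the counter is ever read; with -f 0 the counter is the only evidence that events were dropped, which is exactly the situation in the follow-up message.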
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit