Thanks, I'll try building with the actual latest in a bit.

Secondary question: the reason for what I'm working on is that we want to be able to audit what folks do as root on our production hosts.  We're not a bank, and a perfect solution is not required, but we do need to be able to take reasonable steps to find out if people with access are doing bad things.

Is this setup reasonable for that purpose?  I know that's a loaded question and I can answer any questions anyone has that are necessary to figure this out.  I am not asking so much about rules, but about architecture: logging according to whatever rules we set up, to the local audit.log and immediately to a remote using audisp-remote, so the log can't be easily manipulated.


On Wed, Jul 13, 2016 at 8:57 AM, Steve Grubb <sgrubb@redhat.com> wrote:
On Wednesday, July 13, 2016 8:47:58 AM EDT Chris Nandor wrote:
> Hi, I had some odd behavior to report.
>
> I am running ubuntu 12.04.  Using the default auditd and audispd-plugins
> packages for my release, I was able to get logs sent to local syslog and to
> a remote auditd server (same basic configuration), but the entries were
> being buffered somewhere (I think on the client side), and if the server
> died reconnections didn't happen.
>
> So, I wanted a more recent version, so I compiled audit-userspace from the
> github src mirror,* trunk@1341.

The github repo is a mirror of svn and is not always up to date. The issue you
are seeing is fixed in the next commit after the mirror stops.

https://fedorahosted.org/audit/changeset/1342

If you want the latest you can:

svn co http://svn.fedorahosted.org/svn/audit/trunk

and then generate from there. I am planning to release audit-2.6.5 tomorrow.
So, if anyone can test the current code, I'd really appreciate it. I'm hoping
the next release settles down the audit code.


> When I did, I got some weird results.  For example, I got
> something like this in my audit.log:
>
>   node=host.example.com type=CWD msg=audit(1468363871.644:3279856):
>  cwd="/etc/audisp"
>
> And that was as expected.  In syslog, I expected to get:
>
>   Jul 13 08:34:53 host audispd: node=host.loc.example.com type=CWD
> msg=audit(1468363871.644:3279856):  cwd="/etc/audisp"
>
> But instead, I got:
>
>   Jul 13 08:34:53 host audispd: type=CWD msg=node=host.loc.example.com
> type=CWD msg=audit(1468363871.644
>
> As you can see, the whole thing was prepended with "type=CWD msg=", and the
> line was truncated.  Similarly, on the remote host, I got the same thing:
>
>   type=CWD msg=node=host.loc.example.com type=CWD msg=audit(1468363871.644
>
> I noticed that the most recent version of the src for ubuntu was 2.4.5, so
> I grabbed the src tarball from packages.ubuntu and built it, and now
> everything looks fine.  The exact same line I see in my audit.log shows up
> in the remote audit.log, with no buffering.  When I restart the remote
> auditd server or client, it reconnects.  syslog has the same entry (prepended
> with the timestamp etc.).  Everything seems happy now.
>
>
> *For some reason I had to define `CC_FOR_BUILD=gcc` in my shell when I ran
> `make` from the svn/git src.  I did not require this when building 2.4.5
> from the ubuntu src.

I think that should have been detected during configure.

-Steve
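The integrity check the architecture question at the top is after (does the remote or syslog copy carry exactly the record written to the local audit.log?), as an added example that is not from this thread or from the audit project. The sample lines are constructed after the ones quoted in the report; the parser is a small purpose-built one for this comparison, not the project's auparse library.

```python
import re
from typing import Dict, Optional

# Constructed sample lines, modelled on the ones quoted in the report.
LOCAL_LINE = ('node=host.loc.example.com type=CWD '
              'msg=audit(1468363871.644:3279856):  cwd="/etc/audisp"')
GOOD_REMOTE_LINE = LOCAL_LINE
# The broken trunk@1341 output: doubled "type=CWD msg=" prefix and truncated.
BAD_REMOTE_LINE = ('type=CWD msg=node=host.loc.example.com type=CWD '
                   'msg=audit(1468363871.644')

# msg=audit(<seconds>.<millis>:<serial>): is the only reliable record key,
# so a line without a complete one is treated as malformed.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Return the record's fields, or None if the line is malformed
    (doubled "type=... msg=" prefix or truncated event id)."""
    line = line.strip()
    m = MSG_RE.search(line)
    if m is None:
        return None                      # no complete audit(ts:serial)
    head = line[:m.start()]
    # A well-formed record has only node= and type= before msg= (plus the
    # syslog timestamp/host prefix, which is harmless); a second "msg="
    # in the head is the doubled-prefix symptom from the report.
    if 'msg=' in head:
        return None
    fields = dict(FIELD_RE.findall(head))
    fields['timestamp'], fields['serial'] = m.group(1), m.group(2)
    fields.update(FIELD_RE.findall(line[m.end():]))
    return fields

def remote_matches_local(local: str, remote: str) -> bool:
    """True only if the forwarded copy parses and carries the same event."""
    l, r = parse_record(local), parse_record(remote)
    return l is not None and r is not None and l == r

if __name__ == '__main__':
    print('good copy ok:', remote_matches_local(LOCAL_LINE, GOOD_REMOTE_LINE))
    print('bad copy ok: ', remote_matches_local(LOCAL_LINE, BAD_REMOTE_LINE))
```

Run over the local audit.log and the remote host's copy keyed by serial, a mismatch or a None is the signal that forwarding is dropping, corrupting or truncating records and the remote log cannot be trusted for the audit.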