On 2020-04-14 09:27, Luca BRUNO wrote: > Hi all, > I'm trying to re-spin a very old thread related to multicast listeners > and audit events to kmsg. > > One surprising kernel behavior when using only a multicast listener > to collect audit events (in this case, systemd-journald) is that > audit events end up spamming the console [0]. > > [0] https://github.com/systemd/systemd/issues/15324 This is not surprising, since the multicast audit socket is not considered a reliable sink for the audit log and thus cannot be relied upon to key the decision to forward potentially lost messages to the system log.

> Apparently there isn't a clear consensus on how this should be > approached. Looking at the github and bugzilla tickets, it seems to me > that Eric and Paul initially had in mind some logic based on multicast > listener detection, while Richard doesn't deem that reliable and > suggests an explicit configuration. I'm regretting having developped this feature due to the problems it has caused the audit developpers and innocent bystanders. Instead, an audit daemon plugin should have been used to direct log records to journald.

Well, Steve, Paul and myself are all fairly firmly on the side of the problem being in systemd and its overreach.

> For Richard and the "explicit configuration" approach in particular, I'm > missing some further details: > * Is the current behavior considered buggy, or is that intended to be > kept as the default? The current systemd behaviour of unilatterally enabling audit logging is considered buggy. The current audit kernel behaviour is considered intentional.

> * Would this be tweaked via a (boolean?) sysctl, and what would be the > semantics of flipping it? It would be controlled via a new audit unicast netlink message similar to the one that enabled auditing in the first place by systemd that would explicitly disable klog when a multicast client is connected.

On Mi, 15.04.20 11:53, Richard Guy Briggs (rgb(a)redhat.com) wrote: > On 2020-04-14 09:27, Luca BRUNO wrote: > > Hi all, > > I'm trying to re-spin a very old thread related to multicast listeners > > and audit events to kmsg. > > > > One surprising kernel behavior when using only a multicast listener > > to collect audit events (in this case, systemd-journald) is that > > audit events end up spamming the console [0]. > > > > [0] https://github.com/systemd/systemd/issues/15324 > > This is not surprising, since the multicast audit socket is not > considered a reliable sink for the audit log and thus cannot be relied > upon to key the decision to forward potentially lost messages to the > system log. kmsg is not reliable either, it aggressively and silently drops messages if the log buffer runs full, which it does pretty quickly. hence there's really no difference here if data is written to the mcast socket or to kmsg, in both cases messages are dropped when the buffer limits are hit, hence it should be entirely fine to do only one of the twoif the unicast client to audit is not running. > > Apparently there isn't a clear consensus on how this should be > > approached. Looking at the github and bugzilla tickets, it seems to me > > that Eric and Paul initially had in mind some logic based on multicast > > listener detection, while Richard doesn't deem that reliable and > > suggests an explicit configuration. > > I'm regretting having developped this feature due to the problems it has > caused the audit developpers and innocent bystanders. Instead, an audit > daemon plugin should have been used to direct log records to > journald. I am sorry, but this doesn't work for us. We do not want to do IPC to some audit daemon (journald runs during early boot and in the initrd, it has a very special relationship with early boot stuff and PID1, and thus being a client to other daemons is highly problematic, if those other daemons are managed by systemd as well, and run only during later boot). In fact we don't even want the dependency on the audit userspace package at all. In systemd we just think that audit information is pretty interesting even if you don't want to buy into the whole government regulation stuff, even if you don't want the auditd to run, and the full audit package installed. i.e. we want to collect the data as one of our various data streams, as a secondary consumer of it, and leave it to the audit package itself to do everything else and be the primary consumer of it. Using the multicast group is our way of saying: "we don't want to own the audit stream, you can keep it; we just want to have a look too". I believe that there are plenty of systems where audit logs should be collected but the whole auditd daemon should not be around, i.e. where the usefulness of the data is acknowledged without acknowledging that government regulations matter or the audit package should exist on every single system. > Well, Steve, Paul and myself are all fairly firmly on the side of the > problem being in systemd and its overreach. We explicitly don#t want to own the audit stream, that's why we don#t use the unicast stuff, but only subscribe via the mcast stuff, so that we don't interfere with auditd's own processing if it is running, and we don't exlcude auditd from running. we want a mode where audit is collected, just like that without any auditd package installed, but if you decide to install auditd things just work too. > > For Richard and the "explicit configuration" approach in particular, I'm > > missing some further details: > > * Is the current behavior considered buggy, or is that intended to be > > kept as the default? > > The current systemd behaviour of unilatterally enabling audit logging is > considered buggy. The current audit kernel behaviour is considered > intentional. Well, we try hard to not step on your toes and do not use the unicast stuff and do not pretend to be auditd, so that auditd can be installed and run in parallel to journald with us being in the backseat. It's my understanding that the mcast stuff was added for this kind of thing, except that it never became useful, since it also means that kmsg is spammed by audit.

THere's a usecase for collecting audit but not running the whole audit userspace suite, can't you see that? i.e. i for one am interested in selinux audit msgs, but I am not interested in the audit toolchain I must say, I really am not, and I am pretty sure there are many others like me. But you basically tell us to go away, or buy into the whole audit userspace. > > * Would this be tweaked via a (boolean?) sysctl, and what would be the > > semantics of flipping it? > > It would be controlled via a new audit unicast netlink message similar > to the one that enabled auditing in the first place by systemd that > would explicitly disable klog when a multicast client is connected. It would be excellent to have an option to turn off the kmsg forwarding. Lennart

On Fr, 17.04.20 14:57, Richard Guy Briggs (rgb(a)redhat.com) wrote: > > Well, we try hard to not step on your toes and do not use the unicast > > stuff and do not pretend to be auditd, so that auditd can be installed > > and run in parallel to journald with us being in the backseat. It's my > > understanding that the mcast stuff was added for this kind of thing, > > except that it never became useful, since it also means that kmsg is > > spammed by audit. > > Where your claim falls flat is that systemd/journald is stepping on > auditd's toes by enabling audit. Enabling audit is auditd's job. Again, we are interested in the audit information, because we think it's useful. If we wouldn't enable audit in the kernel we wouldn't get it. Hence we enable audit.

(But see: https://github.com/systemd/systemd/pull/15444 — with that it's now configurable, but it still defaults to on, because we actually think the data is useful, and we think it's useful event without auditd around, regardless if that's because we run in the earliest initrd where there never is auditd around or because we run during normal operation and auditd is simply not installed.) Lennart

> In systemd we just think that audit information is pretty interesting > even if you don't want to buy into the whole government regulation > stuff, even if you don't want the auditd to run, and the full audit > package installed. i.e. we want to collect the data as one of our > various data streams, as a secondary consumer of it, and leave it to > the audit package itself to do everything else and be the primary > consumer of it. > > Using the multicast group is our way of saying: "we don't want to own > the audit stream, you can keep it; we just want to have a look > too". The problem is that on systems without a running audit daemon there is no one to "own" the audit stream so it floods the kmsg, spills onto the console, and everyone's feet get wet. Are we going to blame the source of the stream, or the person who turned on the tap in the first place and caused the mess?

If systemd enables the audit stream, and doesn't want the stream to flood kmsg, it needs to make sure that the stream is directed to a suitable sink, be it auditd or some other daemon.

> > If systemd enables the audit stream, and doesn't want the stream to > > flood kmsg, it needs to make sure that the stream is directed to a > > suitable sink, be it auditd or some other daemon. > > This sounds as if journald should start using the unicast stream. This > basically means auditd is out of the game, and cannot be added in > anymore, because the unicast stream is then owned by journald. It > wouldn't be sufficient to just install the audit package to get > classic audit working anymore. You'd have to reconfigure everything. > > I mean, we try to be non-intrusive, not step into your territory too > much, not replace auditd, not kick auditd out of the game. But you are > basically telling us to do just that? My recommendation is that if you are going to enable audit you should also ensure that auditd is running; that is what I'm telling you.

On Do, 23.04.20 09:50, Paul Moore (paul(a)paul-moore.com) wrote: >>> If systemd enables the audit stream, and doesn't want the stream to >>> flood kmsg, it needs to make sure that the stream is directed to a >>> suitable sink, be it auditd or some other daemon. >> This sounds as if journald should start using the unicast stream. This >> basically means auditd is out of the game, and cannot be added in >> anymore, because the unicast stream is then owned by journald. It >> wouldn't be sufficient to just install the audit package to get >> classic audit working anymore. You'd have to reconfigure everything. >> >> I mean, we try to be non-intrusive, not step into your territory too >> much, not replace auditd, not kick auditd out of the game. But you are >> basically telling us to do just that? > My recommendation is that if you are going to enable audit you should > also ensure that auditd is running; that is what I'm telling you. Well, that's the "audit is my private kingdom" response, right?

People are interested in collecting the audit stream without having the full audit daemon installed. There's useful data in the audit stream, already generated during really early boot, long before auditd runs, i.e. in the initrd. And for smaller systems auditd is not really something people want around.

For example, Fedora CoreOS wants to enable selinux, thus is interested in audit messages, but have no intention to install auditd, in the typical, minimal images they generate. See: https://github.com/systemd/systemd/issues/15324

Lennart -- Lennart Poettering, Berlin -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit

On Do, 23.04.20 09:19, Casey Schaufler (casey(a)schaufler-ca.com) wrote: > > For example, Fedora CoreOS wants to enable selinux, thus is interested > > in audit messages, but have no intention to install auditd, in the > > typical, minimal images they generate. See: > > > > https://github.com/systemd/systemd/issues/15324 > > If you can do a better job of consuming audit data than auditd I for one > would be impressed. I've written multiple audit systems over the years > (not this one, but the issues are all familiar and the solutions similar) > and the kernel -> user interface is much, much harder than it looks. The audit support in journald is really not about doing "a better job", or being "faster". Totally not. It's about making a common case easy, that's all. There are at least two very different usecases for the audit data: 1. auditing for the purpose of auditing (i.e. government style) 2. people who just want to debug their frickin selinux issues auditd is great for #1. for #2 people don't want to bother, journald is fine, speed or reliability or any such don't matter, the mcast stuff is definitely good enough, and the benefit of collecting the AVCs via audit from earliest boot on is a lot more interesting and important for such uses than to wonder what happens if the queue runs over...