scylladb / scylla-machine-image


Audit unnecessarily activated in Azure scylla images #464

Closed ShlomiBalalis closed 12 months ago

ShlomiBalalis commented 12 months ago

Issue description

In the Azure images created for 2023.1, Audit logging is activated by default, flooding the logs with a lot of unnecessary chatter:

```
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: EXECVE argc=3 a0="bash" a1="-c" a2=2F7573722F62696E2F6E6F6465746F6F6C202D752063617373616E647261202D7077202763617373616E647261272020676F73736970696E666F20
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: CWD cwd="/home/scyllaadm"
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: PATH item=0 name="/bin/bash" inode=1597 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=? nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=4690 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=? nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: PROCTITLE proctitle=62617368002D63002F7573722F62696E2F6E6F6465746F6F6C202D752063617373616E647261202D7077202763617373616E647261272020676F73736970696E666F20
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: AUDIT1420 subj_apparmor=unconfined
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit[12793]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=564ced3f7b20 a1=564ced3f58b0 a2=564ced3f7b60 a3=8 items=3 ppid=12699 pid=12793 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=21 comm="nodetool" exe="/usr/bin/env" subj=? key="auoms"
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: EXECVE argc=8 a0="/usr/bin/env" a1="bash" a2="/usr/bin/nodetool" a3="-u" a4="cassandra" a5="-pw" a6="cassandra" a7="gossipinfo"
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: CWD cwd="/home/scyllaadm"
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: PATH item=0 name="/usr/bin/nodetool" inode=22557 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=? nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: PATH item=1 name="/usr/bin/env" inode=1780 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=? nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: PATH item=2 name="/lib64/ld-linux-x86-64.so.2" inode=4690 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=? nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: PROCTITLE proctitle=62617368002D63002F7573722F62696E2F6E6F6465746F6F6C202D752063617373616E647261202D7077202763617373616E647261272020676F73736970696E666F20
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit: AUDIT1420 subj_apparmor=unconfined
2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | audit[12793]: SYSCALL arch=c000003e syscall=59 success=no exit=-2 a0=7ffd928da670 a1=7ffd928da8e0 a2=7ffd928da920 a3=8000000004007 items=1 ppid=12699 pid=12793 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=21 comm="nodetool" exe="/usr/bin/env" subj=? key="auoms"
```

Is there a reason it was activated? And specifically only in Azure images?

Installation details

Kernel Version: 5.15.0-1014-azure

Scylla version (or git commit hash): 5.2.0~dev-20220805.cf0f912e599d with build-id 64417404297f48e5f9be9c0590588c806b769a04

Cluster size: 4 nodes (Standard_L8s_v3)

Scylla Nodes used in this run:

OS / Image: /subscriptions/6c268694-47ab-43ab-b306-3c5514bc4112/resourceGroups/SCYLLA-IMAGES/providers/Microsoft.Compute/images/scylla-5.2.0-dev-x86_64-2022-08-05T04-27-11Z (azure: eastus)

Test: rolling-upgrade-azure-image-test

Test id: 66470668-b584-420e-b4af-3e004c97a0d5

Test name: enterprise-2023.1/rolling-upgrade/rolling-upgrade-azure-image-test

Test config file(s):

Logs and commands

- Restore Monitor Stack command: `$ hydra investigate show-monitor 66470668-b584-420e-b4af-3e004c97a0d5`
- Restore monitor on AWS instance using [Jenkins job](https://jenkins.scylladb.com/view/QA/job/QA-tools/job/hydra-show-monitor/parambuild/?test_id=66470668-b584-420e-b4af-3e004c97a0d5)
- Show all stored logs command: `$ hydra investigate show-logs 66470668-b584-420e-b4af-3e004c97a0d5`

## Logs:

- **db-cluster-66470668.tar.gz** - [https://cloudius-jenkins-test.s3.amazonaws.com/66470668-b584-420e-b4af-3e004c97a0d5/20230702_234805/db-cluster-66470668.tar.gz](https://cloudius-jenkins-test.s3.amazonaws.com/66470668-b584-420e-b4af-3e004c97a0d5/20230702_234805/db-cluster-66470668.tar.gz)
- **sct-runner-events-66470668.tar.gz** - [https://cloudius-jenkins-test.s3.amazonaws.com/66470668-b584-420e-b4af-3e004c97a0d5/20230702_234805/sct-runner-events-66470668.tar.gz](https://cloudius-jenkins-test.s3.amazonaws.com/66470668-b584-420e-b4af-3e004c97a0d5/20230702_234805/sct-runner-events-66470668.tar.gz)
- **sct-66470668.log.tar.gz** - [https://cloudius-jenkins-test.s3.amazonaws.com/66470668-b584-420e-b4af-3e004c97a0d5/20230702_234805/sct-66470668.log.tar.gz](https://cloudius-jenkins-test.s3.amazonaws.com/66470668-b584-420e-b4af-3e004c97a0d5/20230702_234805/sct-66470668.log.tar.gz)
- **monitor-set-66470668.tar.gz** - [https://cloudius-jenkins-test.s3.amazonaws.com/66470668-b584-420e-b4af-3e004c97a0d5/20230702_234805/monitor-set-66470668.tar.gz](https://cloudius-jenkins-test.s3.amazonaws.com/66470668-b584-420e-b4af-3e004c97a0d5/20230702_234805/monitor-set-66470668.tar.gz)
- **loader-set-66470668.tar.gz** - [https://cloudius-jenkins-test.s3.amazonaws.com/66470668-b584-420e-b4af-3e004c97a0d5/20230702_234805/loader-set-66470668.tar.gz](https://cloudius-jenkins-test.s3.amazonaws.com/66470668-b584-420e-b4af-3e004c97a0d5/20230702_234805/loader-set-66470668.tar.gz)

[Jenkins job URL](https://jenkins.scylladb.com/job/enterprise-2023.1/job/rolling-upgrade/job/rolling-upgrade-azure-image-test/8/)

[Argus](https://argus.scylladb.com/test/fc869933-dcdf-4130-9dd4-b9c0c4c10b53/runs?additionalRuns[]=66470668-b584-420e-b4af-3e004c97a0d5)
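
For triaging a log flood like the one in the excerpt, the following is an added example, not part of the original issue or of the scylla-machine-image code. It counts audit records per type and per rule key and decodes the hex-encoded EXECVE arguments; the function names and the trimmed sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

RECORD = re.compile(r"audit(?:\[\d+\])?: (\w+) (.*)$")   # record type, rest of line
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')                # key=value or key="value"

def decode(value):
    """auditd quotes plain strings and hex-encodes those with spaces, quotes or NULs."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value                      # e.g. (null) or a missing argument
    return raw.replace(b"\x00", b" ").decode("utf-8", "replace")

def parse_line(line):
    m = RECORD.search(line)
    return (m.group(1), dict(FIELD.findall(m.group(2)))) if m else None

def summarize(lines):
    """Count records per type and per rule key; decode EXECVE argument vectors."""
    types, keys, commands = Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # not an audit record
        rtype, fields = rec
        types[rtype] += 1
        if rtype == "SYSCALL":            # the rule key is carried on the SYSCALL record
            keys[decode(fields.get("key", "(none)"))] += 1
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", 0))
            commands.append([decode(fields.get(f"a{i}", "?")) for i in range(argc)])
    return types, keys, commands

# Constructed sample: records shortened from the excerpt in the issue, plus one non-audit line.
PREFIX = "2023-07-02T22:27:14+00:00 rolling-upgrade--ubuntu-focal-db-node-eastus-3   !NOTICE | "
SAMPLE = [PREFIX + r for r in (
    'audit: EXECVE argc=3 a0="bash" a1="-c" a2=2F7573722F62696E2F6E6F6465746F6F6C202D752063617373616E647261202D7077202763617373616E647261272020676F73736970696E666F20',
    'audit: CWD cwd="/home/scyllaadm"',
    'audit[12793]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 pid=12793 comm="nodetool" exe="/usr/bin/env" key="auoms"',
    'audit: EXECVE argc=8 a0="/usr/bin/env" a1="bash" a2="/usr/bin/nodetool" a3="-u" a4="cassandra" a5="-pw" a6="cassandra" a7="gossipinfo"',
    "scylla: constructed non-audit line",
)]

if __name__ == "__main__":
    types, keys, commands = summarize(SAMPLE)
    print(types, keys)
    for argv in commands:
        print(argv)
```

Run over a full node log, the per-key counter shows which audit rule produces the volume, and the decoded argument vectors show which commands are being recorded.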