Open rohanc opened 4 years ago
nbrownus
commented
4 years ago It is caused by this bit of code meant to keep ownership of the netlink socket in the event someone or something else tries to take it https://github.com/slackhq/go-audit/blob/master/client.go#L138
You can filter it out via the config https://github.com/slackhq/go-audit/blob/master/examples/go-audit/go-audit.yaml#L37
filters:
- message_type: 1305
regex: .*
rohanc
commented
4 years ago Thanks, I've enabled the filter, but I'm wondering if there is an unnecessary performance impact by having this safety mechanism trigger every few seconds? I gather normal auditd manages without it.
I'm also wondering if the filter would prevent logging about actual changes to audit configuration via the audictl command, so perhaps an option to disable this 'keep ownership' code would be helpful?
If you feel it's important to retain then adding the filter to go-audit.yaml.example would at least help users understand what's going on.
Description
When I run go-audit it logs AUDIT_CONFIG_CHANGE messages every few seconds. Any idea why this is happening? I don't see this when running ordinary auditd.
Reproducible in:
go-auditversion: dev+20200629015509 I also tried with version 1.00 and got the same result. OS version(s): Ubuntu 20.04 LTS kernel 5.4.0-39-generic go v1.13.8Steps to reproduce:
Expected result:
No AUDIT_CONFIG_CHANGE messages. A similar volume of messages as when I run auditd with the same rules.
Actual result:
{"sequence":904,"timestamp":"1593402441.566","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}} {"sequence":905,"timestamp":"1593402446.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}} {"sequence":906,"timestamp":"1593402451.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}