inspec hangs on command('ausearch -k docker').stdout #768

Closed
atomic111 opened this issue May 25, 2016 · 4 comments

@atomic111
Contributor

Description

I connect via inspec shell -t ssh://vagrant@127.0.0.1 --port 2201 --key-files vm_docker/.vagrant/machines/centos7/virtualbox/private_key --sudo to a vagrant box and want to execute command('ausearch -k docker').stdout to get the audit log for the docker process.

InSpec and Platform Version

0.21.1

Replication Case

Install auditd and start the daemon. My config looks like this:

auditd.conf

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6 
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port = 
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

audit.rules

-D
-b 320

-w /usr/bin/docker -k docker
-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /var/run/docker.sock -k docker
-w /usr/lib/systemd/system/docker.service -k docker
-w /usr/lib/systemd/system/docker.socket -k docker
-w /etc/docker/daemon.json -k docker
-w /usr/bin/docker-containerd -k docker
-w /usr/bin/docker-runc -k docker
  • start a docker container to produce an audit log entry
  • inspec shell -t ssh://vagrant@127.0.0.1 --port 2201 --key-files vm_docker/.vagrant/machines/centos7/virtualbox/private_key --sudo
  • command('ausearch -k docker').stdout
  • I expect to see the auditd log messages for docker

It looks like the ausearch tool cannot query the auditd daemon, because if I use command('sh -c "ausearch -k docker > output.log"').stdout then it creates output.log, but it is empty.

@atomic111
Contributor Author

An addition: I tested with ssh -i vm_docker/.vagrant/machines/centos7/virtualbox/private_key -p 2201 vagrant@127.0.0.1 "sudo ausearch -k docker" and it was not working, but if I add the -t flag (ssh -i vm_docker/.vagrant/machines/centos7/virtualbox/private_key -p 2201 -t vagrant@127.0.0.1 "sudo ausearch -k docker") it is working. Maybe ausearch needs a tty.

@chris-rock
Contributor

@atomic111 Thanks for reporting that issue. This sounds strange. Is the following working?

command('ausearch -k docker > output.log')
command('cat output.log').stdout

@atomic111
Contributor Author

atomic111 commented May 25, 2016

I found the solution. I have to add the parameter --input-logs, like this: command('ausearch --input-logs -k docker | grep docker | grep privileged').stdout, and I got the expected output => "type=EXECVE msg=audit(1464162224.534:6361): argc=6 a0=\"docker\" a1=\"exec\" a2=\"-it\" a3=\"--privileged\" a4=\"ubuntu-test\" a5=\"bash\"\n"

The explanation is that ausearch with --input-logs reads the location of the log file from auditd.conf and not from stdin.

--input-logs Use the log file location from auditd.conf as input for searching. This is needed if you are using ausearch from a cron job.

@chris-rock, thanks for your help.
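As an added example (not code from this issue or from InSpec), the following Ruby script parses the type=EXECVE records that ausearch --input-logs -k docker prints, decoding both quoted and hex-encoded argument values, and flags privileged docker exec/run invocations of the kind the grep above was looking for. The sample records are constructed for the example; the first one reuses the record quoted in the comment above.

```ruby
# Added example, not InSpec or atomic111's code. The sample input is constructed:
# the first record is the one quoted in the issue, the other two are made up.
SAMPLE_AUSEARCH = <<~LOG
  type=EXECVE msg=audit(1464162224.534:6361): argc=6 a0="docker" a1="exec" a2="-it" a3="--privileged" a4="ubuntu-test" a5="bash"
  type=EXECVE msg=audit(1464162300.120:6370): argc=3 a0="docker" a1="ps" a2="-a"
  type=EXECVE msg=audit(1464162350.001:6381): argc=7 a0="docker" a1="run" a2="--privileged" a3="alpine" a4="sh" a5="-c" a6=6563686F206869
LOG

EXECVE_RE = /\Atype=EXECVE msg=audit\((?<ts>\d+\.\d+):(?<serial>\d+)\): (?<rest>.*)\z/

# Parse one EXECVE record into {ts:, serial:, argv:}; returns nil for other record types.
# auditd quotes plain argument values and hex-encodes values containing spaces,
# quotes or non-printable bytes (a6 in the sample), so both forms are decoded.
def parse_execve(line)
  m = EXECVE_RE.match(line.strip)
  return nil unless m
  fields = {}
  m[:rest].scan(/(\w+)=("[^"]*"|\S+)/) do |key, val|
    if val.start_with?('"')
      fields[key] = val[1..-2]
    elsif key.match?(/\Aa\d+\z/) && val.match?(/\A(?:[0-9A-Fa-f]{2})+\z/)
      fields[key] = [val].pack('H*') # hex-encoded argv element
    else
      fields[key] = val
    end
  end
  argv = (0...fields['argc'].to_i).map { |i| fields["a#{i}"] }
  { ts: m[:ts].to_f, serial: m[:serial].to_i, argv: argv }
end

# True for "docker exec ..." / "docker run ..." that asked for --privileged.
def privileged_docker?(argv)
  argv.first == 'docker' && %w[exec run].include?(argv[1]) && argv.include?('--privileged')
end

# Scan ausearch output (one record per line) and return the privileged events.
def privileged_events(ausearch_stdout)
  ausearch_stdout.each_line.map { |l| parse_execve(l) }.compact
                 .select { |e| privileged_docker?(e[:argv]) }
end

if __FILE__ == $PROGRAM_NAME
  privileged_events(SAMPLE_AUSEARCH).each do |e|
    puts "#{Time.at(e[:ts]).utc} serial=#{e[:serial]} #{e[:argv].join(' ')}"
  end
end
```

Inside an InSpec profile the same functions can be fed command('ausearch --input-logs -k docker').stdout instead of the constructed sample.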

@chris-rock
Contributor

Thanks @atomic111 for the quick turn-around. This is really good to know.
