
Configure audit=1 for more accurate auid auditing #253

Closed
jaredledvina opened this issue Jan 10, 2020 · 4 comments · Fixed by #259

Comments

@jaredledvina
Contributor

Is your feature request related to a problem? Please describe.
Currently, in the default audit logs from this project, there's a ton of events with auid=4294967295 which is because they start before the audit daemon is up.

ausearch --uid-effective 4294967295 --just-one
----
time->Tue Jan  7 01:12:46 2020
type=DAEMON_START msg=audit(1578359566.985:2837): op=start ver=2.8.4 format=raw kernel=4.19.0-6-amd64 auid=4294967295 pid=28320 uid=0 ses=4294967295 subj=unconfined  res=success

Describe the solution you'd like
Add audit=1 as an additional grub kernel parameter

Describe alternatives you've considered
N/A at that time

Additional context
See https://manpages.debian.org/testing/auditd/auditd.8.en.html

NOTES
A boot param of audit=1 should be added to ensure that all processes that run before the audit daemon starts are marked as auditable by the kernel. Not doing that will make a few processes impossible to properly audit.
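The records the issue describes can be measured rather than eyeballed. The script below is an added example, not code from the dev-sec hardening role: it counts audit records whose auid is the kernel's "unset" value (4294967295, i.e. (unsigned)-1, the value in the DAEMON_START record above) and checks whether the running kernel's command line actually carries audit=1. The function names, the temporary file and the three sample log lines are constructed for the example; the sample lines imitate raw auditd format but are not real captures.

```shell
#!/bin/sh
# Added example, not code from the dev-sec hardening role: measure how many
# records in an audit log carry the "unset" login uid, and check whether the
# running kernel was booted with audit=1. Function names, paths and the sample
# log are constructed for this example.

# auid=4294967295 is (unsigned)-1: the kernel had no login uid for the process,
# which is what a DAEMON_START record from before auditd was up shows.
UNSET_AUID=4294967295

# Count records in a raw/ausearch-format audit log whose auid is unset.
# Prints the count; a log with no such records prints 0.
count_unset_auid() {
    # grep -c exits 1 when nothing matched, which is not an error here.
    grep -cE "auid=${UNSET_AUID}([^0-9]|\$)" "$1" || true
}

# Count records of any kind (lines starting with type=).
count_records() {
    grep -c '^type=' "$1" || true
}

# Return 0 when the kernel command line string in $1 contains the word audit=1
# (audit=10 or audit=0 do not count).
cmdline_has_audit() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'audit=1'
}

# Write a small constructed sample log (two records with unset auid, one with
# auid=1000) to the path in $1, so the functions above can be exercised offline.
write_sample_log() {
    cat >"$1" <<'EOF'
type=DAEMON_START msg=audit(1578359566.985:2837): op=start ver=2.8.4 format=raw kernel=4.19.0-6-amd64 auid=4294967295 pid=28320 uid=0 ses=4294967295 subj=unconfined  res=success
type=SERVICE_START msg=audit(1578359567.100:2838): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_LOGIN msg=audit(1578359600.000:2839): pid=2000 uid=0 auid=1000 ses=1 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=success'
EOF
}

# Report for the given log: how many records have an unset auid, and whether
# audit=1 is on the current kernel command line.
report() {
    log=$1
    total=$(count_records "$log")
    unset_count=$(count_unset_auid "$log")
    echo "records with unset auid: $unset_count of $total"
    if [ -r /proc/cmdline ] && cmdline_has_audit "$(cat /proc/cmdline)"; then
        echo "kernel booted with audit=1: yes"
    else
        echo "kernel booted with audit=1: no (processes started before auditd keep auid=$UNSET_AUID)"
    fi
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
report "$sample"
rm -f "$sample"
```

On a real host, point `report` at the raw log (typically /var/log/audit/audit.log); the count only tells you how much of the log is affected, it cannot recover the login uid for records that were already written with it unset.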

@rndmh3ro
Member

Hey @jaredledvina,

I don't know if I want to start configuring grub (and grub2, syslinux?) with this role. That'd be a lot of overhead (testing with docker would be impossible) for such a "small" feature.
However adding this to the README is something I could get behind.

What do you think?

@jaredledvina
Contributor Author

Hey @rndmh3ro,

Yeah, I think that's fair. That way folks who are looking to improve the logging accuracy can simply configure it. It also requires a reboot to take effect, so I think that's totally fair.

@rndmh3ro
Member

Good to hear! :) Do you want to create a PR for this?

@jaredledvina
Contributor Author

Yep!
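The thread settles on documenting the change rather than having the role edit the bootloader. For readers who do want to apply it by hand, the following is an added example (not the role's code and not the README text the linked PR adds): an idempotent edit of a file in /etc/default/grub format that puts audit=1 on GRUB_CMDLINE_LINUX exactly once and drops any stale audit=0 that would otherwise conflict. The function names and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the dev-sec role or its README: put audit=1 on the
# GRUB kernel command line idempotently. The function edits a file in the
# /etc/default/grub format given as $1; the sample file below is constructed.

# Ensure GRUB_CMDLINE_LINUX in the file $1 carries audit=1 exactly once.
# Any existing audit=<n> token is dropped first so a stale audit=0 cannot
# override the new setting; if the variable is absent it is appended.
add_audit_param() {
    file=$1
    tmp="$file.tmp"
    awk -v param="audit=1" '
        /^GRUB_CMDLINE_LINUX=/ {
            found = 1
            value = $0
            sub(/^GRUB_CMDLINE_LINUX=/, "", value)
            gsub(/"/, "", value)
            n = split(value, tok, " ")
            out = ""
            for (i = 1; i <= n; i++) {
                if (tok[i] ~ /^audit=/) continue   # drop old audit=... tokens
                out = (out == "" ? tok[i] : out " " tok[i])
            }
            out = (out == "" ? param : out " " param)
            print "GRUB_CMDLINE_LINUX=\"" out "\""
            next
        }
        { print }
        END { if (!found) print "GRUB_CMDLINE_LINUX=\"" param "\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the current value of GRUB_CMDLINE_LINUX from the file $1 (empty if unset).
get_cmdline_linux() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# Constructed sample in /etc/default/grub format, with a conflicting audit=0.
write_sample_grub() {
    cat >"$1" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="audit=0 net.ifnames=0"
EOF
}

# Demo on the constructed file; on a real host you would run add_audit_param
# against /etc/default/grub, regenerate grub.cfg and reboot.
sample=$(mktemp)
write_sample_grub "$sample"
add_audit_param "$sample"
echo "after first run:  $(get_cmdline_linux "$sample")"
add_audit_param "$sample"
echo "after second run: $(get_cmdline_linux "$sample")"
rm -f "$sample"
```

Editing the defaults file changes nothing by itself: regenerate the menu with `update-grub` (Debian/Ubuntu) or `grub2-mkconfig -o /boot/grub2/grub.cfg` (RHEL family), reboot as the thread notes, and confirm with `grep -w audit=1 /proc/cmdline`. Records written before that reboot keep their unset auid.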

rndmh3ro pushed a commit that referenced this issue Jan 25, 2020
* Add kernel parameter information to README

Add initial documentation around configuring audit=1 to reduce the inaccuracies in the auditd logs.
Closes #253

Signed-off-by: Jared Ledvina <jared@techsmix.net>

* Cleanup spelling

Signed-off-by: Jared Ledvina <jared@techsmix.net>
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
* Add kernel parameter information to README

Add initial documentation around configuring audit=1 to reduce the inaccuracies in the auditd logs.
Closes dev-sec#253

Signed-off-by: Jared Ledvina <jared@techsmix.net>

* Cleanup spelling

Signed-off-by: Jared Ledvina <jared@techsmix.net>