Ubuntu 16.10 auditd possible incompatibility

[wuurrd]

• I've read and understood the Contributing guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.
• I've searched for any related issues and avoided creating a duplicate issue.

Description

When attempting to build and run go-audit I find that no messages are received on ubuntu 16.10. auditctl -l shows the rules being there, but all messages that come in have Seq==0, and they seem to be responses to the config change heartbeat. (used the examples/go-audit/go-audit.yaml but modified to get output to stdout)

Reproducible in:

go-audit version: 2cd7fc8
OS version(s): Ubuntu server 16.10

Expected result:

We should get messages for the hooked syscalls.

Actual result:

No messages are received

[nbrownus]

Try disabling auditd with sudo systemctl stop auditd.service

[nbrownus]

Feel free to re-open this issue if it is still valid.

[bob22233]

This step of running sudo systemctl stop auditd.service should be better documented.

[siyuanpeng]

Do we know why go-audit doesnt work with auditd now?

[nbrownus]

The reason they don't play well together is that go-audit and auditd use a netlink socket to receive audit events from the kernel, only one process can own that socket at a time.

[siyuanpeng]

Was there any change on audit netlink? both go-audit and auditd seem working fine together on my vm with older version of linux.

[nbrownus]

Nope, go-audit and auditd are likely fighting each other on the socket in your case. Enable https://github.com/slackhq/go-audit/blob/master/go-audit.yaml.example#L18 and you should see the missed message log lines.

[siyuanpeng]

Got it. Thanks.