hi guys,
we are sawing weird issue, we are using auditbeat as pod running on our kubenets cluster, however in some day, we saw there is a large audit events has been write to our work node /var/log/message, and i can confirm auditd service has been disable on the work node. so anything reason happen on this ? thanks for help
a lot auditd events write in /var/log/messages in short time
Sep 7 18:16:52 node-v88jz-11 audit: PROCTITLE proctitle=2F6E657464002D2D64697361626C652D746573736E65742D66696E616C697A65723D74727565002D2D636F6E6669673D2F6D6E742F6970616D2D636F6E6669672F636F6E6669672E6A736F6E002D2D656E61626C652D746C626D656D6265722D636F6E74726F6C6C65723D74727565002D2D746C626D656D6265722D776F726B
Sep 7 18:16:52 node-v88jz-11 audit[57547]: SYSCALL arch=c000003e syscall=281 success=yes exit=0 a0=3 a1=c001049800 a2=80 a3=0 items=0 ppid=57169 pid=57547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="admission-serve" exe="/admission-server" subj=? key=(null)
Sep 7 18:16:52 node-v88jz-11 audit[57547]: SYSCALL arch=c000003e syscall=281 success=yes exit=0 a0=3 a1=c001049800 a2=80 a3=0 items=0 ppid=57169 pid=57547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="admission-serve" exe="/admission-server" subj=? key=(null)
Sep 7 18:16:52 node-v88jz-11 audit[57923]: SYSCALL arch=c000003e syscall=202 success=yes exit=0 a0=c0047e2148 a1=80 a2=0 a3=0 items=0 ppid=60774 pid=57923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netd" exe="/netd" subj=? key=(null)
Sep 7 18:16:52 node-v88jz-11 audit[57923]: SYSCALL arch=c000003e syscall=202 success=yes exit=0 a0=c0047e2148 a1=80 a2=0 a3=0 items=0 ppid=60774 pid=57923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netd" exe="/netd" subj=? key=(null)
Sep 7 18:16:52 node-v88jz-11 audit: PROCTITLE proctitle=2F61646D697373696F6E2D736572766572002D2D61757468656E7469636174696F6E2D6B756265636F6E6669673D2F6574632F6170697365727665722F6167672D6B756265636F6E666967002D2D61757468656E7469636174696F6E2D736B69702D6C6F6F6B75703D74727565002D2D617574686F72697A6174696F6E2D6B75
I can think of a two things to check.
journald can receive audit events over multicast and log them. You can disable it with systemctl mask systemd-journald-audit.socket.
The kernel has a feature to optionally write messages using printk. You can control this with Auditbeat by adding failure_mode: silent (see docs). You can check the value with auditctl -s (from auditd) or auditbeat show auditd-status.
thanks andrewkroh, let me try that
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.