How to configure Auditbeat to panic the kernel if auditing fails

Greetings all!

We have a small Elastic Stack used for security-relevant event collection in a standalone Red Hat Enterprise Linux 7.4 & 7.6 modeling & simulation enclave. The Stack is just four Elasticsearch nodes, a Kibana node, and a Logstash node (everything version 7.3). Events are collected from enclave systems by Auditbeat and shipped to Logstash.

We have a requirement to, if at all possible, configure systems to halt if they are unable to log auditable events, or in this case send those events to a central auditing system (our Elastic Stack). I was thinking configuring a test machine's (RHEL 7.6) Auditbeat's auditd module with "failure_mode: panic" would do so, but I turned off Logstash yesterday afternoon and my test box is still running. I believe the relevant lines from my auditbeat.yml are:

auditbeat.modules:
- module: auditd
  failure_mode: panic
  backlog_limit: 2
  backpressure_strategy: none

The backlog_limit is ridiculously low because I'm deliberately trying to trigger a kernel panic to test, but as noted above so far that hasn't happened. My questions, then:

  1. Can I actually configure Auditbeat 7.3 to panic a RHEL 7.6 kernel and halt the system?

  2. If so, am I on the right track with the configuration settings noted above, or am I missing something?

Bob
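Added example, not part of the post: a small POSIX shell helper that parses the output of `auditctl -s` to show what the kernel itself currently has configured, namely the audit failure flag (per auditctl(8) `-f`: 0 = silent, 1 = printk, 2 = panic), the effective backlog limit and the lost-record counter. The sample status text is constructed, and the function names are my own.

```shell
#!/bin/sh
# Helper (added, not from the post): parse `auditctl -s` output and report the
# kernel-side audit failure flag, backlog limit and lost-record counter.
# Failure flag values per auditctl(8) -f: 0 = silent, 1 = printk, 2 = panic.

# Constructed sample of what `auditctl -s` prints on a RHEL 7 host;
# on a real system use "$(auditctl -s)" instead.
SAMPLE_STATUS='enabled 1
failure 2
pid 1234
rate_limit 0
backlog_limit 2
lost 0
backlog 0'

# audit_field NAME STATUS_TEXT -> prints the value of NAME from STATUS_TEXT
audit_field() {
  printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# audit_failure_mode STATUS_TEXT -> prints silent|printk|panic|unknown
audit_failure_mode() {
  case "$(audit_field failure "$1")" in
    0) echo silent ;;
    1) echo printk ;;
    2) echo panic ;;
    *) echo unknown ;;
  esac
}

# audit_check STATUS_TEXT -> returns 0 only if the kernel failure action is
# panic AND no records have been lost so far; prints a one-line summary.
audit_check() {
  mode=$(audit_failure_mode "$1")
  lost=$(audit_field lost "$1")
  limit=$(audit_field backlog_limit "$1")
  echo "failure mode: $mode, backlog_limit: ${limit:-?}, lost records: ${lost:-?}"
  [ "$mode" = panic ] && [ "${lost:-1}" -eq 0 ]
}

audit_check "$SAMPLE_STATUS"
```

On a live host run `audit_check "$(auditctl -s)"`: a failure mode other than panic means the setting from auditbeat.yml is not active in the kernel, and a non-zero `lost` counter shows the kernel has already dropped records.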
