Multiple "-module: auditd" stanzas in config file lead to problems

A user of mine took a provided auditbeat.yml config file and converted it into something that included:

  - module: auditd
    enabled: true
    audit_rules: "-a always,exit -F arch=b32 -S all -k 32bit-abi"
    user.detect_password_changes: false
    scan_at_start: false
    recursive: true
  - module: auditd
    enabled: true
    audit_rules: "-a always,exit -F arch=b64 -S execve,execveat -k exec"
    user.detect_password_changes: false
    scan_at_start: false
    recursive: true

If you start auditbeat using this, you'll see output along these lines from auditbeat show auditd-status:

enabled 1
failure 0
pid 0
rate_limit 0
backlog_limit 8192
lost 381
backlog 0
backlog_wait_time 0
features 0xf

The pid value is 0. To the kernel, that means there is no user-space audit listener. When the linux kernel sees a pid value of 0 here and auditing is still enabled, it will printk the audit record into the kernel message buffer leading to journald spamming various logs in /var/log.

It looks to me like auditbeat is trying to instantiate two modules:

2021...	INFO	instance/beat.go:299	Setup Beat: auditbeat; Version: 7.10.2
2021...	INFO	[publisher]	pipeline/module.go:113	Beat name: dca1-security-prod-intel01
2021...	INFO	[auditd]	auditd/audit_linux.go:106	auditd module is running as euid=0 on kernel=4.9.0-16-amd64
2021...	INFO	[auditd]	auditd/audit_linux.go:133	socket_type=unicast will be used.
2021...	INFO	[auditd]	auditd/audit_linux.go:106	auditd module is running as euid=0 on kernel=4.9.0-16-amd64
2021...	INFO	[auditd]	auditd/audit_linux.go:133	socket_type=unicast will be used.

The second instantiation steps on the first leading to pid == 0.

I don't think this is what is expected. Either it is a syntax error to have two "module: auditd" clauses, or auditbeat should cleanly have the second clause supersede the first or both should be able to happily coexist.

Worth a bug report?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.