auditbeat: Warn if auditd is running #6023
Conversation
|
@adriansr Seems to have a conflict. |
adriansr
force-pushed
the
feature/ab/audit_pid
branch
from
d13d0f0 to
ceafea5
Compare
adriansr
changed the title
adriansr
force-pushed
the
feature/ab/audit_pid
branch
3 times, most recently
from
774f290 to
1e8dee7
Compare
| return errors.Wrap(err, "failed to get audit status before adding rules") | ||
| } | ||
| if status.Enabled == auditLocked { | ||
| ms.log.Warn("Skipping rule configuration: Audit rules are locked") |
There was a problem hiding this comment.
Can you push the error to the reporter for this case (like we do at https://github.com/elastic/beats/pull/6023/files#diff-a3559204e3ac05aabc310b7b3dfd90e3R120). As an operator I'd like to see this type of information reported in Elasticsearch.
|
|
||
| if err := ms.client.SetPID(libaudit.NoWait); err != nil { | ||
| return errors.Wrap(err, "failed to set audit PID") | ||
| if err := ms.client.WaitForPendingACKs(); err != nil { |
There was a problem hiding this comment.
Thought of one more thing. 😄
If the audit config is locked, will any of the above config changes result in a failure?
There was a problem hiding this comment.
Yes, currently this is failing either in this line or the SetPID below.
I think we need to handle configuration locking differently as it will only work with a multicast socket. See this comment I left on the issue.
Detect failures When Auditbeat is installed as audit process by setting the PID field in the AuditStatus structure. This usually means another process is already set as the audit process.
The audit rules can be locked (enabled=2) so that further changes are not possible. Skip rule configuration if this is the case, displaying a warning message if rules are set in the configuration.
adriansr
force-pushed
the
feature/ab/audit_pid
branch
from
1e8dee7 to
1e79add
Compare
| return multicast, nil | ||
| } | ||
| return unicast, nil | ||
| } else { |
There was a problem hiding this comment.
if block ends with a return statement, so drop this else and outdent its block
adriansr
force-pushed
the
feature/ab/audit_pid
branch
from
1e79add to
5f9bc53
Compare
| return err | ||
| } | ||
| if status.Enabled == auditLocked { | ||
| reporter.Error(errors.New("Skipping rule configuration: Audit rules are locked")) |
There was a problem hiding this comment.
Do you think we should log this message too?
There was a problem hiding this comment.
Nope. I wasn't sure which one did you want to be reported in your first comment.
| } | ||
| if isLocked { | ||
| log.Errorf("Cannot continue: audit configuration is locked" + | ||
| " in the kernel (enabled=2) which prevents using unicast " + |
There was a problem hiding this comment.
Nit - Move the space to the previous line for consistency?
| hasMulticast := hasMulticastSupport() | ||
| hasRules := len(rules) > 0 | ||
|
|
||
| const useAutodetect = "Remove the socket_type option to have auditbeat " + |
There was a problem hiding this comment.
I like the logic change here. It's deterministic now if the user specifies a socket_type.
adriansr
force-pushed
the
feature/ab/audit_pid
branch
from
5f9bc53 to
0aec242
Compare
Detect initialization failures for the auditd module:
Closes #5845 and #6019