auditbeat: Warn if auditd is running by adriansr · Pull Request #6023 · elastic/beats

adriansr · 2018-01-09T03:03:56Z

Detect initialization failures for the auditd module:

When another process is already set as the audit process (auditd already running). This error is reported.
If rules are locked, prints a warning message and does not attempt to add its own rules (This implies auditd is running).

Closes #5845 and #6019

ruflin · 2018-01-09T03:10:29Z

@adriansr Seems to have a conflict.

andrewkroh

LGTM.

andrewkroh · 2018-01-09T15:37:07Z

auditbeat/module/auditd/audit_linux.go

Can you push the error to the reporter for this case (like we do at https://github.com/elastic/beats/pull/6023/files#diff-a3559204e3ac05aabc310b7b3dfd90e3R120). As an operator I'd like to see this type of information reported in Elasticsearch.

andrewkroh · 2018-01-09T15:43:28Z

auditbeat/module/auditd/audit_linux.go

Thought of one more thing. 😄
If the audit config is locked, will any of the above config changes result in a failure?

Yes, currently this is failing either in this line or the SetPID below.

I think we need to handle configuration locking differently as it will only work with a multicast socket. See this comment I left on the issue.

Detect failures When Auditbeat is installed as audit process by setting the PID field in the AuditStatus structure. This usually means another process is already set as the audit process.

The audit rules can be locked (enabled=2) so that further changes are not possible. Skip rule configuration if this is the case, displaying a warning message if rules are set in the configuration.

houndci-bot · 2018-01-14T15:10:48Z

auditbeat/module/auditd/audit_linux.go

if block ends with a return statement, so drop this else and outdent its block

andrewkroh

LGTM. Is this one still "in progress" (per the label)?

andrewkroh · 2018-01-16T07:51:08Z

auditbeat/module/auditd/audit_linux.go

Do you think we should log this message too?

Nope. I wasn't sure which one did you want to be reported in your first comment.

andrewkroh · 2018-01-16T08:02:27Z

auditbeat/module/auditd/audit_linux.go

Nit - Move the space to the previous line for consistency?

andrewkroh · 2018-01-16T08:04:21Z

auditbeat/module/auditd/audit_linux.go

I like the logic change here. It's deterministic now if the user specifies a socket_type.

Closes elastic#6019

ruflin added the Auditbeat label Jan 9, 2018

adriansr force-pushed the feature/ab/audit_pid branch from d13d0f0 to ceafea5 Compare January 9, 2018 05:29

adriansr changed the title ~~auditbeat: Warn if auditd is running (#5845)~~ auditbeat: Warn if auditd is running Jan 9, 2018

adriansr force-pushed the feature/ab/audit_pid branch 3 times, most recently from 774f290 to 1e8dee7 Compare January 9, 2018 12:04

adriansr added the review label Jan 9, 2018

andrewkroh reviewed Jan 9, 2018

View reviewed changes

adriansr added the in progress Pull request is currently in progress. label Jan 10, 2018

adriansr added 3 commits January 14, 2018 20:30

Update vendored go-libaudit from v0.0.6 to master

94219fa

Auditbeat: Detect SetPID failure

c163873

Detect failures When Auditbeat is installed as audit process by setting the PID field in the AuditStatus structure. This usually means another process is already set as the audit process.

Auditbeat: Don't set rules if audit status is locked

88aa42a

The audit rules can be locked (enabled=2) so that further changes are not possible. Skip rule configuration if this is the case, displaying a warning message if rules are set in the configuration.

adriansr force-pushed the feature/ab/audit_pid branch from 1e8dee7 to 1e79add Compare January 14, 2018 15:10

houndci-bot reviewed Jan 14, 2018

View reviewed changes

adriansr force-pushed the feature/ab/audit_pid branch from 1e79add to 5f9bc53 Compare January 16, 2018 07:13

andrewkroh approved these changes Jan 16, 2018

View reviewed changes

adriansr added 2 commits January 16, 2018 18:34

Auditbeat: Fail unicast configuration if audit locked

5b876af

Closes elastic#6019

Report errors when adding rules

0aec242

adriansr force-pushed the feature/ab/audit_pid branch from 5f9bc53 to 0aec242 Compare January 16, 2018 11:34

adriansr removed the in progress Pull request is currently in progress. label Jan 16, 2018

andrewkroh merged commit 91fcb93 into elastic:master Jan 16, 2018

andrewkroh mentioned this pull request Jan 17, 2018

Auditbeat initialization error #6091

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

auditbeat: Warn if auditd is running#6023

auditbeat: Warn if auditd is running#6023
andrewkroh merged 5 commits intoelastic:masterfrom
adriansr:feature/ab/audit_pid

adriansr commented Jan 9, 2018 •

edited

Loading

Uh oh!

ruflin commented Jan 9, 2018

Uh oh!

andrewkroh left a comment

Uh oh!

andrewkroh Jan 9, 2018

Uh oh!

andrewkroh Jan 9, 2018

Uh oh!

adriansr Jan 10, 2018

Uh oh!

houndci-bot Jan 14, 2018

Uh oh!

andrewkroh left a comment

Uh oh!

andrewkroh Jan 16, 2018

Uh oh!

adriansr Jan 16, 2018

Uh oh!

andrewkroh Jan 16, 2018

Uh oh!

andrewkroh Jan 16, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

adriansr commented Jan 9, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ruflin commented Jan 9, 2018

Uh oh!

andrewkroh left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

andrewkroh left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

adriansr commented Jan 9, 2018 •

edited

Loading