From: Steve Grubb <sgrubb@redhat.com>
To: "Bhagwat, Shriniketan Manjunath" <shriniketan.bhagwat@hpe.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: Audit reporting Invalid argument
Date: Mon, 13 Jun 2016 11:01:06 -0400
Message-ID: <3850158.qFrFSIuG4S@x2>
In-Reply-To: <8FC6AD31395616439ECBCD98E071A87F4BF3F544@G4W3296.americas.hpqcorp.net>

On Monday, June 13, 2016 08:15:36 AM Bhagwat, Shriniketan Manjunath wrote:
> Hi,
> 
> Is it possible to start and stop the user-written audit plug-in while auditd
> and audispd are running? As I understand, audispd is started by auditd. Audispd
> starts the user plug-in program using its configuration file present in the
> /etc/audisp/plugins.d directory. Auditd and the user plug-in are started and
> stopped as part of auditd startup and stop. Is it possible to start the
> user plug-in after auditd is started and stop the user plug-in before
> auditd is stopped?

There is nothing that prevents you from sending a SIGTERM to the plugin if you 
are root. The plugin will be restarted when the next event arrives to audispd.

-Steve

> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Monday, May 16, 2016 6:24 PM
> To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
> Cc: linux-audit@redhat.com
> Subject: Re: Audit reporting Invalid argument
> 
> On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > > Not today. The check for uid 0 is a poor man's check for
> > > CAP_AUDIT_CONTROL
> > 
> > Are there any future plans to support enabling audit from non root
> > user using CAP_AUDIT_CONTROL?
> 
> You are the only person who has asked for it. I suppose it can be done in a
> couple lines of code. But you still have the permissions of the directories
> that hold the rules to correct. Easy to fix, but I think you might be
> fighting the distribution's package manager which would set things back to
> root every update.
> 
> > Regarding suppression of events, I will do some testing and let you
> > know later.
> > 
> > Is there a way I can avoid default logging of the audit events to
> > /var/log/audit/audit.log?
> 
> If you have an old copy of the audit system (2.5.1 or earlier) then use
> log_format = NOLOG. If you have a current copy, then use write_logs = no.
> 
> -Steve
> 
> > I do not want audit to log audit events to audit.log, however I will
> > capture them using my plug-in. Is there a way I can accomplish this? I
> > tried commenting out the log_file field in auditd.conf, however the
> > events are still written to audit.log. I think the code below from
> > auditd-config.c is causing audit to write to audit.log
> > 
> > config->log_file = strdup("/var/log/audit/audit.log");
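As an added example (not part of this thread or of the audit project), a small shell helper for the procedure Steve describes: locate a plug-in through its /etc/audisp/plugins.d entry and send it SIGTERM while auditd and audispd keep running, relying on audispd to respawn it on the next event. The sample config, the plug-in path /usr/local/sbin/my-audisp-plugin and the stop_plugin helper name are constructed for illustration.

```shell
#!/bin/sh
# Added example: stop (and thereby restart) one audispd plug-in without
# touching auditd. audispd re-spawns the plug-in when the next event arrives,
# so a well-behaved plug-in should catch SIGTERM and flush any buffered
# events before exiting, or those events are lost across the restart.

# Constructed sample of a plugins.d entry; a real one lives in
# /etc/audisp/plugins.d/<name>.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
active = yes
direction = out
path = /usr/local/sbin/my-audisp-plugin
type = always
args = --verbose
format = string
EOF
trap 'rm -f "$SAMPLE_CONF"' EXIT

# Print the "path =" value (the executable audispd execs) from a conf file.
plugin_path() {
    sed -n 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only if the entry is marked "active = yes"; an inactive entry
# is never started by audispd, so there is nothing to stop.
plugin_active() {
    grep -Eq '^[[:space:]]*active[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Send SIGTERM to every running instance of the plug-in (requires root).
# Matching on the full command line avoids killing an unrelated process
# that merely shares the basename.
stop_plugin() {
    conf="$1"
    plugin_active "$conf" || { echo "$conf is not active" >&2; return 1; }
    exe=$(plugin_path "$conf")
    [ -n "$exe" ] || { echo "no path= in $conf" >&2; return 1; }
    pids=$(pgrep -f "^$exe") || { echo "$exe not running" >&2; return 1; }
    for pid in $pids; do
        echo "sending SIGTERM to $exe (pid $pid)"
        kill -TERM "$pid"
    done
}

# Usage: ./stop-plugin.sh /etc/audisp/plugins.d/my-plugin.conf
if [ $# -gt 0 ]; then
    stop_plugin "$1"
fi
```

Start-up of a plug-in after auditd is already running is not covered because, as the reply says, audispd itself starts it on the next event; this script only handles the stop side.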
