
Since CoreOS 766, the auditing subsystem is partially integrated:

The audit subsystem has been enabled in the kernel and auditctl added to the image. Most audit events are ignored by default. The audit rules may be modified in /etc/audit/rules.d. Note that auditd is not included; journald is responsible for logging events instead, although it is a best-effort mechanism. Unlike with auditd-based systems, the kernel will not panic if journald fails to record an event for some reason.

I have tried the following in order to audit syscalls on both the 899 and the alpha 1000 CoreOS releases.

# starting a new periodic process:
$ while true; do echo "coreos ..." > /tmp/a.txt && sleep 5s; done &
[1] 4509

# get its pid and add a new audit rule:
$ sudo auditctl -a always,exit -F arch=b64 -S read,write,close,dup2,wait4 -F pid=4509

# wait 5 minutes and check if any audit-related event was logged by journald:
$ journalctl | grep audit | wc
      0       0       0

Why can't I see any event that's logged by journald?

The cn.ko module is loaded properly and, according to the auditctl -l output, the rule is set successfully. Though it looks like journald doesn't receive messages from the netlink interface.

I followed these steps in order to enable debugging, but it didn't give any hints either:

mkdir -p /etc/systemd/system/systemd-journald.service.d/

vim /etc/systemd/system/systemd-journald.service.d/10-debug.conf and filled it with the following content:

[Service]
Environment=SYSTEMD_LOG_LEVEL=debug

And restarted the systemd-journald service:

systemctl daemon-reload
systemctl restart systemd-journald
dmesg | grep systemd-journald
Brian Redbeard
0x90
  • I don't understand why you wouldn't ask this question of the CoreOS project directly https://coreos.com/community/. Especially as this is a new feature and people in business environments (our target audience) don't usually use bleeding-edge releases. – user9517 Apr 10 '16 at 06:00
  • @Iain I _still_ don't know how or when CoreOS would make sense to use. – ewwhite Apr 11 '16 at 01:38

1 Answer

CoreOS ships with a set of default rules and is designed to be configured via the filesystem in /etc/audit/rules.d/. As you are trying to play with it interactively what you will want to do is clear the audit rules first as there is a rule at /etc/audit/rules.d/99-default.rules that silences all remaining rules.

Simply run auditctl -D to clear the rules and then your interactively added rules should start working.

FWIW, the rule from 99-default.rules that is causing trouble is -a exclude,always -F msgtype>0.

Brandon Philips
  • As with many of the `*.d` directories, the contents are loaded in lexical order. Using `99-` as the prefix ensures that rules can be easily added before (e.g. `00` through `98`) as well as be added afterwards (e.g. beginning with alphabetic characters). For more information as to *why* that rule has specific mechanics read the man pages for `audit.rules` and `auditctl`. – Brian Redbeard Apr 13 '16 at 06:31
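As an added example (not code from the question, the answer or the CoreOS project), the script below reads a rules.d directory in the lexical order the comment above describes and flags the catch-all exclude rule the answer names, so you can see why an interactively added rule produces nothing in journald before reaching for auditctl -D. The directory and rule files that make_demo_dir creates are constructed for the demo.

```shell
#!/bin/sh
# Added example: scan an audit rules.d directory in the lexical order its
# files are read and flag the catch-all exclude rule (msgtype>0) that the
# answer identifies as silencing every audit message.
# The rule files built by make_demo_dir are constructed for this demo.

# Print every rule of every *.rules file in lexical order, prefixed with its
# file name; comments and blank lines are dropped.
list_rules() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f" |
            while IFS= read -r rule; do
                printf '%s: %s\n' "$(basename "$f")" "$rule"
            done
    done
}

# Count rules that put msgtype>0 on the exclude list, i.e. suppress every
# message before it can reach journald (or auditd).
count_silencers() {
    list_rules "$1" |
        grep -c -E -- '-a[[:space:]]+(exclude,always|always,exclude)[[:space:]].*msgtype[[:space:]]*>[[:space:]]*0' || true
}

# Build a constructed rules.d holding the syscall rule from the question
# (as a file) and a copy of the silencing rule from 99-default.rules.
make_demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' '## constructed: the syscall rule from the question' \
        '-a always,exit -F arch=b64 -S read,write,close,dup2,wait4 -F pid=4509' \
        > "$d/10-local.rules"
    printf '%s\n' '-a exclude,always -F msgtype>0' > "$d/99-default.rules"
    echo "$d"
}

demo=$(make_demo_dir)
echo "rules in load order:"
list_rules "$demo"
n=$(count_silencers "$demo")
echo "catch-all exclude rules: $n"
if [ "$n" -gt 0 ]; then
    echo "events will be dropped; clear the loaded rules with 'auditctl -D' before re-adding yours"
fi
rm -rf "$demo"
```

Point list_rules and count_silencers at a real /etc/audit/rules.d to check a live system; a count above zero explains an empty journalctl | grep audit.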