https://github.com/osquery/osquery logo
Powered by
Title
a

Artem

04/14/2021, 1:49 PM
Hi! When i try FIM in osquery in logs i see 
auditdnetlink.cpp:647] Failed to set the netlink owner
But, i don't have auditd in my OS. This is my conf 
"options": {
    "audit_allow_config": "true",
    "audit_allow_fim_events": "true",
    "audit_allow_sockets": "true",
    "audit_fim_show_accesses": "true",
    "enable_file_events": "true",
    "disable_events": "false",
    "audit_persist": "false",
    "disable_audit": "false",
    "audit_allow_process_events": "true",
    "pack_delimiter": "/",
    "config_plugin": "filesystem"
  },
Whai is my error? could anyone help pls?
m

Mike Myers

04/14/2021, 3:36 PM
Could there be anything else using the Audit subsystem? Is osquery running as root?
👍 1
a

Artem

04/14/2021, 3:39 PM
Yes, run as root. How can I see what other programms used Audit subsystem?
m

Mike Myers

04/14/2021, 3:41 PM
Normally it's 
auditd
using it, but I don't know how to check this exactly. @alessandrogario do you know a way?
Which version of Linux is it?
a

alessandrogario

04/14/2021, 3:43 PM
also not sure if it could be related to SELinux or AppArmor
a

Artem

04/14/2021, 3:44 PM
4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
m

Mike Myers

04/14/2021, 3:44 PM
It's possible that the kernel was compiled without Audit? But if it's generic Ubuntu then that's probably not the case
a

alessandrogario

04/14/2021, 3:46 PM
can you try to add --verbose and report here the messages?
also 
ps aux | grep audit
should only show the kernel service
m

Mike Myers

04/14/2021, 3:47 PM
It seems that osquery must've seen the Audit subsystem if it gets to this line https://github.com/osquery/osquery/blob/59500018df6d23e6c00e1def8d4aa34fc92a9d3d/osquery/events/linux/auditdnetlink.cpp#L651 (am I wrong? It would have to have called 
audit_open
successfully)
a

Artem

04/14/2021, 3:56 PM
I0414 18:51:54.292611  7985 auditdnetlink.cpp:329] Attempting to configure the audit service
I0414 18:51:54.292675 7985 auditdnetlink.cpp:357] Enabling audit rules for the process_events (execve, execveat) table I0414 18:51:54.292701 7985 auditdnetlink.cpp:384] Enabling audit rules for the process_file_events table
i found osqueryd daemon in backgorund, kill it and my osqueryi is worked. Process_file_events is enabled. But, when I change /etc/hosts from FIM modules, I see this error in verbose log 
E0414 18:53:11.438526  7970 eventsubscriberplugin.cpp:644] Found 43 invalid events (43 have been successfully erased)
I see records in process_events tables. But process_file_events is empty, why?(((
@alessandrogario @Mike Myers Did you see such type of error?
m

Mike Myers

04/14/2021, 4:10 PM
Personally I've never seen that one but I don't use that table either
🥲 1
This line of code is #659 in the latest https://github.com/osquery/osquery/blob/d07f85c908c4ba6ac80c25d182a2f3f44c2d0206/osquery/events/eventsubscriberplugin.cpp#L659
I don't know what makes an audit record invalid, but it seems related to retrieving it from the database
Maybe you had an old database, and it held events that could no longer be parsed in the current format?
did it keep doing that?
a

Artem

04/14/2021, 8:21 PM
yes, when i restart osqueryi the number of invalid events is reset to zero
@alessandrogario Do you know why this errror appears?
a

alessandrogario

04/15/2021, 7:35 AM
can you try with a new database? i thought Mike's suggestion was likely the cause
a

Artem

04/15/2021, 7:44 AM
how could i erase my database?
i clear folder osquery.db, then start osqueryi with --disable_database, but i see this error((
17 Views
#generalJoin Slack
Powered by