#general
Artem

04/14/2021, 1:49 PM
Hi! When I try FIM in osquery, in the logs I see
auditdnetlink.cpp:647] Failed to set the netlink owner
But I don't have auditd in my OS. This is my conf:
{
  "options": {
    "audit_allow_config": "true",
    "audit_allow_fim_events": "true",
    "audit_allow_sockets": "true",
    "audit_fim_show_accesses": "true",
    "enable_file_events": "true",
    "disable_events": "false",
    "audit_persist": "false",
    "disable_audit": "false",
    "audit_allow_process_events": "true",
    "pack_delimiter": "/",
    "config_plugin": "filesystem"
  }
}
What is my error? Could anyone help, please?
Mike Myers

04/14/2021, 3:36 PM
Could there be anything else using the Audit subsystem? Is osquery running as root?
Artem

04/14/2021, 3:39 PM
Yes, it runs as root. How can I see what other programs use the Audit subsystem?
Mike Myers

04/14/2021, 3:41 PM
Normally it's auditd using it, but I don't know how to check this exactly. @alessandrogario do you know a way?
3:42 PM
Which version of Linux is it?
alessandrogario

04/14/2021, 3:43 PM
Also not sure if it could be related to SELinux or AppArmor.
Artem

04/14/2021, 3:44 PM
4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Mike Myers

04/14/2021, 3:44 PM
It's possible that the kernel was compiled without Audit? But if it's generic Ubuntu then that's probably not the case.
alessandrogario

04/14/2021, 3:46 PM
Can you try to add --verbose and report the messages here?
3:46 PM
Also, ps aux | grep audit should only show the kernel service.
Mike Myers

04/14/2021, 3:47 PM
It seems that osquery must've seen the Audit subsystem if it gets to this line https://github.com/osquery/osquery/blob/59500018df6d23e6c00e1def8d4aa34fc92a9d3d/osquery/events/linux/auditdnetlink.cpp#L651 (am I wrong? It would have to have called audit_open successfully)
Artem

04/14/2021, 3:56 PM
I0414 18:51:54.292611  7985 auditdnetlink.cpp:329] Attempting to configure the audit service
I0414 18:51:54.292675  7985 auditdnetlink.cpp:357] Enabling audit rules for the process_events (execve, execveat) table
I0414 18:51:54.292701  7985 auditdnetlink.cpp:384] Enabling audit rules for the process_file_events table
3:59 PM
I found an osqueryd daemon in the background, killed it, and my osqueryi works. process_file_events is enabled. But when I change /etc/hosts (from the FIM module), I see this error in the verbose log:
E0414 18:53:11.438526  7970 eventsubscriberplugin.cpp:644] Found 43 invalid events (43 have been successfully erased)
I see records in the process_events table. But process_file_events is empty, why?(((
4:10 PM
@alessandrogario @Mike Myers Did you see such type of error?
Mike Myers

04/14/2021, 4:10 PM
Personally I've never seen that one, but I don't use that table either.
4:15 PM
I don't know what makes an audit record invalid, but it seems related to retrieving it from the database.
5:04 PM
Maybe you had an old database, and it held events that could no longer be parsed in the current format?
5:04 PM
Did it keep doing that?
Artem

04/14/2021, 8:21 PM
Yes, when I restart osqueryi the number of invalid events resets to zero.
7:27 AM
@alessandrogario Do you know why this error appears?
alessandrogario

04/15/2021, 7:35 AM
Can you try with a new database? I thought Mike's suggestion was likely the cause.
Artem

04/15/2021, 7:44 AM
How could I erase my database?
8:15 AM
I cleared the osquery.db folder, then started osqueryi with --disable_database, but I see this error((