Alejandro
10/19/2020, 4:53 PM
--audit_allow_config=true
--audit_persist=true
--disable_audit=false
--disable_distributed=false
--distributed_interval=10
--distributed_plugin=tls
--events_expiry=1
--events_max=500000
--logger_min_status=1
--logger_plugin=tls
--schedule_splay_percent=10
--disable_watchdog=false
--hash_delay=20
--pack_refresh_interval=3600
--table_delay=20
--watchdog_delay=120
--watchdog_level=1
--watchdog_memory_limit=200
theopolis
10/19/2020, 8:44 PM
/proc/$PID/io should have the read/write bytes. You won't know what the rate was at the time of the alert. I also do not know how accurate these will be. For example, do they include stats about the audit netlink pipe?

Alejandro
10/20/2020, 11:50 AM
watcher.cpp:360] osqueryd worker (194852) stopping: Memory limits exceeded: 213448000
udev.cpp:90] udev monitor returned invalid device: No buffer space available
and now we are not getting any logs out to the tls logger (events column on the osquery_events table has zero on all rows), and config_valid is 0. osquery_schedule logs we got into the SIEM did not indicate any of the schedule queries were added into a denylist.
theopolis
10/20/2020, 12:02 PM

Alejandro
10/20/2020, 12:51 PM

theopolis
10/20/2020, 5:23 PM

Alejandro
10/21/2020, 9:05 AM
config_valid as 0 only comes when running it from osqueryi and is not the case when I run the same command from Kolide. I guess this would be expected?
systemctl mask --now systemd-journald-audit.socket
and that fixed the issue. Might be worth adding this to the documentation, happy to open a PR with this 🙂
nyanshak
10/23/2020, 2:53 PM

theopolis
10/23/2020, 3:11 PM
auditd is regaining control of the netlink socket and not reconfiguring based on /etc/audit*, (3) your disk is then taxed with the verbose amount of information audit writes.
I think we should update the documentation to recommend people disable the auditd service via systemd.

nyanshak
10/23/2020, 3:15 PM
systemd-journald collects logging data from various sources including (from man pages):
audit records, originating from the kernel audit subsystem
auditd should not be running when using osquery's process auditing, as it will conflict with osqueryd over access to the audit netlink socket. You should also ensure auditd is not configured to start at boot.

Alejandro
10/26/2020, 11:28 AM

theopolis
10/26/2020, 10:14 PM

Alejandro
10/28/2020, 3:56 PM