nyanshak
04/30/2020, 9:32 PM
<some_timestamp>.crash_recovery log files in /var/audit.
When the audit system crashes, osquery stops receiving events from the process_events table.
When the system is restarted, process_events will start going through again, since the audit subsystem is restarted.
1. (for a temporary fix) Is there a way to make the audit subsystem recover without rebooting the machine? The man audit suggests you should be able to do sudo audit -i to reinitialize the system. However, on doing this - it doesn't clear out the crash_recovery file, and process_events don't actually start getting processed again, including after restarting osquery.
2. (troubleshooting) Are there any good tools that can parse the audit binary log files? Trying to see if I can find any meaningful leads on why it crashed.
3. Has anyone else run into this and have any suggestions?
theopolis
05/01/2020, 12:42 AM
terracatta
05/01/2020, 12:45 AM
audit_control file also has not been modified since the OS was first installed earlier this year
billcobbler
05/01/2020, 2:09 AM
.not_terminated file, but log volume is severely reduced and with only event values of:
• SecSrvr AuthEngine
• user authentication
Examples of those two events with user info redacted:
<record version="11" event="user authentication" modifier="0" time="Thu Apr 30 16:28:19 2020" msec=" + 158 msec" >
<subject audit-uid="502" uid="502" gid="20" ruid="502" rgid="20" pid="11031" sid="100011" tid="2686386 0.0.0.0" />
<text>Verify password for record type Users 'user1' node '/Local/Default'</text>
<return errval="failure: Unknown error: 255" retval="5000" />
<identity signer-type="1" signing-id="com.apple.opendirectoryd" signing-id-truncated="no" team-id="" team-id-truncated="no" cdhash="0x1f5920de3532b6fae4f8050f2c7f507b5bbe838a" />
</record>
<record version="11" event="SecSrvr AuthEngine" modifier="0" time="Thu Apr 30 17:22:08 2020" msec=" + 661 msec" >
<subject audit-uid="-1" uid="0" gid="0" ruid="0" rgid="0" pid="16775" sid="100000" tid="2701830 0.0.0.0" />
<text>begin evaluation</text>
<return errval="success" retval="0" />
<identity signer-type="1" signing-id="com.apple.authd" signing-id-truncated="no" team-id="" team-id-truncated="no" cdhash="0xda52fe385f41ebc0f7fb14140bea0dfc97ac5644" />
</record>
nyanshak
05/01/2020, 2:51 PM
terracatta
05/06/2020, 11:59 PM
nyanshak
05/07/2020, 2:30 AM
/var/audit/*.crash_recovery files? Or something else?
terracatta
05/07/2020, 2:34 AM
Yes /var/audit/*.crash_recovery
nyanshak
05/07/2020, 2:35 AM