lbernail · June 13, 2019 09:01
diff --git a/audit b/audit
 Defaults in the description for ubuntu 1804

 ## A few commands

 auditctl -e 0|1|2    # enable / disable (default: disabled, 1: enabled, 2: enabled and locked [changes require reboot])
 auditctl -s|l      # status / list rules
 audictl -D         # flush
 auditctl -f        # failure mode (default: 1 => printk => kernel logs)

 ## journald audit socket
 systemd file: systemd-journald-audit.socket

 Enabled by default
 "Multicast audit listener" using a netlink AUDIT socket: will not prevent kernel logging (only explicit listeners do)
   => default: double logging (journal + kernel) because failure mode = printk
 More details here: https://github.com/linux-audit/audit-kernel/issues/102

 ## Logging disabled
 apparmor doesn't check if audit is enabled and logs based on its config only:
 https://www.suse.com/documentation/sles11/book_security/data/sec_audit_syscall.html

 "Out of the box (without any further configuration) auditd logs only events concerning its own configuration changes to 
 /var/log/audit/audit.log. No events (file access, system call, etc.) are generated by the kernel audit component until 
 requested by auditctl. However, other kernel components and modules may log audit events outside of the control of auditctl 
 and these appear in the audit log. By default, the only module that generates audit events is AppArmor."

 ## Logging enabled
 Even without any rule, many system components will log security events. A few examples:

 Userland tools will use a netlink socket.
  sudo, for instance: https://github.com/millert/sudo/blob/master/plugins/sudoers/linux_audit.c#L65
  
 List of programs currently using libaudit and potentially logging
  sudo lsof 2>/dev/null | grep /lib/x86_64-linux-gnu/libaudit.so.1
  
 Message filtering (if audit is disabled) is done kernel side on the reception of netlink messages: 
  https://github.com/torvalds/linux/blob/v4.20/kernel/audit.c#L1330

 Kernel side, the filtering is explicit. Netfilter example:
  https://github.com/torvalds/linux/blob/v4.20/net/netfilter/x_tables.c#L1417
  
 Audit kernel message types:
  https://github.com/torvalds/linux/blob/v5.0/include/uapi/linux/audit.h#L87

 Audit userland message types:
  https://github.com/linux-audit/audit-userspace/blob/v2.8.5/lib/libaudit.h#L60
	Defaults in the description for ubuntu 1804

	## A few commands

	auditctl -e 0\|1\|2 # enable / disable (default: disabled, 1: enabled, 2: enabled and locked [changes require reboot])
	auditctl -s\|l # status / list rules
	audictl -D # flush
	auditctl -f # failure mode (default: 1 => printk => kernel logs)

	## journald audit socket
	systemd file: systemd-journald-audit.socket

	Enabled by default
	"Multicast audit listener" using a netlink AUDIT socket: will not prevent kernel logging (only explicit listeners do)
	=> default: double logging (journal + kernel) because failure mode = printk
	More details here: https://github.com/linux-audit/audit-kernel/issues/102

	## Logging disabled
	apparmor doesn't check if audit is enabled and logs based on its config only:
	https://www.suse.com/documentation/sles11/book_security/data/sec_audit_syscall.html

	"Out of the box (without any further configuration) auditd logs only events concerning its own configuration changes to
	/var/log/audit/audit.log. No events (file access, system call, etc.) are generated by the kernel audit component until
	requested by auditctl. However, other kernel components and modules may log audit events outside of the control of auditctl
	and these appear in the audit log. By default, the only module that generates audit events is AppArmor."

	## Logging enabled
	Even without any rule, many system components will log security events. A few examples:

	Userland tools will use a netlink socket.
	sudo, for instance: https://github.com/millert/sudo/blob/master/plugins/sudoers/linux_audit.c#L65

	List of programs currently using libaudit and potentially logging
	sudo lsof 2>/dev/null \| grep /lib/x86_64-linux-gnu/libaudit.so.1

	Message filtering (if audit is disabled) is done kernel side on the reception of netlink messages:
	https://github.com/torvalds/linux/blob/v4.20/kernel/audit.c#L1330

	Kernel side, the filtering is explicit. Netfilter example:
	https://github.com/torvalds/linux/blob/v4.20/net/netfilter/x_tables.c#L1417

	Audit kernel message types:
	https://github.com/torvalds/linux/blob/v5.0/include/uapi/linux/audit.h#L87

	Audit userland message types:
	https://github.com/linux-audit/audit-userspace/blob/v2.8.5/lib/libaudit.h#L60