FAQ: Workaround for the Known Linux Limitation with auditd

There is a known Linux limitation: only one process can hold control of the audit socket at a time. As a result, any application that uses auditd conflicts with the Threat Stack Agent over access to socket control. This causes customer issues in several situations:

  • The customer uses non-Threat Stack audit rules to process logs.
  • The customer sends all logs to a SIEM or other log aggregator.
  • The customer deploys non-Threat Stack agents that need access to auditd data.

Workaround

Enable raw_log for the Threat Stack Agent. With raw_log enabled, tsauditd writes all of the audit data it receives to log files, which are stored in two locations:

  • The Threat Stack tsaudit.log
  • The OS-defined auditd log in /var/log/, through which all other applications can access auditd data, which prevents the audit socket control conflict.

Note

tsauditd logs contain far more information than the standard tsaudit logs.

Agent 1.x Series

To enable raw_log for the Threat Stack Agent 1.x:

  1. Navigate to /opt/threatstack/etc/.
  2. In your text editor of choice, open the audit.config.json file.
  3. Add a "raw_log" key at the same depth as filter, nnsleep, and noop, with the following value:
    "/opt/threatstack/cloudsight/logs/tsaudit-raw.log"

    For an example, see below.

  4. Restart the Threat Stack Agent with the following command:
    sudo cloudsight restart
  5. On the OS, disable auditd.
  6. Point any application that needs access to auditd data to the raw event stream, in this case /opt/threatstack/cloudsight/logs/tsaudit-raw.log. This prevents non-Threat Stack applications from subscribing to the audit socket and causing conflicts with the Threat Stack Agent.

Example of raw_log enabled for the Threat Stack Agent:

{
  "threatstack": {
    "auditd": {
      "cpumon": {
        "inc-by": 300,
        "dec-by": 50,
        "avg-after": 5,
        "ival-sec": 1,
        "ival-usec": 0
      },
      "extra-netinfo": true,
      "max-eoe-flush": 100,
      "noop": 3,
      "nnsleep": 1,
      "raw_log": "/opt/threatstack/cloudsight/logs/tsaudit-raw.log",
      "filter": "/opt/threatstack/etc/tsauditd.lua"
    }
  }
}

raw_log Name Rotation

The raw_log naming convention rotates between the name provided in audit.config.json (in the example above, tsaudit-raw.log) and the name with a ".1" appended (using the example above, tsaudit-raw.log.1).

Note

Threat Stack renames tsaudit-raw.log to tsaudit-raw.log.1 and then creates a new tsaudit-raw.log file with new content.
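Any application you point at the raw event stream (step 6 above, or step 7 for the 2.x agent) has to cope with this rotation: a reader that keeps its original file handle open silently stops seeing events once the agent renames the file. The following rotation-aware reader is an added example, not Threat Stack code; it assumes only that the raw log is line-oriented and that rotation is the rename-then-recreate described above. The sample lines it writes are constructed, and the path is a temporary directory rather than /opt/threatstack.

```python
import os
import tempfile
from pathlib import Path
class RawLogFollower:
    """Tails tsaudit-raw.log across the agent's rename-to-.1 rotation: drain the
    old handle first, then reopen once the inode behind the configured name changes."""
    def __init__(self, path):
        self.path, self._fh, self._inode, self._partial = Path(path), None, None, ""

    def _open(self):
        self._fh = self.path.open("r")
        self._inode = os.fstat(self._fh.fileno()).st_ino

    def _drain(self):  # complete lines only; a mid-write tail is kept for the next call
        out = []
        while chunk := self._fh.readline():
            if not chunk.endswith("\n"):
                self._partial += chunk
                break
            out.append(self._partial + chunk.rstrip("\n"))
            self._partial = ""
        return out

    def read_new(self):
        """Return complete lines written since the last call, across a rotation."""
        if self._fh is None:
            if not self.path.exists():
                return []
            self._open()
        lines = self._drain()
        try:
            if os.stat(self.path).st_ino != self._inode:  # rotated: finish with the new file
                self._fh.close()
                self._open()
                lines += self._drain()
        except FileNotFoundError:  # caught between the rename and the recreate
            pass
        return lines

def demo_rotation():
    """Constructed sample: two lines, the agent's rotation, then a third line."""
    d = Path(tempfile.mkdtemp())
    log = d / "tsaudit-raw.log"
    log.write_text("type=SYSCALL msg=audit(1700000000.100:41): syscall=59 success=yes\n"
                   "type=EXECVE msg=audit(1700000000.100:41): argc=1 a0=id\n")
    f = RawLogFollower(log)
    first = f.read_new()
    log.rename(d / "tsaudit-raw.log.1")  # what the agent does at rotation
    log.write_text("type=SYSCALL msg=audit(1700000001.200:42): syscall=59 success=no\n")
    return first + f.read_new()
```

For a real consumer, call read_new() in a loop with a short sleep and hand each line to your parser; lines written to the old file after the rename but before the reader's next call are still picked up, because the old handle is drained before the new file is opened.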

Agent 2.x Series

To enable raw_log for the Threat Stack Agent 2.x:

  1. Navigate to /opt/threatstack/etc/.
  2. Locate the tsauditd-custom.cfg file. If the file does not exist, then you need to create one.
    • Copy the contents of the tsauditd.cfg file into a newly-created tsauditd-custom.cfg file.
  3. In your text editor of choice, open the tsauditd-custom.cfg file.
  4. Add the "raw_log" field at the same depth as filter, nnsleep, and noop. Its value is as follows:
    "/opt/threatstack/log/tsaudit-raw.log"

    For an example, see below.

  5. Restart the Threat Stack Agent with the following command:
    sudo systemctl restart threatstack
  6. On the OS, disable auditd.
  7. Point any application that needs access to auditd data to the raw event stream, in this case /opt/threatstack/log/tsaudit-raw.log. This prevents non-Threat Stack applications from subscribing to the audit socket and causing conflicts with the Threat Stack Agent.

Example of raw_log enabled for the Threat Stack Agent:

{
  "threatstack": {
    "auditd": {
      "extra-netinfo": false,
      "max-eoe-flush": 100,
      "noop": 3,
      "nnsleep": 1,
      "raw_log": "/opt/threatstack/log/tsaudit-raw.log",
      "filter": "/opt/threatstack/etc/tsauditd.lua",
      "cpumon": {
        "max_rlim": 50000,
        "min_rlim": 1000,
        "inc-by": 300,
        "dec-by": 50,
        "ival-sec": 1,
        "ival-usec": 0,
        "avg-after": 5,
        "max-cpu": 40,
        "enabled": true
      },
      "processors": [
        {
          "output": {
            "config": {},
            "type": "stdout",
            "enable-noop": true
          }
        }
      ]
    }
  }
}