linux - Auditd 在 audit.log 中显示重复行

Question

我遇到了一个问题，auditd 似乎将同一消息记录了两次，例如，请参见以下内容:

type=EXECVE msg=audit(1495742109.857:90234552): argc=1 a0="/bin/bash"
type=EXECVE msg=audit(1495742109.857:90234552): argc=1 a0="/bin/bash"

这里是相关的配置:

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = incremental
freq = 20
num_logs = 3
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = none
name = lga-tag06
max_log_file = 1024
max_log_file_action = rotate
space_left = 75
space_left_action = syslog
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = suspend
disk_full_action = suspend
disk_error_action = suspend
tcp_listen_queue = 5

tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd

及相关规则:

# Default Rule - Delete ALL
-D
enter code here
# Set Buffer size - increase for Busy Systems
-b 8192
enter code here
# Puppet Managed Custom rules begin here:
-b 320
-D
-a exclude,never -F msgtype=PATH 
-a exclude,never -F msgtype=BPRM_FCAPS 
-a exclude,never -F msgtype=CRED_DISP
-a exit,always -F arch=b32 -F euid>=0 -S execve
-a exit,always -F arch=b64 -F euid>=0 -S execve

想知道是否有人以前看过这个或有任何建议？

Answer 1

我不能肯定地说，但在您将我要求的评论信息添加到您的问题之前，我将提供以下信息:

Note / Update: This extends to the bounty. Although the comment regarding the extra lines doesn't apply, the remaining questions about distribution and versions do.

您可能遇到了 red hat's tracker 中报告的错误在systemd github ，其中指出 auditd 和 systemd 的 journald 之间存在问题。

建议的解决方案是禁用日志的审计支持:

systemctl mask systemd-journald-audit.socket

在尝试之前，请阅读上面的链接问题并采取所有必要的考虑因素。