@lbernail
Last active June 13, 2019 09:01
Audit behavior
The defaults described here are those of Ubuntu 18.04.
## A few commands
```bash
auditctl -e 0|1|2   # disable / enable / enable and lock (default: 0 = disabled; 2 = enabled and locked, changes require a reboot)
auditctl -s         # status
auditctl -l         # list rules
auditctl -D         # flush (delete all rules)
auditctl -f 0|1|2   # failure mode (default: 1 => printk => kernel logs)
```
## journald audit socket
systemd unit: systemd-journald-audit.socket (enabled by default)
It is a "multicast audit listener" on a netlink AUDIT socket: it does not stop the kernel from logging the records itself (only an explicit listener such as auditd does).
=> default: double logging (journal + kernel log) because the failure mode is printk
More details here: https://github.com/linux-audit/audit-kernel/issues/102
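To make the two points above concrete (the auditctl -e / -f values and the double-logging default), here is an added example, not part of the original gist, that summarises `auditctl -s` output and flags the double-logging case. It assumes the key/value output format of `auditctl -s` from audit 2.8.x and feeds in a constructed sample rather than a live system.

```shell
#!/bin/sh
# Added example, not part of the original gist: summarise the kernel audit state
# from `auditctl -s` output and flag the double-logging case described above
# (no auditd registered, failure mode printk, journald on the multicast audit
# socket => records land in the kernel log AND the journal).
# Assumes the key/value output format of `auditctl -s` from audit 2.8.x.

# Constructed sample: Ubuntu 18.04 defaults (audit disabled, no auditd, failure mode 1).
DEFAULT_STATUS='enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

# audit_field KEY STATUS_TEXT: print the value recorded for KEY
audit_field() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

describe_enabled() {   # meaning of the auditctl -e value
    case "$1" in 0) echo disabled ;; 1) echo enabled ;;
        2) echo "enabled and locked (reboot to change)" ;; *) echo unknown ;; esac
}

describe_failure() {   # meaning of the auditctl -f value
    case "$1" in 0) echo silent ;; 1) echo "printk (kernel log)" ;;
        2) echo panic ;; *) echo unknown ;; esac
}

# audit_summary STATUS_TEXT SOCKET_STATE, where SOCKET_STATE is the output of
# `systemctl is-active systemd-journald-audit.socket`. Only an explicit listener
# (auditd, pid != 0) stops the kernel printk; journald's multicast listener does not.
audit_summary() {
    en=$(audit_field enabled "$1"); fl=$(audit_field failure "$1")
    pid=$(audit_field pid "$1")
    printf 'audit %s; failure mode %s; auditd pid %s' \
        "$(describe_enabled "$en")" "$(describe_failure "$fl")" "$pid"
    if [ "$pid" = 0 ] && [ "$fl" = 1 ] && [ "$2" = active ]; then
        printf '; double logging (kernel log + journal)'
    fi
    printf '\n'
}

# Live use as root:
#   audit_summary "$(auditctl -s)" "$(systemctl is-active systemd-journald-audit.socket)"
audit_summary "$DEFAULT_STATUS" active
```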
## Logging disabled
AppArmor does not check whether audit is enabled; it emits audit records based on its own configuration only:
https://www.suse.com/documentation/sles11/book_security/data/sec_audit_syscall.html
"Out of the box (without any further configuration) auditd logs only events concerning its own configuration changes to
/var/log/audit/audit.log. No events (file access, system call, etc.) are generated by the kernel audit component until
requested by auditctl. However, other kernel components and modules may log audit events outside of the control of auditctl
and these appear in the audit log. By default, the only module that generates audit events is AppArmor."
## Logging enabled
Even without any rule, many system components log security events. A few examples:
Userland tools send their records through a netlink socket; sudo, for instance:
https://github.com/millert/sudo/blob/master/plugins/sudoers/linux_audit.c#L65
To list the programs currently using libaudit (and therefore potentially logging):
```bash
sudo lsof 2>/dev/null | grep /lib/x86_64-linux-gnu/libaudit.so.1
```
Message filtering when audit is disabled is done kernel side, on reception of the netlink messages:
https://github.com/torvalds/linux/blob/v4.20/kernel/audit.c#L1330
For records generated inside the kernel, the check is explicit in each caller. Netfilter example:
https://github.com/torvalds/linux/blob/v4.20/net/netfilter/x_tables.c#L1417
Audit kernel message types:
https://github.com/torvalds/linux/blob/v5.0/include/uapi/linux/audit.h#L87
Audit userland message types:
https://github.com/linux-audit/audit-userspace/blob/v2.8.5/lib/libaudit.h#L60