"type":1305 AUDIT_CONFIG_CHANGE log noise #82
- [x] I've read and understood the Contributing guidelines and have done my best effort to follow them.
- [x] I've read and agree to the Code of Conduct.
- [x] I've searched for any related issues and avoided creating a duplicate issue.
Description
When I run go-audit it logs AUDIT_CONFIG_CHANGE messages every few seconds. Any idea why this is happening? I don't see this when running ordinary auditd.
Reproducible in:
go-audit version: dev+20200629015509
I also tried with version 1.00 and got the same result.
OS version(s): Ubuntu 20.04 LTS
kernel 5.4.0-39-generic
go v1.13.8
Steps to reproduce:
- go-audit /etc/example.yaml
example.yaml is an unmodified copy of go-audit.yaml.example
Expected result:
No AUDIT_CONFIG_CHANGE messages.
A similar volume of messages as when I run auditd with the same rules.
Actual result:
{"sequence":904,"timestamp":"1593402441.566","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
{"sequence":905,"timestamp":"1593402446.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
{"sequence":906,"timestamp":"1593402451.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}