slackhq/go-audit

Replacing auditd with go-audit

jpfreyen opened this issue · 1 comment

I had a more fundamental question. I was playing with go-audit in CentOS 7. If go-audit is supposed to be a replacement for auditd, is it possible to stop auditd on the distro, and even possibly remove it altogether? I ask this because when I tried, I got the following error:

[root@CyCentos myuser]# systemctl stop auditd
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details

I would be concerned that running auditd and go-audit together on the same system would be a performance bottleneck.

Thanks! I could pull the repo and document the answer you provided if you want.

Partially, yes: we require the auditctl userspace counterpart to load rules, since they do a great job keeping up with syscall IDs and kernel versions. Some modern distros (running systemd) can mux the netlink socket used to receive events from the kernel, but this will just double your log volume and consume more CPU. Your best bet is to tell systemd to stop