PVF: consider fetching audit logs with netlink #2080
Comments
@s0me0ne-unkn0wn Does this work even if audit logging is disabled? That might be an advantage, along with not having to locate the audit file location (it is different on some systems) etc.
Well, if audit logging is disabled in the sense that
I'll take this one for myself, as I'm more or less familiar with netlink and kernel audit. However, I've never tried using it as non-root. The first thing that should be checked is whether it's worth implementing at all. If it requires root privilege, it doesn't make sense. The current implementation (the log parsing) fails on every host I tried, as the audit logs are not usually exposed to normal users.
Awesome, thank you! Let me know what you find out.
Yeah, so we only use them for informative purposes right now. Hopefully, there is at least one validator who is ignoring our recommendation not to run as root, who would notice any warnings that we log and inform us. 🙃
Nope, no miracle happened. You cannot subscribe to audit events as non-root. Probably, that's not that strict, I mean, running as a user who is a member of the Considering that, I'm not sure it makes sense to put any effort into implementing this.
Related: #2324
In the light of #2461, do we still need this?
If we're not going to ever enforce running node as root, I'd say no.
So that sounds to me like a "no" and we can close this issue.
Can reopen if we need this in the future.
Instead of parsing audit logs, we might be able to connect to audit via netlink and observe audit events directly. See man 3 audit_open and further links.
See #2009 (comment) by @s0me0ne-unkn0wn.
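The privilege question raised in this thread can be checked with a small probe. This is an added example, not code from the project: it tries to join the kernel's read-only audit multicast group over netlink and reports whether the process is allowed to. The verdict names and function names are hypothetical, and it assumes Linux headers that define `AUDIT_NLGRP_READLOG`; the kernel gates this bind on `CAP_AUDIT_READ`.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Hypothetical verdict names, used only by this example. */
enum probe_verdict { PROBE_OK, PROBE_NEEDS_PRIVILEGE, PROBE_NO_AUDIT, PROBE_OTHER };

/* Map the errno from socket()/bind() to a verdict a node could log. */
static enum probe_verdict classify_errno(int err)
{
    switch (err) {
    case 0:               return PROBE_OK;
    case EPERM:
    case EACCES:          return PROBE_NEEDS_PRIVILEGE; /* no CAP_AUDIT_READ */
    case EPROTONOSUPPORT:
    case EAFNOSUPPORT:    return PROBE_NO_AUDIT;        /* audit/netlink not built in */
    default:              return PROBE_OTHER;
    }
}

/* Try to subscribe to audit events. Returns 0 on success, else the errno. */
static int probe_audit_multicast(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd < 0)
        return errno;

    struct sockaddr_nl addr;
    memset(&addr, 0, sizeof addr);
    addr.nl_family = AF_NETLINK;
    /* nl_groups is a bitmask: group N is bit N-1. */
    addr.nl_groups = 1u << (AUDIT_NLGRP_READLOG - 1);

    int err = 0;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0)
        err = errno; /* the kernel's audit bind hook rejects unprivileged callers */
    close(fd);
    return err;
}

int main(void)
{
    int err = probe_audit_multicast();
    printf("audit multicast subscribe: %s (verdict %d)\n",
           err ? strerror(err) : "allowed", (int)classify_errno(err));
    return 0;
}
```

Joining the multicast group only receives events; it does not change audit configuration.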