Troubleshooting Custom audispd Plugin

Steve Grubb sgrubb at redhat.com
Fri Sep 7 13:42:24 UTC 2018


Hello,

On Friday, September 7, 2018 9:19:34 AM EDT Osama Elnaggar wrote:
> I tried it but the problem still only shows up when it runs as a plugin.
> Also, the script basically does some processing on the records and extracts
> certain data from records of interest, so it should run fine regardless of
> the input source.  It seems to fail immediately when run as a plugin.  Any
> other suggestions on troubleshooting the discrepancy?

I don't know if there are any permission restrictions by AppArmor or SELinux 
if you have those running. I don't know if you are logging errors when they 
occur. But my guess would be something is throwing an uncaught exception, 
which might be caused by MAC permissions. Just a guess.

-Steve

> PS.  I also read your very useful auditd tutorials over here -
> https://security-plus-data-science.blogspot.com/ Thanks.
> 
> > Hi,
> > 
> > I'm working on a custom audispd plugin written in Python 3. It's a work in
> > progress and I've successfully run it numerous times as an audispd plugin.
> 
> > However, I sometimes make modifications that result in the audispd plugin
> > failing and I end up with the following in /var/log/syslog
> > 
> > Sep 6 20:52:05 ubuntu-hypervisor audispd: plugin /usr/bin/python3 terminated unexpectedly
> > Sep 6 20:52:05 ubuntu-hypervisor audispd: plugin /usr/bin/python3 was restarted
> > ...
> > 
> > This is repeated several times until audispd gives up and I see the
> > following message:
> > 
> > Sep 6 20:52:14 ubuntu-hypervisor audispd: plugin /usr/bin/python3 has exceeded max_restarts
> > 
> > To troubleshoot, I modify my code to read from /var/log/audit/audit.log
> > instead. I modify a single line (with fileinput.input() to read from
> > myfile as shown in the commented line below).
> > 
> > Here is the code snippet (a colorized, easier-to-read version is available
> > here - https://pastebin.com/84Nxu3Rp):
> > 
> > import auparse
> > import fileinput
> > import logging
> > 
> > # the logging handlers and fn_process_event(aup, cb_event_type, user_data)
> > # are defined earlier in the script (not shown here)
> > logger = logging.getLogger(__name__)
> > 
> > # let us initialize the AuParser
> > aup = auparse.AuParser(auparse.AUSOURCE_FEED)
> > 
> > # we initialize the callback to be fn_process_event
> > aup.add_callback(fn_process_event, None, None)
> > 
> > myfile = "/var/log/audit/audit.log"
> > 
> > while True:
> >     try:
> >         # we read in line by line from stdin (no arguments means stdin)
> >         #for line in fileinput.input(myfile):
> >         for line in fileinput.input():
> >             aup.feed(line)
> >         # end of input: audispd closed the pipe, so stop instead of spinning
> >         break
> >     except Exception:
> >         logger.error("Fatal error in while loop", exc_info=True)
> >         # release the still-active fileinput state so the retry can reopen stdin
> >         fileinput.close()
> > 
> > # we flush the feed when we quit
> > aup.flush_feed()
> > 
> > Any suggestions on how to troubleshoot these types of issues when reading
> > from a file works fine without issue but running it as a plugin fails as
> > shown in /var/log/syslog? Thanks.
> 
> All plugins have a requirement to take events from stdin. As long as it
> expects strings (which is the way that auparse wants them), then all you have
> to do is:
> 
> ausearch --start boot --raw | ./plugin
> 
> You can also save raw logs with ausearch and cat them into the plugin. This
> is helpful when you get a problem down to a certain series of events and you
> don't want to go through a thousand events before the problem sequence.
> 
> -Steve
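
The two pieces of advice in this thread (drive the plugin from stdin with `ausearch --raw` or a saved raw file, and log every exception before the process dies) can be combined into one small plugin skeleton. The following is an added example written for this page; it is not the poster's plugin, Steve's code, or part of the audit project. It assumes a writable debug log at /tmp/audit-plugin-debug.log (pick a path the plugin's user, and any MAC policy, allows), uses a simplified regex parser in place of auparse so it runs anywhere, and the records in SAMPLE_RAW are constructed to look like `ausearch --raw` output, not captured from a real host.

```python
#!/usr/bin/env python3
"""Stdin-driven audit plugin harness with a debug log (added example, not the poster's code)."""
import io
import logging
import re
import sys

# Assumed path: under audispd the plugin's stderr goes nowhere useful, so write
# tracebacks to a file the plugin's user is allowed to create (file and MAC perms).
LOGFILE = "/tmp/audit-plugin-debug.log"

# Raw record shape: type=TYPE msg=audit(SECONDS.MILLIS:SERIAL): key=value key="quoted" ...
# (all records of one event share the same timestamp:serial).
RECORD_HEAD = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed records in the format ausearch --raw emits (not captured from a real host).
# The last one deliberately lacks an exe= field to show how a handler bug surfaces.
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1536267125.456:789): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="id" exe="/usr/bin/id" key="exec-watch"
type=EXECVE msg=audit(1536267125.456:789): argc=1 a0="id"
type=SYSCALL msg=audit(1536267126.001:790): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=SYSCALL msg=audit(1536267127.314:791): arch=c000003e syscall=59 success=no exit=-13 comm="sh" key="exec-watch"
"""


def parse_raw_record(line):
    """Parse one raw line into a dict, or None for lines that are not records.
    Simplified for the example: the real plugin uses auparse, which also handles
    nested msg='...' payloads that this regex does not."""
    m = RECORD_HEAD.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = {"type": m.group("type"),
           "timestamp": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    for key, val in FIELD.findall(m.group("body")):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def extract_exec(rec):
    """Record-of-interest filter: execve calls (syscall 59 on x86_64), successful or not."""
    if rec["type"] == "SYSCALL" and rec.get("syscall") == "59":
        return (rec["serial"], rec["exe"])  # a KeyError here is a handler bug we want in the log
    return None


def run_plugin(stream, handler, logger):
    """Feed every line of `stream` to `handler`. Each exception is logged with its
    traceback and the offending raw line instead of killing the process, which
    audispd would otherwise report only as 'terminated unexpectedly'."""
    results, failures = [], 0
    for lineno, line in enumerate(stream, 1):
        try:
            rec = parse_raw_record(line)
            if rec is None:
                continue
            hit = handler(rec)
            if hit is not None:
                results.append(hit)
        except Exception:
            failures += 1
            logger.exception("handler failed on input line %d: %r", lineno, line.rstrip("\n"))
    return results, failures


def replay(raw_text, handler=extract_exec):
    """Run the plugin over in-memory raw text; returns (results, failures, log_text)."""
    buf = io.StringIO()
    logger = logging.getLogger("audit-plugin-replay")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    log_handler = logging.StreamHandler(buf)
    logger.addHandler(log_handler)
    try:
        results, failures = run_plugin(io.StringIO(raw_text), handler, logger)
    finally:
        logger.removeHandler(log_handler)
    return results, failures, buf.getvalue()


def main():
    # Same code path whether stdin comes from audispd, from `ausearch --raw |`, or from a saved file.
    logging.basicConfig(filename=LOGFILE, level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")
    logger = logging.getLogger("audit-plugin")
    results, failures = run_plugin(sys.stdin, extract_exec, logger)
    for serial, exe in results:
        logger.info("event %d executed %s", serial, exe)
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it the way Steve suggests, `ausearch --start boot --raw | python3 plugin_harness.py`, or `python3 plugin_harness.py < saved.raw` once a saved slice reproduces the problem, then install the same script as the audispd plugin; all three paths write to the same log file, so a failure that only appears under audispd shows up there with a traceback. A PermissionError in that traceback is the MAC or file-permission case Steve guesses at; a KeyError like the one produced by the constructed fourth record is a plain handler bug.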
