Auditd Compatibility Mode

Is anyone else here experiencing issues with their new system deployments being flagged with the following error:

agent.jobs.linux.ui_realtime, Auditd is enabled - the use of auditd Compatibility Mode is required in order to allow the agent and auditd to run side-by-side.

Gauging responses to see how common this is. I’ve developed a script to fix it, but wanted to see if others have the same issue.

1 Like

I’m having this issue, have written an ansible playbook to try and resolve, but not having much luck so far… Would be very interested in seeing your script if you’re happy to share?

1 Like

I have several different scripts to account for different OSes (Ubuntu and RHEL) and whether they are using Auditd v2 or v3.

If you provide me with one of the test systems you are working on, I can provide the proper script and steps. Run “auditctl -v” to grab the audit version and cat /etc/os-release to see whether it is (Ubuntu, CentOS, RHEL, etc.).

For obvious reasons, if you don’t feel comfortable providing the OS, just let me know what version of Auditd it is using and I can provide a few options.

1 Like

Thank you! I’m having issues on Ubuntu 22.04, RHEL 8 and RHEL 9

Appreciate the help

This is exactly what I am looking for, I was trying to create my own script but having various degrees of success. Running RHEL Version 7. Any chance you could share with me? Thank you!

Hey, I'm also having some issues, would appreciate the help

Hey everyone, my apologies for the lack of response. I’ve stepped away for some time from the portal and now starting to check back in. Considering it has been well over a year from my last response, has there been any success on your end or would you still like to see the sequence of commands I’ve used to get this working?

Do you have the scripts available maybe on a GitHub? Looking for RHEL 8 and 9 specifically, but all of them would be super helpful

Here is what I use for RHEL 8, RHEL 7 should be on Auditd v2 which is slightly different than the below steps (I can share that one if needed). As for RHEL9, I haven’t tested it on that OS yet, but presuming RHEL 9 is using Auditd v3, the below should work. Subject to testing though.

The script is using Python and the commands before and after the script are typical BASH style commands to restart services, validate configurations, etc.

RHEL 8 (Auditd v3)

  • Validate auditd version, whether audispd is installed, and if anything custom is in af_unix.conf

    auditctl -v && echo && yum list installed | grep -i audispd && cat /etc/audit/plugins.d/af_unix.conf

  • Stop auditd and ir_agent services

    service auditd stop && service ir_agent stop

  • Install necessary packages

    yum install audispd-plugins -y

  • vim /home/<userpath>/RHEL8-Auditdv3-Fix.py (GitHub Location)

  • Change permissions on script and run

    chmod 700 RHEL8-Auditdv3-Fix.py && python3 RHEL8-Auditdv3-Fix.py

  • View service status for auditd and Rapid7 agent

    service auditd status && echo && service ir_agent status

1 Like
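As an added illustration of the first step (validate the auditd version, the OS and whether af_unix.conf carries anything custom), here is a Python pre-flight check; it is not the poster's RHEL8-Auditdv3-Fix.py, which is not on this page. It parses the text that `auditctl -v`, `cat /etc/os-release` and `cat .../af_unix.conf` print, so it runs offline on the constructed samples below; the stock af_unix.conf values and the v2 plugin directory (/etc/audisp/plugins.d) are assumptions from the audispd-plugins package, not from the thread.

```python
import re
from typing import Dict, List, Tuple

# Stock af_unix.conf as shipped by audispd-plugins (assumed; compare against your own copy).
STOCK_AF_UNIX = {"active": "no", "direction": "out", "path": "builtin_af_unix",
                 "type": "builtin", "args": "0640 /var/run/audispd_events", "format": "string"}

def parse_audit_version(auditctl_v: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `auditctl -v` output such as 'auditctl version 3.0.7'."""
    m = re.search(r"version\s+(\d+)\.(\d+)(?:\.(\d+))?", auditctl_v)
    if not m:
        raise ValueError("unrecognised auditctl -v output: %r" % auditctl_v)
    major, minor, patch = (int(x or 0) for x in m.groups())
    return major, minor, patch

def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'key = value' / KEY="value" lines (os-release and audisp plugin files), skipping comments."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip().strip('"')
    return out

def af_unix_conf_path(major: int) -> str:
    """Auditd v2 keeps audispd plugins under /etc/audisp (assumed); v3 moved them under /etc/audit."""
    return "/etc/audit/plugins.d/af_unix.conf" if major >= 3 else "/etc/audisp/plugins.d/af_unix.conf"

def assess(auditctl_v: str, os_release: str, af_unix_conf: str) -> Dict[str, object]:
    """Summarise what a fix script will have to deal with on this host."""
    major = parse_audit_version(auditctl_v)[0]
    osr = parse_kv(os_release)
    conf = parse_kv(af_unix_conf)
    # Any key whose value differs from the stock file is 'custom' (a previous fix attempt shows up here too).
    custom: List[str] = sorted(k for k, v in conf.items() if STOCK_AF_UNIX.get(k) != v)
    return {"os": "%s %s" % (osr.get("ID", "?"), osr.get("VERSION_ID", "?")),
            "audit_major": major,
            "af_unix_conf": af_unix_conf_path(major),
            "plugin_active": conf.get("active") == "yes",
            "custom_keys": custom}

# Constructed sample input standing in for the three commands of step 1 on a RHEL 8 host.
SAMPLE_AUDITCTL_V = "auditctl version 3.0.7\n"
SAMPLE_OS_RELEASE = 'NAME="Red Hat Enterprise Linux"\nVERSION_ID="8.8"\nID="rhel"\n'
SAMPLE_AF_UNIX = ("active = no\ndirection = out\npath = builtin_af_unix\n"
                  "type = builtin\nargs = 0640 /var/run/audispd_events\nformat = string\n")

if __name__ == "__main__":
    print(assess(SAMPLE_AUDITCTL_V, SAMPLE_OS_RELEASE, SAMPLE_AF_UNIX))
```

On a real host, feed it the output of the three commands from step 1; a non-empty `custom_keys` list means the file deserves a manual look before any script overwrites it.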

Please disregard all those edits and deleted posts. The forum page kept trying to convert the code in an odd manner + I made a GitHub location for storage and future script expansion. Thanks for the suggestion. Hopefully this helps.