Hi,
My Linux is CentOS 7.
When I run Elastic Beats Auditbeat as a non-root user, it shows this error:
Quote:
ERROR instance/beat.go:877 Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted
Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted
Then I checked which capability the process lacked with this command:
strace ./auditbeat -c 1 localhost 2>&1 | grep EPERM
and it shows:
Quote:
epoll_ctl(4, EPOLL_CTL_ADD, 3, {EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, {u32=66785192, u64=140471267168168}}) = -1 EPERM (Operation not permitted)
epoll_ctl(4, EPOLL_CTL_DEL, 3, {0, {u32=0, u64=0}}) = -1 EPERM (Operation not permitted)
I found that the missing capability is CAP_BLOCK_SUSPEND from this page:
http://man7.org/linux/man-pages/man7...ilities.7.html
But when I run the command setcap cap_block_suspend=ep auditbeat as root, it shows:
Quote:
fatal error: Invalid argument
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
Note <filename> must be a regular (non-symlink) file.
However, I have checked that auditbeat is just a regular file:
Quote:
[usr@linuxhost auditbeat-7.2.0-linux-x86_64]$ stat auditbeat
File: ‘auditbeat’
Size: 70418699 Blocks: 137544 IO Block: 4096 regular file
Device: pasef/17006b Inode: 410084318 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 1004/ usr ) Gid: ( 1004/ usr )
Access: 2019-08- 0:39:29.160306947 +000
Modify: 2019-06-20 23:04:01.000000000 +000
Change: 2019-08- 0:39:06.226434256 +000
Birth: -
How can I solve this?
Thank you.
Daniel.
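Before guessing at a capability from strace output, it helps to read the capability sets the running process actually holds. The decoder below is an added example (not from the original post or from Auditbeat) that turns the CapEff/CapPrm/CapBnd hex masks in /proc/<pid>/status into cap_* names; the status text embedded in it is a constructed sample, and the bit numbering is assumed to follow linux/capability.h.

```python
"""Decode the Cap* bitmasks from /proc/<pid>/status into capability names.

Assumption: bit numbers follow linux/capability.h (CAP_CHOWN = 0, ...).
"""
import re

# Bit index -> name, in the order defined by linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]


def decode_caps(mask: int) -> list:
    """Return the cap_* names whose bit is set in a capability bitmask."""
    return ["cap_" + name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def parse_status(status_text: str) -> dict:
    """Extract every Cap* hex mask from the text of /proc/<pid>/status."""
    masks = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)", status_text, re.M):
        masks[m.group(1)] = int(m.group(2), 16)
    return masks


def missing_caps(status_text: str, required: set) -> list:
    """Names from `required` that are absent from the effective set (CapEff)."""
    effective = set(decode_caps(parse_status(status_text).get("CapEff", 0)))
    return sorted(required - effective)


# Constructed sample: a status file for a process started by uid 1004 from a
# binary that carries the file capability cap_block_suspend=ep.
SAMPLE_STATUS = """Name:\tauditbeat
Uid:\t1004\t1004\t1004\t1004
CapInh:\t0000000000000000
CapPrm:\t0000001000000000
CapEff:\t0000001000000000
CapBnd:\t0000001fffffffff
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    for key, mask in parse_status(text).items():
        print(key, decode_caps(mask))
```

Point it at /proc/$(pidof auditbeat)/status to see the live sets and confirm whether a setcap actually reached the process.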