From: Steve Grubb <sgrubb@redhat.com>
To: Nathan Cooprider <ncooprider@yankeehacker.com>
Cc: linux-audit@redhat.com
Subject: Re: Auditd misses accept syscalls from sshd
Date: Mon, 05 Dec 2016 17:44:06 -0500 [thread overview]
Message-ID: <2052748.Z1A4H7y1HO@x2> (raw)
In-Reply-To: <CAMMwpcgcHEKTbQvHHZpWiMGDoEnmm9bOz26HVq7CJk+eXg3jJg@mail.gmail.com>
On Monday, December 5, 2016 4:42:14 PM EST Nathan Cooprider wrote:
> On Sat, Dec 3, 2016 at 12:47 PM Steve Grubb <sgrubb@redhat.com> wrote:
> > > > Support was not added until 2.5.
> > >
> > > Support for what?
> >
> > Audit by executable. In the example that I gave I showed the syntax for
> > how you would audit accept only for sshd. I presume that you are not
> > auditing accept across the whole system. What rule are you using to audit
> > accept?
>
> Here's what I have:
>
> vagrant@vagrant:~$ uname -a
> Linux vagrant 4.4.0-51-generic #72~14.04.1-Ubuntu SMP Thu Nov 24 19:22:30
> UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
> vagrant@vagrant:~$ sudo auditctl -l
> No rules
> vagrant@vagrant:~$ sudo auditctl -a exit,always -F arch=b64 -S accept
> vagrant@vagrant:~$ sudo auditctl -l
> LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=accept
>
> For my case, I am auditing accept syscalls across the whole system. I want
> to look for when that syscall occurs in my log and alert on it.
OK. I was thinking that perhaps you had the rule qualified with -F auid>=500 -F
auid!=-1 to detect user originating events and the restart (because its
upstart) would put your auid into sshd's and then you were successful in
auditing. If the above rule is in fact what you are auditing with, and you
have auidit=1 on your grub kernel boot commandline, then I am out of guesses.
Sounds like a problem unique to your kernel since you have found kernels that
work fine.
-Steve
next prev parent reply other threads:[~2016-12-05 22:44 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-02 20:43 Auditd misses accept syscalls from sshd Nathan Cooprider
2016-12-02 21:09 ` Steve Grubb
2016-12-02 21:55 ` Nathan Cooprider
2016-12-02 22:13 ` Steve Grubb
2016-12-03 2:11 ` Nathan Cooprider
2016-12-03 17:47 ` Steve Grubb
2016-12-05 16:42 ` Nathan Cooprider
2016-12-05 22:44 ` Steve Grubb [this message]
2016-12-02 21:26 ` Paul Moore
2016-12-02 21:42 ` Nathan Cooprider
2016-12-02 21:56 ` Paul Moore
2016-12-02 23:44 ` Hassan Sultan
2016-12-03 2:15 ` Nathan Cooprider
2016-12-03 17:39 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2052748.Z1A4H7y1HO@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=ncooprider@yankeehacker.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).