From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Auditd misses accept syscalls from sshd
Date: Mon, 05 Dec 2016 17:44:06 -0500
Message-ID: <2052748.Z1A4H7y1HO@x2>
References: <7841465.GifJlmNWiC@x2>
To: Nathan Cooprider
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, December 5, 2016 4:42:14 PM EST Nathan Cooprider wrote:
> On Sat, Dec 3, 2016 at 12:47 PM Steve Grubb wrote:
> > > > Support was not added until 2.5.
> > >
> > > Support for what?
> >
> > Audit by executable. In the example that I gave I showed the syntax for
> > how you would audit accept only for sshd. I presume that you are not
> > auditing accept across the whole system. What rule are you using to audit
> > accept?
>
> Here's what I have:
>
> vagrant@vagrant:~$ uname -a
> Linux vagrant 4.4.0-51-generic #72~14.04.1-Ubuntu SMP Thu Nov 24 19:22:30
> UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
> vagrant@vagrant:~$ sudo auditctl -l
> No rules
> vagrant@vagrant:~$ sudo auditctl -a exit,always -F arch=b64 -S accept
> vagrant@vagrant:~$ sudo auditctl -l
> LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=accept
>
> For my case, I am auditing accept syscalls across the whole system. I want
> to look for when that syscall occurs in my log and alert on it.

OK. I was thinking that perhaps you had the rule qualified with -F auid>=500
-F auid!=-1 to detect user-originating events and the restart (because it's
upstart) would put your auid into sshd's and then you were successful in
auditing. If the above rule is in fact what you are auditing with, and you
have audit=1 on your grub kernel boot command line, then I am out of guesses.

Sounds like a problem unique to your kernel since you have found kernels that
work fine.

-Steve
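As an added example, not code from the thread or from the audit project, here is a small Python filter over constructed audit.log SYSCALL records that applies the rule Nathan lists (-F arch=b64 -S accept) together with the qualifiers Steve mentions (-F exe=..., -F auid>=500, -F auid!=-1). It shows why auid>=500 on its own still matches sshd's listener, whose loginuid is unset, and why auid!=-1 is paired with it; it also recognizes accept4, which a rule naming only accept does not record. The syscall numbers are the x86_64 ones implied by arch=b64, and the log lines and process details are constructed.

```python
import re

# Constructed sample audit.log SYSCALL records (not from the thread): an accept()
# by the sshd listener (loginuid unset), one by a forked per-session sshd, and
# an unrelated open() by a user. Field layout follows the kernel's SYSCALL record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1480973046.101:201): arch=c000003e syscall=43 success=yes exit=4 pid=1180 auid=4294967295 uid=0 ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="net-accept"
type=SYSCALL msg=audit(1480973050.222:202): arch=c000003e syscall=43 success=yes exit=5 pid=1302 auid=1000 uid=0 ses=3 comm="sshd" exe="/usr/sbin/sshd" key="net-accept"
type=SYSCALL msg=audit(1480973051.333:203): arch=c000003e syscall=2 success=yes exit=3 pid=1400 auid=1000 uid=1000 ses=3 comm="cat" exe="/bin/cat" key=(null)
"""

# x86_64 syscall numbers (arch=c000003e, i.e. -F arch=b64). accept4 is listed
# too: a rule naming only "-S accept" matches 43 and never 288.
ACCEPT_SYSCALLS_X86_64 = {43: "accept", 288: "accept4"}
UNSET_AUID = 4294967295  # what "-F auid!=-1" compares against on the wire

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

def parse_record(line):
    """Split one raw audit record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def matches_rule(rec, exe=None, min_auid=None, exclude_unset_auid=False):
    """Mimic the thread's rule, -a exit,always -F arch=b64 -S accept, plus the
    optional qualifiers discussed: -F exe=..., -F auid>=N and -F auid!=-1."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
        return False
    if int(rec.get("syscall", "-1")) not in ACCEPT_SYSCALLS_X86_64:
        return False
    if exe is not None and rec.get("exe") != exe:
        return False
    auid = int(rec.get("auid", UNSET_AUID))
    # auid is unsigned, so an unset loginuid (4294967295) passes "auid>=500";
    # that is exactly why the "auid!=-1" qualifier is paired with it.
    if min_auid is not None and auid < min_auid:
        return False
    if exclude_unset_auid and auid == UNSET_AUID:
        return False
    return True

def find_accepts(log_text, **rule):
    """Return the parsed records in log_text that the (qualified) rule would report."""
    records = (parse_record(l) for l in log_text.splitlines() if l.strip())
    return [rec for rec in records if matches_rule(rec, **rule)]
```

Run with min_auid=500 alone the listener's record (auid=4294967295) is still reported; add exclude_unset_auid=True and only the per-session sshd remains, which is the behaviour the auid>=500 / auid!=-1 pair is meant to give.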