From: Steve Grubb
Subject: Re: Auditd misses accept syscalls from sshd
Date: Fri, 02 Dec 2016 17:13:42 -0500
Message-ID: <3309840.oCxPxWEFuR@x2>
References: <3811129.XXtPaolnaT@x2>
To: Nathan Cooprider
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

Addressing a couple obvious things here...

On Friday, December 2, 2016 9:55:17 PM EST Nathan Cooprider wrote:
> On Fri, Dec 2, 2016 at 4:09 PM Steve Grubb wrote:
> > On Friday, December 2, 2016 8:43:46 PM EST Nathan Cooprider wrote:
> > > Auditd seems to miss accept syscalls from ssh on Ubuntu 14.
> >
> > It's not auditd, the kernel does all the work. Auditd acts a lot like a
> > specialized syslog. :-)
> >
> > > I tried versions 2.3.2 and 2.4.5 of the daemon

Support was not added until 2.5.

> > > with kernel versions 3.13.0-96

Definitely won't support it.

> > > and 4.4.0-47.

The feature landed in 4.3, so 4.4 should have it. However, you need audit 2.5
or later to use the kernel feature.

> I just tried again and had the same problem:
>
> vagrant@vagrant:~$ uname -a
> Linux vagrant 4.4.0-51-generic #72~14.04.1-Ubuntu SMP Thu Nov 24 19:22:30
> UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Try pairing that with a newer auditd so that auditctl has the support to load
the rule.

-Steve

> That's a newer version than I have on my Ubuntu 16 VM, which does
> demonstrate the problem. It's also strange that restarting ssh then makes
> the accept syscall events show up. Other sshd syscalls show up in auditd
> before and after the ssh restart.
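The following is an added example, not part of this thread and not code from the audit project. It turns Steve's version thresholds (kernel 4.3 or later, audit userspace 2.5 or later) into a check a practitioner can run before blaming the daemon, and shows how to count sshd accept records in raw audit log output. Assumptions, none of which the thread states: the host is x86_64 (accept is syscall 43 and raw records carry arch=c000003e), sshd lives at /usr/sbin/sshd, and the rule Nathan is loading uses the per-executable filter (-F exe=), which is one rule feature that needs both the newer kernel and the newer auditctl. The audit records in the block are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread). Assumptions: x86_64, so
# accept is syscall 43 and raw records show arch=c000003e; sshd is
# /usr/sbin/sshd; the rule uses the assumed -F exe= filter and key sshd_accept.

# ver_ge A B: true if dotted version A >= B, comparing major.minor only.
# Handles "4.4.0-51-generic" from uname -r and "2.4.5" from auditctl -v.
ver_ge() {
    a_maj=${1%%.*}; b_maj=${2%%.*}
    case $1 in *.*) a_min=${1#*.}; a_min=${a_min%%.*};; *) a_min=0;; esac
    case $2 in *.*) b_min=${2#*.}; b_min=${b_min%%.*};; *) b_min=0;; esac
    if [ "$a_maj" -gt "$b_maj" ]; then return 0; fi
    if [ "$a_maj" -lt "$b_maj" ]; then return 1; fi
    [ "$a_min" -ge "$b_min" ]
}

# audit_stack_ok KERNEL_RELEASE AUDITCTL_VERSION: the thresholds from the thread,
# kernel >= 4.3 for the kernel side and auditctl >= 2.5 to load the rule.
audit_stack_ok() {
    ver_ge "$1" 4.3 && ver_ge "$2" 2.5
}

# The rule assumed to be under test. Load it on a live host only once
# audit_stack_ok passes; on older stacks auditctl rejects the exe filter.
SSHD_ACCEPT_RULE='-a always,exit -F arch=b64 -S accept -F exe=/usr/sbin/sshd -k sshd_accept'

# count_sshd_accepts: reads raw audit records on stdin and prints how many are
# SYSCALL records for accept (43) issued by /usr/sbin/sshd.
count_sshd_accepts() {
    awk '/^type=SYSCALL / && / arch=c000003e / && / syscall=43 / && / exe="\/usr\/sbin\/sshd" / { n++ }
         END { print n + 0 }'
}

# Constructed sample records: one accept from sshd, one execve from sshd,
# one accept from an unrelated program that happens to share the key.
SAMPLE_LOG='type=SYSCALL msg=audit(1480716822.100:101): arch=c000003e syscall=43 success=yes exit=4 a0=3 a1=7ffd0 a2=7ffd1 a3=0 items=0 ppid=1 pid=1200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="sshd_accept"
type=SYSCALL msg=audit(1480716822.200:102): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1480716822.300:103): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="nc" exe="/bin/nc" key="sshd_accept"'

demo() {
    # The three combinations discussed in the thread: old kernel, new kernel
    # with old auditctl, and new kernel with new auditctl.
    for combo in "3.13.0-96-generic 2.4.5" "4.4.0-51-generic 2.4.5" "4.4.0-51-generic 2.5"; do
        set -- $combo
        if audit_stack_ok "$1" "$2"; then
            echo "kernel $1 + auditctl $2: can load '$SSHD_ACCEPT_RULE'"
        else
            echo "kernel $1 + auditctl $2: too old to load the rule"
        fi
    done
    echo "sshd accept records in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_sshd_accepts)"
    # On a live host that passes the check:
    #   auditctl $SSHD_ACCEPT_RULE && auditctl -l
    #   ausearch -k sshd_accept --raw | count_sshd_accepts
}
demo
```

On a real host, feed the check with `uname -r` and the version string from `auditctl -v`, then compare `ausearch -k sshd_accept --raw` piped into count_sshd_accepts against the number of connections you actually made; a zero there with a loaded rule points at the kernel side, not at auditd, which only writes what the kernel sends.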