public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Auditd misses accept syscalls from sshd
Date: Fri, 02 Dec 2016 16:09:44 -0500
Message-ID: <3811129.XXtPaolnaT@x2>
In-Reply-To: <CAMMwpch6UvX71gnX2_+fohBxhtS=fyV-=2NhtAvQeY8fi5W8Lg@mail.gmail.com>

On Friday, December 2, 2016 8:43:46 PM EST Nathan Cooprider wrote:
> Auditd seems to miss accept syscalls from ssh on Ubuntu 14.

It's not auditd; the kernel does all the work. Auditd acts a lot like a
specialized syslog.  :-)


> I tried versions 2.3.2 and 2.4.5 of the daemon with kernel versions
> 3.13.0-96 and 4.4.0-47. In all cases the accept syscall (43) failed to show
> up until after I restarted the ssh daemon. It's especially weird because I
> don't see this problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am
> seeing this or where to look?

It works fine on my 4.8 kernel:
# uname -r
4.8.10-200.fc24.x86_64

# auditctl -a always,exit -F arch=b64 -S accept,accept4 -F exe=/usr/sbin/sshd -F key=test

# ssh localhost
# exit

# ausearch --start recent -k test -i
----
type=CONFIG_CHANGE msg=audit(12/02/2016 15:53:00.297:917) : auid=sgrubb ses=5
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key=test
list=exit res=yes 
----
type=PROCTITLE msg=audit(12/02/2016 15:53:07.287:919) : proctitle=/usr/sbin/sshd 
type=SOCKADDR msg=audit(12/02/2016 15:53:07.287:919) : saddr={ fam=inet6 laddr=::1 lport=52740 } 
type=SYSCALL msg=audit(12/02/2016 15:53:07.287:919) : arch=x86_64
syscall=accept success=yes exit=5 a0=0x4 a1=0x7ffdd5bd06a0 a2=0x7ffdd5bd068c
a3=0x0 items=0 ppid=1 pid=1071 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
key=test 

I don't know if there were any bug fixes that made it start working. I also
think I was doing some testing on kernels close to when the audit by
executable code first went upstream and I remember not getting the results I
wanted. I had other things to do and when I came back to it I could not
replicate the missing events. I had upgraded the kernel in the meantime.

Does using a newer kernel fix it for you?

-Steve

> I found a similar question in the archives, but it seems to do with the
> architecture size and not OS versions:
> https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html
> 
> I also posted this question on Stack Overflow:
> http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework
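As an added example that is not part of the thread, the following Python parser reads `ausearch -i` output like the excerpt above, regroups records by event serial (re-joining records that a mail client wrapped across lines) and lists the accept/accept4 events attributed to /usr/sbin/sshd under the rule key, which is the check Nathan's report calls for. The sample records are constructed, modelled on the ones quoted above; event 921 is a made-up failed accept4.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ausearch -i records quoted in the mail; the
# 919 SYSCALL record is left wrapped across lines the way the mail client wrapped it.
SAMPLE = """\
type=PROCTITLE msg=audit(12/02/2016 15:53:07.287:919) : proctitle=/usr/sbin/sshd
type=SOCKADDR msg=audit(12/02/2016 15:53:07.287:919) : saddr={ fam=inet6 laddr=::1 lport=52740 }
type=SYSCALL msg=audit(12/02/2016 15:53:07.287:919) : arch=x86_64
syscall=accept success=yes exit=5 a0=0x4 pid=1071 auid=unset comm=sshd exe=/usr/sbin/sshd key=test
----
type=SYSCALL msg=audit(12/02/2016 15:53:09.100:921) : arch=x86_64 syscall=accept4 success=no exit=EAGAIN(Resource temporarily unavailable) pid=1071 comm=sshd exe=/usr/sbin/sshd key=test
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\{[^}]*\}|\S+)')  # key=value; quoted and {...} values kept whole
SERIAL_RE = re.compile(r'msg=audit\((.+?):(\d+)\)')     # (timestamp, event serial)

def parse_events(text):
    """Group records by event serial: {serial: {record_type: {field: value}}}.
    Lines without a 'type=' prefix are continuation lines produced by mail
    wrapping and are glued onto the previous record before field extraction."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        if line.startswith("type="):
            records.append(line)
        elif records:
            records[-1] += " " + line
    events = defaultdict(dict)
    for rec in records:
        m = SERIAL_RE.search(rec)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rec)}
            events[m.group(2)][fields["type"]] = fields
    return dict(events)

def accepts_from(events, exe="/usr/sbin/sshd", key="test"):
    """(serial, syscall, succeeded, peer) for each accept/accept4 event whose
    SYSCALL record names `exe` and carries the rule key `key`."""
    hits = []
    for serial in sorted(events, key=int):
        sc = events[serial].get("SYSCALL")
        if not sc or sc.get("syscall") not in ("accept", "accept4"):
            continue
        if sc.get("exe") != exe or sc.get("key") != key:
            continue
        peer = events[serial].get("SOCKADDR", {}).get("saddr", "(no SOCKADDR)")
        hits.append((serial, sc["syscall"], sc.get("success") == "yes", peer))
    return hits
```

Feed the output of `ausearch --start recent -k test -i` to parse_events after an ssh login; an empty list from accepts_from is the symptom the thread describes, while a non-empty one shows the executable-based rule is firing.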
