From mboxrd@z Thu Jan 1 00:00:00 1970 From: Kangkook Jee Subject: Re: Early processes (daemons) do not report audit events Date: Fri, 11 Sep 2015 07:03:28 -0400 Message-ID: <5D799563-5FF9-4EEB-9FA9-27313DBA6D72@gmail.com> References: <1E6087D5-E362-4795-BD8D-1374831498E4@gmail.com> <087AE25B-79B6-4E7A-BE4B-901BE95FB81B@gmail.com> <20150911095027.GO8140@madcap2.tricolour.ca> Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) Content-Type: multipart/mixed; boundary="===============5571609401113848052==" Return-path: In-Reply-To: <20150911095027.GO8140@madcap2.tricolour.ca> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Richard Guy Briggs Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============5571609401113848052== Content-Type: multipart/alternative; boundary="Apple-Mail=_D518F594-F5A4-4EAC-A682-A02D247C9E5C" --Apple-Mail=_D518F594-F5A4-4EAC-A682-A02D247C9E5C Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Dear Richard, Thanks a lot for your reply. Please refer to my inlined replies.=20 Btw, we can stably re-produce the issue with most of Ubuntu distribution families. I think we can ship you a VM image (via Amazon S3 or = something) so as to save your time debugging it. Thanks a lot for your help again! Regards, Kangkook > On Sep 11, 2015, at 5:50 AM, Richard Guy Briggs = wrote: >=20 > On 15/09/10, Kangkook Jee wrote: >> Hi all, >>=20 >> I debugged a bit further to identify distributions that are affected = by the issue. >> I repeated the same experiment with sshd from 3 more distributions. >>=20 >> CentOS Linux release 7.1.1503 (64-bit, 3.10.0-229.el7.x86_64): = Problem NOT reproduced >> CentOS release 6.6 (64-bit, 2.6.32-504.el6.x86_64): Problem NOT = reproduced >> Ubuntu 12.04.5 LTS (64-bit, 3.13.0-32-generic): Problem reproduced >=20 > For each of these examples, what is the value of the kernel command = line > "audit=3D" if it is even present? It is possible that the = CentOS > examples include "audit=3D1" while Ubuntu omits the line. "cat > /proc/cmdline" should tell you the answer. >=20 For all testcases, I used the same auditctl options to set up rules and = I didn=E2=80=99t set any audit=3D entries. And options as same as I presented from the previous email.=20 >>> # /sbin/auditctl -a exit,always -F arch=3Db64 -S clone -S close -S = creat -S dup >>> -S dup2 -S dup3 -S execve -S exit -S exit_group -S fork -S = open -S openat=20 >>> -S unlink -S unlinkat -S vfork -S 288 -S accept -S bind -S = connect=20 >>> -S listen -S socket -S socketpair And I personally don=E2=80=99t think audit=3D would become an = issue here, since audit framework began to capture events from sshd daemon as soon as we = restarted it without making any changes. sshd was running with the same uid (or = auid) and the same permissions.=20 >> After all, Ubuntu family are affected by the issue and I could = confirm >> that results are inconsistent across two different distribution >> families.=20 >=20 > I would be curious what your results are with a recent Debian and with = a > recent Fedora. >=20 I will redo the same experiment with those distribution and let you know = how it goes.=20 >> If you can let us know how can we workaround the issue, it will be a = great help. >>=20 >> Regards, Kangkook >>=20 >>=20 >>> On Sep 9, 2015, at 11:50 PM, Kangkook Jee wrote: >>>=20 >>> Dear all, >>>=20 >>> We are developing custom user space audit agent to gather system = wide system >>> call trace. While experimenting with various programs, we found out = that >>> processes (daemons) that started early (along with the system = bootstrapping) do >>> not report any audit events at all. These processes typically fall = into PID >>> range of less than 2000. Here=E2=80=99s how I reproduced the symptom = with sshd daemon. >>>=20 >>> 1. Reboot the system >>>=20 >>> 2. Add and enable audit events >>> # /sbin/auditctl -a exit,always -F arch=3Db64 -S clone -S close -S = creat -S dup >>> -S dup2 -S dup3 -S execve -S exit -S exit_group -S fork -S = open -S openat=20 >>> -S unlink -S unlinkat -S vfork -S 288 -S accept -S bind -S = connect=20 >>> -S listen -S socket -S socketpair >>> # /sbin/auditctl -e1 -b 102400 >>>=20 >>> 3. Connect to the system via ssh >>> Audit messages generated only from child processes and none are = seen from >>> the original daemon. >>>=20 >>> 4. Restart sshd=20 >>> # restart ssh >>>=20 >>> 5. Connect again to the system via ssh >>> Now, we see audit messages from both parent and child processes. >>>=20 >>> I did the experiment from Ubuntu 14.04.2 LTS distribution (64-bit, = kernel >>> version 3.13.0-58-generic). >>>=20 >>> I first wonder whether this is intended behavior of audit framework = or >>> not. If it is intended, I also want to know how can we configure = auditd >>> differently to capture system calls from all processes.=20 >>>=20 >>> Thanks a lot for your help in advance! >>>=20 >>> Regards, Kangkook >>>=20 >>=20 >=20 >> -- >> Linux-audit mailing list >> Linux-audit@redhat.com >> https://www.redhat.com/mailman/listinfo/linux-audit = >=20 >=20 > - RGB >=20 > -- > Richard Guy Briggs > > Senior Software Engineer, Kernel Security, AMER ENG Base Operating = Systems, Red Hat > Remote, Ottawa, Canada > Voice: +1.647.777.2635, Internal: (81) 32635, Alt: = +1.613.693.0684x3545 --Apple-Mail=_D518F594-F5A4-4EAC-A682-A02D247C9E5C Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8 Dear Richard,

Thanks a lot for your reply. Please refer to my inlined = replies. 

Btw, we can stably re-produce the issue with = most of Ubuntu distribution
families. I think we = can ship you a VM image (via Amazon S3 or something) so as
to save your time debugging it.

Thanks a lot for your help = again!

Regards, = Kangkook

On Sep 11, 2015, at 5:50 AM, = Richard Guy Briggs <rgb@redhat.com> wrote:

On 15/09/10, Kangkook Jee wrote:
Hi all,
I debugged a bit further to identify distributions that are = affected by the issue.
I repeated the same experiment with = sshd from 3 more distributions.

CentOS = Linux release 7.1.1503 (64-bit, 3.10.0-229.el7.x86_64): Problem NOT = reproduced
CentOS release 6.6 (64-bit, = 2.6.32-504.el6.x86_64): Problem NOT reproduced
Ubuntu = 12.04.5 LTS (64-bit, 3.13.0-32-generic): Problem reproduced

For each of these = examples, what is the value of the kernel command line
"audit=3D<value>" if it is even present? =  It is possible that the CentOS
examples include "audit=3D1" while Ubuntu omits = the line.  "cat
/proc/cmdline" should tell = you the answer.


For all = testcases, I used the same auditctl options to set up rules and I = didn=E2=80=99t set any audit=3D<value> entries.
And = options as same as I presented from the previous = email. 

  # /sbin/auditctl -a exit,always -F arch=3Db64 -S = clone -S close -S creat -S dup
         -S dup2 = -S dup3 -S execve -S exit -S exit_group -S fork -S open -S = openat 
         -S = unlink -S unlinkat -S vfork -S 288 -S accept -S bind -S connect 
         -S = listen -S socket -S socketpair

And I personally don=E2=80=99t think = audit=3D<value> would become an issue here, since
audit = framework began to capture events from sshd daemon as soon as we = restarted
it without making any changes. sshd was running with = the same uid (or auid) and
the same = permissions. 

After all, Ubuntu = family are affected by the issue and I could confirm
that = results are inconsistent across two different distribution
families. 

I would be curious what = your results are with a recent Debian and with a
recent Fedora.


I will redo the same experiment with those = distribution and let you know how it goes. 


If you can let us know how can we workaround the issue, = it will be a great help.

Regards, = Kangkook


On Sep 9, 2015, at 11:50 PM, Kangkook Jee = <aixer77@gmail.com> wrote:

Dear all,

We are developing = custom user space audit agent to gather system wide system
call trace. While experimenting with various programs, we = found out that
processes (daemons) that started early = (along with the system bootstrapping) do
not report any = audit events at all. These processes typically fall into PID
range of less than 2000. Here=E2=80=99s how I reproduced the = symptom with sshd daemon.

1. Reboot the = system

2. Add and enable audit events
  # /sbin/auditctl -a exit,always -F arch=3Db64 -S = clone -S close -S creat -S dup
         -S dup2 = -S dup3 -S execve -S exit -S exit_group -S fork -S open -S openat 
         -S = unlink -S unlinkat -S vfork -S 288 -S accept -S bind -S connect 
         -S = listen -S socket -S socketpair
  # = /sbin/auditctl -e1 -b 102400

3. Connect to = the system via ssh
   Audit messages = generated only from child processes and none are seen from
   the original daemon.

4. Restart sshd 
   # restart ssh

5.= Connect again to the system via ssh
  Now, we = see audit messages from both parent and child processes.
I did the experiment from Ubuntu 14.04.2 LTS distribution = (64-bit, kernel
version 3.13.0-58-generic).

I first wonder whether this is intended = behavior of audit framework or
not. If it is intended, I = also want to know how can we configure auditd
differently = to capture system calls from all processes. 

Thanks a lot for your help in advance!

Regards, Kangkook


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


- RGB

--
Richard Guy Briggs = <rbriggs@redhat.com>
Senior Software Engineer, = Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, = Alt: +1.613.693.0684x3545

= --Apple-Mail=_D518F594-F5A4-4EAC-A682-A02D247C9E5C-- --===============5571609401113848052== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============5571609401113848052==--