public inbox for linux-audit@redhat.com
From: "Hassan Sultan" <hsultan@thefroid.net>
To: Paul Moore <paul@paul-moore.com>,
	Nathan Cooprider <ncooprider@yankeehacker.com>
Cc: linux-audit@redhat.com
Subject: Re: Auditd misses accept syscalls from sshd
Date: Fri, 02 Dec 2016 15:44:35 -0800
Message-ID: <op.yrvawl0c1jp0b1@hassan-t420>
In-Reply-To: <CAMMwpchN9FM2DCtH_JLb7UNfZ80FywgMdU_kjuXEBiiWF3px=w@mail.gmail.com>
On Fri, 02 Dec 2016 13:42:02 -0800, Nathan Cooprider
<ncooprider@yankeehacker.com> wrote:
>
>
> Thanks for the suggestion. I'm getting other audit events from sshd
> without restarting ssh. It's just the accept syscalls that do not show
> up until after I restart ssh:
>
> type=SYSCALL msg=audit(1480714641.465:54): arch=c000003e syscall=43
> success=yes exit=5 a0=3 a1=7ffce3b031b0 a2=7ffce3b0319c a3=0 items=0
> ppid=1 pid=2602 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd"
> exe="/usr/sbin/sshd" key=(null)
>
> I think that indicates the kernel is sending up audit messages. My  
> question is why the above message fails to come up until after I've  
> restarted ssh.
>

(I was the person having that issue almost 2 years ago)

I never fully investigated it, but came up with one theory explaining it:

- accept is a blocking syscall; it might be that sshd started and the
syscall was initiated before the audit rule was loaded. This would explain
why you see the event when restarting sshd.

Don't use the TCP connection time to evaluate whether the auditing worked
properly, but rather when the initial accept call was made, which
basically amounts to when sshd is started.


Hassan
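As an added example (not part of Hassan's message or anything else in this thread), here is a POSIX shell check that applies his suggestion: instead of looking at when the TCP connection arrived, compare when the sshd listener process started (field 22 of /proc/PID/stat, in clock ticks since boot, plus the btime line of /proc/stat) with when the accept rule was loaded (the CONFIG_CHANGE record auditd writes when a rule is added). The stat line, btime value and CONFIG_CHANGE record below are constructed; the CLK_TCK of 100 and the shape of the CONFIG_CHANGE record are assumptions, and only the SYSCALL timestamp comes from the record Nathan quoted.

```shell
#!/bin/sh
# Added example: decide whether an sshd listener's blocking accept(2) was entered
# before the audit rule that should have recorded it existed, by comparing the
# process start time with the timestamp of the rule's CONFIG_CHANGE record.

# Constructed /proc/PID/stat line for the sshd listener (pid 2602, ppid 1).
# Field 22 (starttime) is clock ticks since boot; here 1200000 ticks.
SAMPLE_STAT='2602 (sshd) S 1 2602 2602 0 -1 4194560 1234 0 0 0 5 3 0 0 20 0 1 0 1200000 67891200 1500 18446744073709551615'
# Constructed btime (boot time, from /proc/stat) and an assumed CLK_TCK of 100 (see getconf CLK_TCK).
SAMPLE_BTIME=1480700000
SAMPLE_CLK_TCK=100
# Constructed CONFIG_CHANGE record, approximating what auditd logs when a rule is added.
SAMPLE_RULE='type=CONFIG_CHANGE msg=audit(1480714600.123:40): auid=1000 ses=2 op=add_rule key=(null) list=4 res=1'
# The SYSCALL record quoted in the thread (accept on x86_64: arch=c000003e syscall=43), trimmed.
SAMPLE_SYSCALL='type=SYSCALL msg=audit(1480714641.465:54): arch=c000003e syscall=43 success=yes exit=5 a0=3'

# audit_ts RECORD: whole seconds from the msg=audit(SECONDS.MILLIS:SERIAL) stamp.
audit_ts() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).*/\1/p'
}

# proc_start_epoch STATLINE BTIME CLK_TCK: epoch seconds at which the process started.
# The comm field "(sshd)" may itself contain spaces, so everything up to the last
# ") " is dropped first; starttime is then the 20th remaining field (field 22 overall).
proc_start_epoch() {
    btime=$2
    clk_tck=$3
    rest=$(printf '%s\n' "$1" | sed 's/.*) //')
    set -- $rest
    echo $(( btime + ${20} / clk_tck ))
}

# sshd_predates_rule STATLINE BTIME CLK_TCK RULE_RECORD: succeeds when the process
# started, and so first entered accept, before the rule was loaded. That is the
# situation Hassan's theory describes: the accept in progress was never under the rule.
sshd_predates_rule() {
    start=$(proc_start_epoch "$1" "$2" "$3")
    rule=$(audit_ts "$4")
    [ "$start" -lt "$rule" ]
}

# Stand-alone demonstration on the constructed data.
if sshd_predates_rule "$SAMPLE_STAT" "$SAMPLE_BTIME" "$SAMPLE_CLK_TCK" "$SAMPLE_RULE"; then
    echo "sshd started $(proc_start_epoch "$SAMPLE_STAT" "$SAMPLE_BTIME" "$SAMPLE_CLK_TCK"), rule loaded $(audit_ts "$SAMPLE_RULE"): the accept in progress was entered before the rule was loaded (matches the theory above)"
else
    echo "rule was loaded before sshd started: a missing accept record would be a real gap"
fi
echo "first audited accept in the thread: $(audit_ts "$SAMPLE_SYSCALL")"
```

On a live host, feed the functions the stat line of the sshd listener (the sshd process whose ppid is 1), `awk '/^btime/ {print $2}' /proc/stat`, `getconf CLK_TCK`, and the CONFIG_CHANGE record for the rule from `ausearch -m CONFIG_CHANGE`; if the process started first, the test on the next connection says nothing about the rule until sshd has re-entered accept after the rule was loaded.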

Thread overview: 14+ messages
2016-12-02 20:43 Auditd misses accept syscalls from sshd Nathan Cooprider
2016-12-02 21:09 ` Steve Grubb
2016-12-02 21:55   ` Nathan Cooprider
2016-12-02 22:13     ` Steve Grubb
2016-12-03  2:11       ` Nathan Cooprider
2016-12-03 17:47         ` Steve Grubb
2016-12-05 16:42           ` Nathan Cooprider
2016-12-05 22:44             ` Steve Grubb
2016-12-02 21:26 ` Paul Moore
2016-12-02 21:42   ` Nathan Cooprider
2016-12-02 21:56     ` Paul Moore
2016-12-02 23:44     ` Hassan Sultan [this message]
2016-12-03  2:15       ` Nathan Cooprider
2016-12-03 17:39       ` Steve Grubb
