From: "Hassan Sultan"
Subject: Re: Auditd misses accept syscalls from sshd
Date: Fri, 02 Dec 2016 15:44:35 -0800
To: Paul Moore, Nathan Cooprider
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, 02 Dec 2016 13:42:02 -0800, Nathan Cooprider wrote:

> Thanks for the suggestion. I'm getting other audit events from sshd
> without restarting ssh. It's just the accept syscalls that do not show
> up until after I restart ssh:
>
> type=SYSCALL msg=audit(1480714641.465:54): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=7ffce3b031b0 a2=7ffce3b0319c a3=0 items=0 ppid=1 pid=2602 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
>
> I think that indicates the kernel is sending up audit messages. My
> question is why the above message fails to come up until after I've
> restarted ssh.

(I was the person having that issue almost 2 years ago)

I never fully investigated it, but came up with one theory explaining it:

- accept is a blocking syscall; it might be that sshd started and the syscall was initiated before the audit rule was loaded. This would explain why you see the event when restarting sshd.

Don't use the TCP connection time to evaluate whether the auditing worked properly, but rather when the initial accept call was made, which basically amounts to when sshd is started.

Hassan
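The SYSCALL record quoted in the thread and Hassan's advice (judge the rule against when sshd's blocking accept() was entered, i.e. when sshd started, not against connection time), worked through as an added example that is not part of the thread and not code from the audit project. It parses the record into fields, decodes syscall 43 on arch c000003e as accept (the syscall table here covers only the x86_64 accept family), derives a process start time from a constructed /proc/<pid>/stat line (field 22 is starttime in clock ticks since boot; btime and clk_tck are assumed to come from /proc/stat and os.sysconf('SC_CLK_TCK') in real use), and then applies the check: a listener started before the rule was loaded is not a valid test of that rule.

```python
import re

# arch=c000003e in the record is AUDIT_ARCH_X86_64; the syscall table below is
# deliberately limited to the accept family on that architecture.
AUDIT_ARCH_X86_64 = 0xC000003E
X86_64_SYSCALL_NAMES = {43: "accept", 288: "accept4"}
AUID_UNSET = 4294967295  # (unsigned)-1: the task has no login session

# Copy of the SYSCALL record quoted in the thread, embedded so this runs offline.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1480714641.465:54): arch=c000003e syscall=43 '
    'success=yes exit=5 a0=3 a1=7ffce3b031b0 a2=7ffce3b0319c a3=0 items=0 '
    'ppid=1 pid=2602 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" '
    'exe="/usr/sbin/sshd" key=(null)'
)

# Constructed /proc/2602/stat line (hypothetical values): starttime (field 22)
# is 1464100 ticks, i.e. 14641 s after boot at clk_tck=100.
SAMPLE_STAT_LINE = (
    "2602 (sshd) S 1 2602 2602 0 -1 4194560 1200 0 0 0 1 2 0 0 20 0 1 0 "
    "1464100 70000000 400"
)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
_MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_syscall_record(line):
    """Split one audit SYSCALL record into a dict of its key=value fields.

    Quoted values lose their quotes, purely decimal values become ints, and
    msg=audit(TS:SERIAL) is decoded into 'timestamp' (float) and 'serial' (int).
    """
    rec = {}
    for key, raw in _FIELD_RE.findall(line):
        if key == "msg":
            m = _MSG_RE.search(raw)
            rec["timestamp"] = float(m.group(1))
            rec["serial"] = int(m.group(2))
            continue
        value = raw.strip('"')
        rec[key] = int(value) if value.isdigit() else value
    return rec


def syscall_name(rec):
    """Name the syscall number; it only means something for the arch it was
    recorded on, so refuse anything that is not x86_64."""
    if int(rec["arch"], 16) != AUDIT_ARCH_X86_64:
        raise ValueError("syscall table is x86_64 only, got arch=%s" % rec["arch"])
    return X86_64_SYSCALL_NAMES.get(rec["syscall"], "syscall_%d" % rec["syscall"])


def process_start_time(stat_line, btime, clk_tck):
    """Absolute start time (epoch seconds) of a process from its /proc/<pid>/stat
    line. The comm field is parenthesised and may contain spaces, so the
    numeric fields are taken from after the last ')'; the first of them is
    field 3, so field 22 (starttime, ticks since boot) is index 19."""
    after_comm = stat_line[stat_line.rindex(")") + 1:].split()
    starttime_ticks = int(after_comm[22 - 3])
    return btime + starttime_ticks / clk_tck


def accept_window_is_valid(listener_started_at, rule_loaded_at):
    """Hassan's check: a blocking accept() entered before the rule was loaded
    cannot be expected to produce a record, so only judge the rule on a
    listener started after the rule was loaded (i.e. after restarting sshd)."""
    return listener_started_at >= rule_loaded_at


if __name__ == "__main__":
    rec = parse_syscall_record(SAMPLE_RECORD)
    print("%s by pid %d (%s), auid unset: %s" % (
        syscall_name(rec), rec["pid"], rec["exe"], rec["auid"] == AUID_UNSET))
    started = process_start_time(SAMPLE_STAT_LINE, btime=1480700000, clk_tck=100)
    # Rule loaded (hypothetical) 59 s after the listener started: not a valid test.
    print("valid observation window:", accept_window_is_valid(started, 1480714700))
```

In practice the listener start time comes from the live /proc/<pid>/stat of the sshd PID and the rule load time from auditctl's own CONFIG_CHANGE record or the time the rules file was applied; if the window is invalid, restart the listener after loading the rule and only then treat a missing accept record as a problem.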