On Sat, 2007-07-28 at 00:06 +0200, Peter Zijlstra wrote:
On Fri, 2007-07-27 at 23:55 +0200, Peter Zijlstra wrote:
> On Fri, 2007-07-27 at 16:57 -0400, Steve Grubb wrote:
>
> > I don't know of anything special, it's a fully updated rawhide machine. I am not
> > running any tests, this is at the prompt in runlevel 3. I have audit=1 as a
> > boot parameter in grub.conf and very simple audit rules for that machine:
> >
> > -D
> > -b 256
> > -a exit,always -S sethostname
> > -w /etc/selinux/config
> >
> > which is not exotic.
[root@opteron ~]# auditctl -D
No rules
[root@opteron ~]# auditctl -b 256
AUDIT_STATUS: enabled=0 flag=1 pid=0 rate_limit=0 backlog_limit=256 lost=0 backlog=0
[root@opteron ~]# auditctl -a exit,always -S sethostname
[root@opteron ~]# auditctl -w /etc/selinux/config
[root@opteron ~]# man auditd
[root@opteron ~]# auditd -f
Config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
log_format_parser called with: RAW
priority_boost_parser called with: 3
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 4
dispatch_parser called with: /sbin/audispd
qos_parser called with: lossy
max_log_size_parser called with: 5
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
Started dispatcher: /sbin/audispd pid: 3375
type=DAEMON_START msg=audit(1185574384.343:9448) auditd start, ver=1.5.3, format=raw, auid=4294967295 pid=3373 res=success, auditd pid=3373
config_manager init complete
Init complete, auditd 1.5.3 listening for events
type=CONFIG_CHANGE msg=audit(1185574384.450:6): audit_enabled=1 old=0 by auid=4294967295 res=1
type=SYSCALL msg=audit(1185574406.346:7): arch=c000003e syscall=2 success=yes exit=3 a0=2ba34c4f61f6 a1=0 a2=1b6 a3=0 items=1 ppid=2903 pid=3376 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=CWD msg=audit(1185574406.346:7): cwd="/"
type=PATH msg=audit(1185574406.346:7): item=0 name="/etc/selinux/config" inode=19989869 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=USER_ACCT msg=audit(1185574406.528:8): user pid=3376 uid=0 auid=4294967295 msg='PAM: accounting acct=root : exe="/usr/sbin/sshd" (hostname=192.168.0.32, addr=192.168.0.32, terminal=ssh res=success)'
...
-----------
When I pressed ctrl-c to try -a exit,always -S execve, I found this on my serial console:
-----------
Kernel 2.6.23-rc1 on an x86_64
opteron.programming.kicks-ass.net login:
[ 75.452053] audit(1185574293.834:2): audit_backlog_limit=256 old=64 by auid=4294967295 res=1
[ 120.237812] audit(1185574338.691:3): auid=4294967295 op=add rule key=(null) list=4 res=1
[ 149.512552] audit(1185574368.012:4): auid=4294967295 op=add rule key=(null) list=4 res=1
[ 165.816721] audit(1185574384.343:5): audit_pid=3373 old=0 by auid=4294967295
[ 465.113754] Unable to handle kernel NULL pointer dereference at 0000000000000484 RIP:
[ 465.119212] [<ffffffff802785fc>] __audit_signal_info+0x3c/0x150
[ 465.127628] PGD 79f32067 PUD 0
[ 465.130772] Oops: 0000 [1] PREEMPT SMP
[ 465.134614] CPU 1
[ 465.136622] Modules linked in: nfsd exportfs autofs4 binfmt_misc ext2 sbs fan dock container battery ac nvram loop evbug evdev thermal psmouse i2c_piix4 processor button i2c_core sr_mod cdrom sg shpchp pci_hotplug sd_mod ext3 jbd mbcache ehci_hcd ohci_hcd uhci_hcd usbcore
[ 465.160924] Pid: 3151, comm: sshd Not tainted 2.6.23-rc1 #8
[ 465.166465] RIP: 0010:[<ffffffff802785fc>] [<ffffffff802785fc>] __audit_signal_info+0x3c/0x150
[ 465.175128] RSP: 0018:ffff8100731e5be8 EFLAGS: 00010202
[ 465.180408] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8100718b0000
[ 465.187503] RDX: 0000000000000001 RSI: ffff810068614000 RDI: 0000000000000002
[ 465.194600] RBP: ffff8100731e5bf8 R08: 0000000000000001 R09: 0000000000000000
[ 465.201697] R10: 0000000000000001 R11: 0000000000000001 R12: ffff810068614000
[ 465.208792] R13: ffff810068614000 R14: 0000000000000001 R15: ffff810074e77000
[ 465.215888] FS: 00002b8c2dc90870(0000) GS:ffff810001102380(0000) knlGS:0000000000000000
[ 465.223935] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 465.229649] CR2: 0000000000000484 CR3: 0000000037cfc000 CR4: 00000000000006e0
[ 465.236745] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 465.243841] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 465.250936] Process sshd (pid: 3151, threadinfo ffff8100731e4000, task ffff8100718b0000)
[ 465.258983] Stack: 0000000000000001 0000000000000002 ffff8100731e5c28 ffffffff80247788
[ 465.266993] 0000000000200200 ffff810068614218 0000000000000002 ffff810068614000
[ 465.274388] ffff8100731e5c68 ffffffff80248bb6 ffff8100731e5c78 0000000000000246
[ 465.281599] Call Trace:
[ 465.284215] [<ffffffff80247788>] check_kill_permission+0x88/0x160
[ 465.290362] [<ffffffff80248bb6>] group_send_sig_info+0x26/0x90
[ 465.296249] [<ffffffff80248eca>] __kill_pgrp_info+0x3a/0x70
[ 465.301877] [<ffffffff80248f37>] kill_pgrp_info+0x37/0x60
[ 465.307332] [<ffffffff80248f78>] kill_pgrp+0x18/0x20
[ 465.312355] [<ffffffff803a31ce>] n_tty_receive_buf+0x76e/0x1010
[ 465.318331] [<ffffffff80423ffc>] sock_aio_read+0x14c/0x160
[ 465.323874] [<ffffffff8025a0d6>] get_lock_stats+0x16/0x60
[ 465.329328] [<ffffffff8025a12e>] put_lock_stats+0xe/0x40
[ 465.334696] [<ffffffff8025a1c3>] lock_release_holdtime+0x63/0x80
[ 465.340756] [<ffffffff802535a9>] add_wait_queue+0x49/0x60
[ 465.346213] [<ffffffff803a537c>] pty_write+0x4c/0x60
[ 465.351238] [<ffffffff803a2935>] write_chan+0x255/0x380
[ 465.356521] [<ffffffff80233f80>] default_wake_function+0x0/0x10
[ 465.362496] [<ffffffff8039fca9>] tty_write+0x199/0x250
[ 465.367690] [<ffffffff803a26e0>] write_chan+0x0/0x380
[ 465.372800] [<ffffffff802ae0a4>] vfs_write+0xe4/0x190
[ 465.377910] [<ffffffff802ae770>] sys_write+0x50/0x90
[ 465.382933] [<ffffffff8020c1be>] system_call+0x7e/0x83
[ 465.388131]
[ 465.389610]
[ 465.389610] Code: 8b 83 84 04 00 00 85 c0 74 53 48 8b 83 48 04 00 00 48 85 c0
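The raw-format records that auditd printed above (the -w /etc/selinux/config watch firing when sshd opens the file) share one msg=audit(timestamp:serial) id per event. The following is an added example, not code from the mail or from the audit package: a small parser that groups the SYSCALL/CWD/PATH records by serial and reports which file was touched and whether the login uid was ever set. The sample input is the mail's own records with the mailer wrapping removed.

```python
import re
from collections import defaultdict

# Sample input: audit records copied from the mail above, rejoined onto
# single lines. The parser itself is an added example, not auditd code.
SAMPLE = """\
type=CONFIG_CHANGE msg=audit(1185574384.450:6): audit_enabled=1 old=0 by auid=4294967295 res=1
type=SYSCALL msg=audit(1185574406.346:7): arch=c000003e syscall=2 success=yes exit=3 a0=2ba34c4f61f6 a1=0 a2=1b6 a3=0 items=1 ppid=2903 pid=3376 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=CWD msg=audit(1185574406.346:7): cwd="/"
type=PATH msg=audit(1185574406.346:7): item=0 name="/etc/selinux/config" inode=19989869 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = 4294967295  # (uid_t)-1: no login uid was ever set on the task


def parse_record(line):
    """Split one raw-format record into (type, timestamp, serial, fields)."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    # Bare words such as "by" carry no '=' and are simply skipped.
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    return rtype, float(ts), int(serial), fields


def group_events(text):
    """Records sharing msg=audit(ts:serial) form one event; key them by serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, _ts, serial, fields = rec
            events[serial][rtype] = fields
    return dict(events)


def summarize(event):
    """Reduce one event to the facts a reviewer wants: who, what file, did it succeed."""
    sc = event.get('SYSCALL', {})
    auid = int(sc.get('auid', UNSET_AUID))
    return {
        'comm': sc.get('comm'),
        'exe': sc.get('exe'),
        'success': sc.get('success') == 'yes',
        'path': event.get('PATH', {}).get('name'),
        'auid_unset': auid == UNSET_AUID,
    }
```

On this sample, event 7 resolves to sshd successfully opening /etc/selinux/config with no login uid set, which is exactly what the watch rule was meant to surface.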