Hello,
Addressing a couple of obvious things here...
On Friday, December 2, 2016 9:55:17 PM EST Nathan Cooprider wrote:
> On Fri, Dec 2, 2016 at 4:09 PM Steve Grubb <sgrubb@redhat.com> wrote:
> > On Friday, December 2, 2016 8:43:46 PM EST Nathan Cooprider wrote:
> > > Auditd seems to miss accept syscalls from ssh on Ubuntu 14.
> >
> > It's not auditd, the kernel does all the work. Auditd acts a lot like a
> > specialized syslog. :-)
> >
> > > I tried versions 2.3.2 and 2.4.5 of the daemon
Support was not added until 2.5.
Support for what? Auditing the accept syscall? What do you mean by "support"? Those are auditd versions that I'm talking about. Is that what you mean? Sorry if I was not clear. What did it do with accept syscalls before then? I do not see this reflected in the changelog.
> > > with kernel versions 3.13.0-96
Definitely won't support it.
Support what?
> > > and 4.4.0-47.
The feature landed in 4.3, so 4.4 should have it. However, you need audit 2.5
or later to use the kernel feature.
What feature are you talking about? This sounds like it could be the issue, but I am not sure to what you are actually referring.
> I just tried again and had the same problem:
>
> vagrant@vagrant:~$ uname -a
> Linux vagrant 4.4.0-51-generic #72~14.04.1-Ubuntu SMP Thu Nov 24 19:22:30
> UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Try pairing that with a newer auditd so that auditctl has the support to load
the rule.
I'll check this out. My initial attempts to compile more recent versions than 2.4.5 on the newer kernel in Ubuntu 14 had issues, but those are probably personal problems.
-Steve
> That's a newer version than I have on my Ubuntu 16 VM, which does
> demonstrate the problem. It's also strange that restarting ssh then makes
> the accept syscall events show up. Other sshd syscalls show up in auditd
> before and after the ssh restart.
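An added example, written for this thread and not code from the list or from the audit project: a small Python parser over SYSCALL records in the auditd log format that tallies which syscalls the kernel actually recorded per process name (the comm= field), so you can check whether accept/accept4 events from sshd are present once a rule such as `auditctl -a always,exit -F arch=b64 -S accept -S accept4 -k sshd_accept` loads. The syscall numbers are the x86_64 values; the log lines, pids and rule keys are constructed.

```python
import re
from collections import Counter, defaultdict

# x86_64 syscall numbers (subset of the kernel's syscall table). A SYSCALL
# record carries only the number, so names are resolved here.
X86_64_SYSCALLS = {0: "read", 1: "write", 41: "socket", 43: "accept", 288: "accept4"}
AUDIT_ARCH_X86_64 = "c000003e"  # value auditd prints in the arch= field

# Constructed sample records modelled on auditd's SYSCALL line format.
# Serial 102 is the accept() call from sshd that the thread is looking for;
# serial 105 is a non-SYSCALL record and must be ignored by the parser.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1480711234.001:101): arch=c000003e syscall=0 success=yes exit=32 a0=3 a1=7ffd0 a2=100 a3=0 items=0 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key="sshd_io"
type=SYSCALL msg=audit(1480711234.002:102): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=7ffd0 a2=7ffd4 a3=0 items=0 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key="sshd_accept"
type=SYSCALL msg=audit(1480711234.003:103): arch=c000003e syscall=1 success=yes exit=64 a0=5 a1=7ffd0 a2=40 a3=0 items=0 ppid=1234 pid=1240 auid=1000 uid=1000 gid=1000 comm="sshd" exe="/usr/sbin/sshd" key="sshd_io"
type=SYSCALL msg=audit(1480711234.004:104): arch=c000003e syscall=288 success=yes exit=6 a0=4 a1=0 a2=0 a3=80000 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 comm="nginx" exe="/usr/sbin/nginx" key="web_accept"
type=USER_LOGIN msg=audit(1480711234.005:105): pid=1240 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

# Fields that always lead a SYSCALL record, then lazy scans for comm= and key=.
RECORD_RE = re.compile(
    r'^type=SYSCALL msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+) success=(?P<success>yes|no) '
    r'.*?\bcomm="(?P<comm>[^"]*)"(?:.*?\bkey="(?P<key>[^"]*)")?'
)


def parse_syscall_records(text):
    """Yield one dict per SYSCALL record; other record types are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        nr = int(m.group("nr"))
        if m.group("arch") == AUDIT_ARCH_X86_64:
            name = X86_64_SYSCALLS.get(nr, f"syscall_{nr}")
        else:
            # Other arches (e.g. 32-bit compat) use different numbering.
            name = f"arch_{m.group('arch')}_{nr}"
        yield {
            "serial": int(m.group("serial")),
            "syscall": name,
            "comm": m.group("comm"),
            "success": m.group("success") == "yes",
            "key": m.group("key"),
        }


def syscalls_by_comm(text):
    """Count recorded syscalls per process name (the comm= field)."""
    counts = defaultdict(Counter)
    for rec in parse_syscall_records(text):
        counts[rec["comm"]][rec["syscall"]] += 1
    return dict(counts)


def missing_syscalls(text, comm, expected=("accept", "accept4")):
    """Return the expected syscall names that never appear for `comm`.

    A non-empty result for sshd after the rule has loaded means the kernel
    is not emitting those events, which is the symptom discussed above.
    """
    seen = syscalls_by_comm(text).get(comm, Counter())
    return [name for name in expected if seen[name] == 0]


if __name__ == "__main__":
    for comm, counts in syscalls_by_comm(SAMPLE_LOG).items():
        print(comm, dict(counts))
    print("sshd missing:", missing_syscalls(SAMPLE_LOG, "sshd"))
```

Run it against a real /var/log/audit/audit.log by passing the file contents instead of SAMPLE_LOG. Counting both accept and accept4 matters: a rule that names only `-S accept` records nothing if the libc on the box issues accept4 instead, so a zero count for one of the two is the first thing to distinguish from the kernel or auditctl version problem Steve describes.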