On Friday, December 2, 2016 8:43:46 PM EST Nathan Cooprider wrote:
> Auditd seems to miss accept syscalls from ssh on Ubuntu 14.
It's not auditd, the kernel does all the work. Auditd acts a lot like a
specialized syslog. :-)
> I tried versions 2.3.2 and 2.4.5 of the daemon with kernel versions
> 3.13.0-96 and 4.4.0-47. In all cases the accept syscall (43) failed to show
> up until after I restarted the ssh daemon. It's especially weird because I
> don't see this problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am
> seeing this or where to look?
It works fine on my 4.8 kernel:
# uname -r
4.8.10-200.fc24.x86_64
# auditctl -a always,exit -F arch=b64 -S accept,accept4 -F exe=/usr/sbin/sshd -F key=test
# ssh localhost
# exit
# ausearch --start recent -k test -i
----
type=CONFIG_CHANGE msg=audit(12/02/2016 15:53:00.297:917) : auid=sgrubb ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key=test list=exit res=yes
----
type=PROCTITLE msg=audit(12/02/2016 15:53:07.287:919) : proctitle=/usr/sbin/sshd
type=SOCKADDR msg=audit(12/02/2016 15:53:07.287:919) : saddr={ fam=inet6 laddr=::1 lport=52740 }
type=SYSCALL msg=audit(12/02/2016 15:53:07.287:919) : arch=x86_64 syscall=accept success=yes exit=5 a0=0x4 a1=0x7ffdd5bd06a0 a2=0x7ffdd5bd068c a3=0x0 items=0 ppid=1 pid=1071 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=test
I don't know if there were any bug fixes that made it start working. I also
think I was doing some testing on kernels close to when the audit by
executable code first went upstream and I remember not getting the results I
wanted. I had other things to do and when I came back to it I could not
replicate the missing events. I had upgraded the kernel in the meantime.
Does using a newer kernel fix it for you?
-Steve
> I found a similar question in the archives, but it seems to do with the
> architecture size and not OS versions:
> https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html
> I also posted this question on Stack Overflow:
> http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework
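The check Steve runs above (load an accept/accept4 rule filtered on exe=/usr/sbin/sshd, connect, then ausearch -k test -i) is the one to repeat on the affected kernels, and it is easier to repeat if the ausearch output is checked mechanically rather than by eye. The script below is an added example written for this thread; it is not code from the thread, from Steve or Nathan, or from the audit project. It parses "ausearch -i" output, groups records by the event serial inside msg=audit(...), lists accept/accept4 events whose SYSCALL record carries the given exe, and returns one of three verdicts: the rule never loaded (no CONFIG_CHANGE add_rule with that key), the rule loaded but no accept events were recorded (what Nathan reports before restarting sshd), or events are present. The sample input, the constant names, and the function names (parse_events, sshd_accepts, diagnose) are all assumptions of the example; the sample is constructed from the records quoted above.

```python
#!/usr/bin/env python3
"""Check whether an audit rule on accept/accept4 actually produced events.

Added example, not code from the linux-audit thread or the audit project.
Reads 'ausearch -i' output from stdin (or the constructed sample below),
groups records by event serial and reports accept() calls made by sshd.
"""
import re
import sys
from collections import OrderedDict

# Constructed sample, modelled on the ausearch -i output quoted in the thread.
SAMPLE = """\
----
type=CONFIG_CHANGE msg=audit(12/02/2016 15:53:00.297:917) : auid=sgrubb ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key=test list=exit res=yes
----
type=PROCTITLE msg=audit(12/02/2016 15:53:07.287:919) : proctitle=/usr/sbin/sshd
type=SOCKADDR msg=audit(12/02/2016 15:53:07.287:919) : saddr={ fam=inet6 laddr=::1 lport=52740 }
type=SYSCALL msg=audit(12/02/2016 15:53:07.287:919) : arch=x86_64 syscall=accept success=yes exit=5 a0=0x4 a1=0x7ffdd5bd06a0 a2=0x7ffdd5bd068c a3=0x0 items=0 ppid=1 pid=1071 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=test
"""
# Constructed: the same search with only the rule load, i.e. the situation
# reported for Ubuntu 14 before sshd was restarted.
SAMPLE_RULE_ONLY = "\n".join(SAMPLE.splitlines()[:2]) + "\n"

# type=T msg=audit(TIMESTAMP:SERIAL) : key=value ...
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\) : (?P<body>.*)$")
# key=value, where value is "quoted", a { nested=group } or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\{[^}]*\}|\S+)')


def parse_fields(body):
    fields = {}
    for key, val in FIELD_RE.findall(body):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        elif val.startswith("{") and val.endswith("}"):
            # saddr={ fam=inet6 laddr=::1 lport=52740 } -> nested dict
            val = dict(FIELD_RE.findall(val[1:-1]))
        fields[key] = val
    return fields


def parse_events(text):
    """Group records by event serial; ausearch prints one record per line."""
    events = OrderedDict()
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:  # '----' separators and blank lines
            continue
        ev = events.setdefault(m["serial"], {"ts": m["ts"], "records": {}})
        ev["records"][m["type"]] = parse_fields(m["body"])
    return events


def sshd_accepts(text, exe="/usr/sbin/sshd"):
    """Return accept/accept4 events whose SYSCALL record came from `exe`."""
    hits = []
    for serial, ev in parse_events(text).items():
        sc = ev["records"].get("SYSCALL")
        if (not sc or sc.get("exe") != exe
                or sc.get("syscall") not in ("accept", "accept4")):
            continue
        addr = ev["records"].get("SOCKADDR", {}).get("saddr")
        hits.append({
            "serial": serial,
            "ts": ev["ts"],
            "syscall": sc["syscall"],
            "success": sc.get("success") == "yes",
            "fd": sc.get("exit"),  # exit value of accept() is the new fd
            "pid": sc.get("pid"),
            "key": sc.get("key"),
            # for accept() the SOCKADDR record holds the connecting peer
            "addr": ("[%s]:%s" % (addr.get("laddr"), addr.get("lport"))
                     if addr else None),
        })
    return hits


def diagnose(text, key="test", exe="/usr/sbin/sshd"):
    """'rule-not-loaded', 'no-accept-events' or 'ok'."""
    rule_loaded = any(
        r.get("op") == "add_rule" and r.get("key") == key
        for ev in parse_events(text).values()
        for t, r in ev["records"].items() if t == "CONFIG_CHANGE")
    if not rule_loaded:
        return "rule-not-loaded"
    return "ok" if sshd_accepts(text, exe) else "no-accept-events"


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for h in sshd_accepts(text):
        print("%s pid=%s %s -> fd %s from %s"
              % (h["ts"], h["pid"], h["syscall"], h["fd"], h["addr"]))
    print(diagnose(text))
```

On a live system the intended use is "ausearch --start recent -k test -i | python3 thisscript.py" after the auditctl rule and the ssh localhost round trip; run with no stdin it works on the constructed sample. A verdict of no-accept-events with the rule loaded is exactly the Ubuntu 14 symptom in the thread, and is the case to re-run after restarting sshd or on a newer kernel, as Steve suggests.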