On Monday, December 5, 2016 4:42:14 PM EST Nathan Cooprider wrote:
On Sat, Dec 3, 2016 at 12:47 PM Steve Grubb <sgrubb(a)redhat.com>
wrote:
> > > Support was not added until 2.5.
> >
> > Support for what?
>
> Audit by executable. In the example that I gave I showed the syntax for
> how you would audit accept only for sshd. I presume that you are not
> auditing accept across the whole system. What rule are you using to audit
> accept?
Here's what I have:
vagrant@vagrant:~$ uname -a
Linux vagrant 4.4.0-51-generic #72~14.04.1-Ubuntu SMP Thu Nov 24 19:22:30
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
vagrant@vagrant:~$ sudo auditctl -l
No rules
vagrant@vagrant:~$ sudo auditctl -a exit,always -F arch=b64 -S accept
vagrant@vagrant:~$ sudo auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=accept
For my case, I am auditing accept syscalls across the whole system. I want
to look for when that syscall occurs in my log and alert on it.
OK. I was thinking that perhaps you had the rule qualified with -F auid>=500 -F
auid!=-1 to detect user-originating events and the restart (because it's
upstart) would put your auid into sshd's and then you were successful in
auditing. If the above rule is in fact what you are auditing with, and you
have audit=1 on your grub kernel boot command line, then I am out of guesses.
Sounds like a problem unique to your kernel since you have found kernels that
work fine.
-Steve
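The alerting side of the question above (watch the audit log for accept syscall records and flag them), as an added example that is not part of the thread or of the audit package. It parses constructed type=SYSCALL lines in the kernel's key=value format and applies the same qualifiers the thread discusses: whole-system (the rule Nathan listed), per-executable (the -F exe= filter Steve mentions, which needs audit 2.5 or later), and -F auid>=500 -F auid!=-1 (user-originating events only, which drops daemons started at boot, whose auid is unset and prints as 4294967295). It goes slightly beyond the page by optionally matching accept4 (x86_64 syscall 288) alongside accept (43); the sample records, PIDs and paths are invented.

```python
"""Scan audit.log SYSCALL records for accept() calls and decide which ones to alert on.

Added example, not code from the thread or from the audit project. Syscall
numbers are the x86_64 ones (arch=c000003e, i.e. -F arch=b64 in auditctl).
"""
import re

X86_64_ARCH = "c000003e"     # arch shown by `auditctl -l` above (0xc000003e)
SYSCALL_ACCEPT = 43          # x86_64 accept()
SYSCALL_ACCEPT4 = 288        # x86_64 accept4(); not discussed on the page, optional here
AUID_UNSET = 4294967295      # how the kernel prints auid=-1 (login UID never set, e.g. boot-started daemons)

# Constructed sample records (invented values; field layout follows the kernel's SYSCALL line).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1480940534.101:201): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=7ffd1b2c4e90 a2=7ffd1b2c4e8c a3=0 items=0 ppid=1 pid=1105 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=PROCTITLE msg=audit(1480940534.101:201): proctitle=2F7573722F7362696E2F73736864
type=SYSCALL msg=audit(1480940540.222:202): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 items=0 ppid=1 pid=1105 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1480940551.333:203): arch=c000003e syscall=43 success=yes exit=4 a0=3 a1=7ffe2a8c1d40 a2=7ffe2a8c1d3c a3=0 items=0 ppid=2300 pid=2311 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="python3" exe="/usr/bin/python3" key="net-accept"
type=SYSCALL msg=audit(1480940560.444:204): arch=c000003e syscall=288 success=yes exit=6 a0=3 a1=0 a2=0 a3=80000 items=0 ppid=2300 pid=2350 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="nc" exe="/bin/nc" key=(null)
"""

# key=value pairs; quoted values may contain spaces, unquoted ones run to the next blank.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit log line into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def matches(rec, syscalls, exe=None, min_auid=None, exclude_unset_auid=False):
    """Apply the same qualifiers an auditctl rule would.

    syscalls           -> -S accept (and optionally accept4)
    exe                -> -F exe=/usr/sbin/sshd   (audit 2.5+ per the thread)
    min_auid           -> -F auid>=500
    exclude_unset_auid -> -F auid!=-1 (needed with auid>=500, because 4294967295 >= 500)
    """
    if rec.get("type") != "SYSCALL" or rec.get("arch") != X86_64_ARCH:
        return False                       # syscall numbers are per-arch; only trust b64 records
    if int(rec["syscall"]) not in syscalls:
        return False
    if exe is not None and rec.get("exe") != exe:
        return False
    auid = int(rec.get("auid", AUID_UNSET))
    if exclude_unset_auid and auid == AUID_UNSET:
        return False
    if min_auid is not None and auid < min_auid:
        return False
    return True


def find_accepts(log_text, syscalls=frozenset({SYSCALL_ACCEPT}), **filters):
    """Return the SYSCALL records worth alerting on, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if matches(rec, syscalls, **filters):
            # msg=audit(<time>:<serial>): -> pull the serial so the alert can be joined to other records
            serial = rec["msg"].split(":")[1].rstrip(")")
            hits.append({"serial": serial, "pid": rec.get("pid"),
                         "exe": rec.get("exe"), "auid": rec.get("auid")})
    return hits


if __name__ == "__main__":
    # Whole-system accept auditing, as in the rule Nathan listed.
    for hit in find_accepts(SAMPLE_LOG):
        print("ALERT accept() serial=%(serial)s pid=%(pid)s exe=%(exe)s auid=%(auid)s" % hit)
```

Run against a real /var/log/audit/audit.log the same function works line by line; pass exe="/usr/sbin/sshd" to mirror the per-executable rule, or min_auid=500 with exclude_unset_auid=True to mirror the auid qualifiers Steve guessed at, which would silently drop every accept from a daemon whose auid was never set.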