On Saturday, December 3, 2016 2:11:04 AM EST Nathan Cooprider wrote:
> Hi! It sounds like I'm missing something obvious!
> On Fri, Dec 2, 2016 at 5:13 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
> > Hello,
> >
> > Addressing a couple obvious things here...
> >
> > On Friday, December 2, 2016 9:55:17 PM EST Nathan Cooprider wrote:
> > > On Fri, Dec 2, 2016 at 4:09 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
> > > > On Friday, December 2, 2016 8:43:46 PM EST Nathan Cooprider wrote:
> > > > > Auditd seems to miss accept syscalls from ssh on Ubuntu 14.
> > > >
> > > > It's not auditd, the kernel does all the work. Auditd acts a lot like a
> > > > specialized syslog. :-)
> > > >
> > > > > I tried versions 2.3.2 and 2.4.5 of the daemon
> >
> > Support was not added until 2.5.
> Support for what?

Audit by executable. In the example that I gave I showed the syntax for how
you would audit accept only for sshd. I presume that you are not auditing
accept across the whole system. What rule are you using to audit accept?

> Auditing the accept syscall? What do you mean by "support"? Those are auditd
> versions that I'm talking about. Is that what you mean? Sorry if I was not
> clear. What did it do with accept syscalls before then? I do not see this
> reflected in the changelog

Let's take a look at how you are auditing it and maybe that will explain a few
things. Also, does Ubuntu 14 use upstart or systemd? And perhaps for good
measure include just 1 event when it does work.

-Steve

> https://people.redhat.com/sgrubb/audit/ChangeLog
> > > > > with kernel versions 3.13.0-96
> >
> > Definitely won't support it.
> Support what?
> > > > > and 4.4.0-47.
> >
> > The feature landed in 4.3, so 4.4 should have it. However, you need audit 2.5
> > or later to use the kernel feature.
> What feature are you talking about? This sounds like it could be the issue,
> but I am not sure to what you are actually referring.
> > > I just tried again and had the same problem:
> > > vagrant@vagrant:~$ uname -a
> > > Linux vagrant 4.4.0-51-generic #72~14.04.1-Ubuntu SMP Thu Nov 24 19:22:30 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
> >
> > Try pairing that with a newer auditd so that auditctl has the support to load
> > the rule.
> I'll check this out. My initial attempts to compile more recent versions
> than 2.4.5 on the newer kernel in Ubuntu 14 had issues, but those are
> probably personal problems.
> > -Steve
> >
> > > That's a newer version than I have on my Ubuntu 16 VM, which does
> > > demonstrate the problem. It's also strange that restarting ssh then makes
> > > the accept syscall events show up. Other sshd syscalls show up in auditd
> > > before and after the ssh restart.
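The two prerequisites Steve names (exe filter in kernel 4.3 or later, auditctl from audit 2.5 or later to load an `-F exe=` rule) are easy to get wrong on a distro that ships an old userspace with a backported kernel, as on the Ubuntu 14 box above. The following is an added example, not code from the thread, that checks both versions before emitting the per-executable accept rule; the sshd path /usr/sbin/sshd and the inclusion of accept4 are assumptions.

```shell
#!/bin/sh
# Added example: verify the kernel/userspace pair supports audit-by-executable
# before loading an accept rule limited to sshd. Not part of the original thread.

# version_ge A B -> exit 0 when dotted numeric version A >= B (e.g. 2.4.5 vs 2.5)
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a='' ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b='' ;; esac
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# check_prereqs KERNEL_RELEASE AUDITCTL_VERSION
# The exe filter landed in kernel 4.3; auditctl needs audit 2.5+ to parse -F exe=.
check_prereqs() {
    kern=$(printf '%s\n' "$1" | cut -d- -f1)   # 4.4.0-51-generic -> 4.4.0
    if ! version_ge "$kern" 4.3; then
        echo "kernel $1 predates the exe filter (needs >= 4.3)" >&2; return 1
    fi
    if ! version_ge "$2" 2.5; then
        echo "auditctl $2 cannot load -F exe= rules (needs >= 2.5)" >&2; return 1
    fi
    return 0
}

# The rule itself: audit accept() only when the calling binary is sshd.
# /usr/sbin/sshd is an assumed path; accept4 is added because libc may use it.
sshd_accept_rule() {
    printf '%s\n' "-a always,exit -F arch=b64 -S accept -S accept4 -F exe=/usr/sbin/sshd -k sshd_accept"
}

# Constructed inputs matching the thread: new kernel with old userspace fails,
# the same kernel paired with audit 2.5 passes and prints the rule to load.
check_prereqs 4.4.0-51-generic 2.4.5 || echo "fix: upgrade the audit userspace"
check_prereqs 4.4.0-51-generic 2.5 && sshd_accept_rule
```

On a live host, feed it `$(uname -r)` and the version reported by `auditctl -v`, then load the printed rule with auditctl or add it to audit.rules.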