Hello,
Addressing a couple obvious things here...
On Friday, December 2, 2016 9:55:17 PM EST Nathan Cooprider wrote:
> On Fri, Dec 2, 2016 at 4:09 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
> > On Friday, December 2, 2016 8:43:46 PM EST Nathan Cooprider wrote:
> > > Auditd seems to miss accept syscalls from ssh on Ubuntu 14.
> >
> > It's not auditd, the kernel does all the work. Auditd acts a lot like a
> > specialized syslog. :-)
> >
> > > I tried versions 2.3.2 and 2.4.5 of the daemon

Support was not added until 2.5.

> > > with kernel versions 3.13.0-96

Definitely won't support it.

> > > and 4.4.0-47.

The feature landed in 4.3, so 4.4 should have it. However, you need audit 2.5
or later to use the kernel feature.

> I just tried again and had the same problem:
>
> vagrant@vagrant:~$ uname -a
> Linux vagrant 4.4.0-51-generic #72~14.04.1-Ubuntu SMP Thu Nov 24 19:22:30 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Try pairing that with a newer auditd so that auditctl has the support to load
the rule.

-Steve

> That's a newer version than I have on my Ubuntu 16 VM, which does
> demonstrate the problem. It's also strange that restarting ssh then makes
> the accept syscall events show up. Other sshd syscalls show up in auditd
> before and after the ssh restart.
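An added example, not part of the thread, that turns the version pairing Steve gives (kernel 4.3 or later together with audit userspace 2.5 or later) into a check to run before loading the rule: it parses the kernel release and the `auditctl -v` output (assumed to print "auditctl version X.Y.Z") and only then loads an accept() rule for sshd. The `-F exe=` filter in the rule is my assumption about what the rule being discussed looks like; the thread itself does not say.

```sh
#!/bin/sh
# Added example, not from the thread: check the version pairing Steve gives
# (kernel >= 4.3 AND audit userspace >= 2.5) before trying to load a rule that
# depends on it. Assumption: `auditctl -v` prints "auditctl version X.Y.Z".

# version_ge A B: succeed when dotted version A >= B. Compares three numeric
# fields and drops any distro suffix such as "-51-generic" first.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s.0.0' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s.0.0' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# audit_prereqs_ok KERNEL_RELEASE AUDITCTL_VERSION_LINE: succeed only when both
# thresholds from the thread are met, e.g. "4.4.0-51-generic" "auditctl version 2.5".
audit_prereqs_ok() {
    aver=$(printf '%s' "$2" | sed 's/.*version //')
    version_ge "$1" 4.3 && version_ge "$aver" 2.5
}

# load_sshd_accept_rule: audit accept() calls made by sshd, but only if the
# prerequisites hold; an old auditctl rejects the rule and an old kernel cannot
# honour it. The -F exe= filter is my assumption about the rule in question,
# not something the thread states. Needs root; not called below.
load_sshd_accept_rule() {
    audit_prereqs_ok "$(uname -r)" "$(auditctl -v 2>/dev/null)" || {
        echo "need kernel >= 4.3 and audit >= 2.5; not loading rule" >&2
        return 1
    }
    auditctl -a always,exit -F arch=b64 -S accept -F exe=/usr/sbin/sshd -k sshd_accept
}

# Report the live host without changing anything (safe to run unprivileged).
if audit_prereqs_ok "$(uname -r)" "$(auditctl -v 2>/dev/null || echo 'auditctl version 0')"; then
    echo "versions ok for the sshd accept rule on kernel $(uname -r)"
else
    echo "version mismatch: pair kernel >= 4.3 with audit >= 2.5"
fi
```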