Early processes (daemons) do not report audit events

Kangkook Jee aixer77 at gmail.com
Thu Sep 10 20:53:57 UTC 2015


Hi all,

I debugged a bit further to identify distributions that are affected by the issue.
I repeated the same experiment with sshd from 3 more distributions.

CentOS Linux release 7.1.1503 (64-bit, 3.10.0-229.el7.x86_64): Problem NOT reproduced
CentOS release 6.6 (64-bit, 2.6.32-504.el6.x86_64): Problem NOT reproduced
Ubuntu 12.04.5 LTS (64-bit, 3.13.0-32-generic): Problem reproduced

After all, the Ubuntu family is affected by the issue, and I could confirm that results are inconsistent
across two different distribution families.

If you can let us know how we can work around the issue, it will be a great help.

Regards, Kangkook


> On Sep 9, 2015, at 11:50 PM, Kangkook Jee <aixer77 at gmail.com> wrote:
> 
> Dear all,
> 
> We are developing a custom user-space audit agent to gather a system-wide system
> call trace. While experimenting with various programs, we found out that
> processes (daemons) that started early (along with the system bootstrapping) do
> not report any audit events at all. These processes typically fall into a PID
> range of less than 2000. Here’s how I reproduced the symptom with the sshd daemon.
> 
> 1. Reboot the system
> 
> 2. Add and enable audit events
>    # /sbin/auditctl -a exit,always -F arch=b64 -S clone -S close -S creat -S dup \
>           -S dup2 -S dup3 -S execve -S exit -S exit_group -S fork -S open -S openat \
>           -S unlink -S unlinkat -S vfork -S 288 -S accept -S bind -S connect \
>           -S listen -S socket -S socketpair
>    # /sbin/auditctl -e1 -b 102400
> 
> 3. Connect to the system via ssh
>     Audit messages are generated only from child processes and none are seen from
>     the original daemon.
> 
> 4. Restart sshd 
>     # restart ssh
> 
> 5. Connect again to the system via ssh
>    Now, we see audit messages from both parent and child processes.
> 
> I did the experiment from Ubuntu 14.04.2 LTS distribution (64-bit, kernel
> version 3.13.0-58-generic).
> 
> I first wonder whether this is intended behavior of the audit framework or
> not. If it is intended, I also want to know how we can configure auditd
> differently to capture system calls from all processes.
> 
> Thanks a lot for your help in advance!
> 
> Regards, Kangkook
> 

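The symptom in the reproduction above (records from sshd's children but none from the listening daemon itself) can be confirmed from the raw audit log rather than by eye. The following is an added example, not code from the original post or from the audit project: it parses auditd/ausearch raw SYSCALL records, groups them by pid, and reports PIDs of the given comm that appear only as the ppid of audited children but never emit a record of their own. The two log excerpts are constructed to mirror the "before restart" and "after restart" observations; the PIDs in them are made up. For context on why the check matters: the kernel allocates a per-task syscall audit context only for tasks forked after audit was first enabled, so a daemon started before `auditctl -e1` has none, which is why `audit=1` on the kernel command line is the usual way to cover early-boot processes.

```python
"""Which PIDs of a daemon actually produced SYSCALL audit records?

Added example (not from the mailing-list post). Parses raw auditd/ausearch
SYSCALL records, groups them by pid, and flags parent PIDs that are referenced
by audited children but never appear as the pid of any record themselves.
"""
import re
from collections import defaultdict

# key=value tokenizer for audit records; quoted values (comm="sshd") keep
# only the text inside the quotes, unquoted values (pid=2345) are taken as-is.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample, modelled on an Ubuntu auditd raw log BEFORE sshd was
# restarted: listener pid 1109 never shows up as a pid, only as a ppid.
BEFORE_RESTART = """\
type=SYSCALL msg=audit(1441916000.101:201): arch=c000003e syscall=56 success=yes exit=2346 a0=1200011 a1=0 a2=0 a3=7f3a0c9f09d0 items=0 ppid=1109 pid=2345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1441916000.105:202): arch=c000003e syscall=2 success=yes exit=4 a0=7f3a0c9f1a00 a1=80000 a2=1b6 a3=0 items=1 ppid=2345 pid=2346 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=CWD msg=audit(1441916000.105:202):  cwd="/"
type=PATH msg=audit(1441916000.105:202): item=0 name="/etc/ssh/sshd_config" inode=1311 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1441916000.106:203): arch=c000003e syscall=3 success=yes exit=0 a0=4 a1=0 a2=0 a3=0 items=0 ppid=2345 pid=2346 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1441916001.200:204): arch=c000003e syscall=59 success=yes exit=0 a0=1f8e2a0 a1=1f8e3c0 a2=1f8e6f0 a3=7ffd2c8f0c60 items=2 ppid=2346 pid=2400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="bash" exe="/bin/bash" key=(null)
"""

# Constructed sample AFTER "restart ssh": the new listener pid 3001 (ppid=1)
# now emits its own records, and its child 3010 references it as ppid.
AFTER_RESTART = """\
type=SYSCALL msg=audit(1441916100.001:301): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=7ffd1b0d2a20 a2=7ffd1b0d2a1c a3=0 items=0 ppid=1 pid=3001 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1441916100.002:302): arch=c000003e syscall=56 success=yes exit=3010 a0=1200011 a1=0 a2=0 a3=7f3a0c9f09d0 items=0 ppid=1 pid=3001 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1441916100.010:303): arch=c000003e syscall=2 success=yes exit=4 a0=7f3a0c9f1a00 a1=80000 a2=1b6 a3=0 items=1 ppid=3001 pid=3010 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
"""


def parse_syscall_records(log_text):
    """Yield one dict of fields per type=SYSCALL record; other record types are skipped."""
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        rec = {}
        for m in _KV.finditer(line):
            rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
        yield rec


def daemon_coverage(log_text, comm):
    """Return (audited, silent_parents) for processes whose comm equals `comm`.

    audited:        {pid: number of SYSCALL records} for that comm.
    silent_parents: sorted PIDs referenced as ppid by those records that never
                    appear as the pid of *any* SYSCALL record (pid 1 excluded,
                    since init is not expected to match the comm). A non-empty
                    list is the "parent daemon reports nothing" symptom.
    """
    audited = defaultdict(int)
    parents = set()
    all_pids = set()
    for rec in parse_syscall_records(log_text):
        pid = int(rec["pid"])
        all_pids.add(pid)
        if rec.get("comm") != comm:
            continue
        audited[pid] += 1
        parents.add(int(rec["ppid"]))
    silent = sorted(p for p in parents if p not in all_pids and p != 1)
    return dict(audited), silent


def report(log_text, comm="sshd"):
    """Human-readable one-liner per run, for use from the command line."""
    audited, silent = daemon_coverage(log_text, comm)
    verdict = "OK" if not silent else "PARENT NOT AUDITED: " + ", ".join(map(str, silent))
    return f"{comm}: audited pids={sorted(audited)} -> {verdict}"


if __name__ == "__main__":
    print("before restart:", report(BEFORE_RESTART))
    print("after restart: ", report(AFTER_RESTART))
```

On a live system the same functions can be fed `ausearch -i` is not suitable (it rewrites fields); use the raw form, e.g. `ausearch --raw -c sshd` or `/var/log/audit/audit.log`, and pass the text to `daemon_coverage`. A silent parent with a PID well below the ones created after the rules were loaded is the signature of a process that existed before audit was enabled.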