Early processes (daemons) do not report audit events

Kangkook Jee aixer77 at gmail.com
Fri Sep 11 11:45:41 UTC 2015 

From the previous reply, I think I misunderstood your question regarding kernel command line. 
Here’s "cat /proc/cmdline” results for distributions that I’ve experimented. 

Ubuntu 14.04 (64-bit): 
    BOOT_IMAGE=/boot/vmlinuz-3.13.0-58-generic root=UUID=7505f862-ce46-49e5-9d1c-e4e307844889 ro text quiet splash vt.handoff=7

Ubuntu 12.04 (64-bit): 
    BOOT_IMAGE=/boot/vmlinuz-3.13.0-32-generic root=UUID=5be789be-9b0c-463e-bd18-42bfa79fb24c ro quiet splash

CentOS 7 (64-bit): 
    BOOT_IMAGE=/vmlinuz-3.10.0-229.el7.x86_64 root=/dev/mapper/centos-root ro rd.lvm.lv=centos/root rd.lvm.lv=centos/swap crashkernel=auto rhgb quiet LANG=en_US.UTF-8

CentOS 6 (64-bit): 
    ro root=UUID=a7d44560-adcc-4000-9584-8b9fcf2afd74 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=129M at 0M  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet

I don’t see any audit=<value> entries from all examples above. 

/Kangkook

> On Sep 11, 2015, at 5:50 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> 
> On 15/09/10, Kangkook Jee wrote:
>> Hi all,
>> 
>> I debugged a bit further to identify distributions that are affected by the issue.
>> I repeated the same experiment with sshd from 3 more distributions.
>> 
>> CentOS Linux release 7.1.1503 (64-bit, 3.10.0-229.el7.x86_64): Problem NOT reproduced
>> CentOS release 6.6 (64-bit, 2.6.32-504.el6.x86_64): Problem NOT reproduced
>> Ubuntu 12.04.5 LTS (64-bit, 3.13.0-32-generic): Problem reproduced
> 
> For each of these examples, what is the value of the kernel command line
> "audit=<value>" if it is even present?  It is possible that the CentOS
> examples include "audit=1" while Ubuntu omits the line.  "cat
> /proc/cmdline" should tell you the answer.
> 
>> After all, Ubuntu family are affected by the issue and I could confirm
>> that results are inconsistent across two different distribution
>> families. 
> 
> I would be curious what your results are with a recent Debian and with a
> recent Fedora.
> 
>> If you can let us know how can we workaround the issue, it will be a great help.
>> 
>> Regards, Kangkook
>> 
>> 
>>> On Sep 9, 2015, at 11:50 PM, Kangkook Jee <aixer77 at gmail.com> wrote:
>>> 
>>> Dear all,
>>> 
>>> We are developing custom user space audit agent to gather system wide system
>>> call trace. While experimenting with various programs, we found out that
>>> processes (daemons) that started early (along with the system bootstrapping) do
>>> not report any audit events at all. These processes typically fall into PID
>>> range of less than 2000. Here’s how I reproduced the symptom with sshd daemon.
>>> 
>>> 1. Reboot the system
>>> 
>>> 2. Add and enable audit events
>>>   # /sbin/auditctl -a exit,always -F arch=b64 -S clone -S close -S creat -S dup
>>>          -S dup2 -S dup3 -S execve -S exit -S exit_group -S fork -S open -S openat 
>>>          -S unlink -S unlinkat -S vfork -S 288 -S accept -S bind -S connect 
>>>          -S listen -S socket -S socketpair
>>>   # /sbin/auditctl -e1 -b 102400
>>> 
>>> 3. Connect to the system via ssh
>>>    Audit messages generated only from child processes and none are seen from
>>>    the original daemon.
>>> 
>>> 4. Restart sshd 
>>>    # restart ssh
>>> 
>>> 5. Connect again to the system via ssh
>>>   Now, we see audit messages from both parent and child processes.
>>> 
>>> I did the experiment from Ubuntu 14.04.2 LTS distribution (64-bit, kernel
>>> version 3.13.0-58-generic).
>>> 
>>> I first wonder whether this is intended behavior of audit framework or
>>> not. If it is intended, I also want to know how can we configure auditd
>>> differently to capture system calls from all processes. 
>>> 
>>> Thanks a lot for your help in advance!
>>> 
>>> Regards, Kangkook
>>> 
>> 
> 
>> --
>> Linux-audit mailing list
>> Linux-audit at redhat.com <mailto:Linux-audit at redhat.com>
>> https://www.redhat.com/mailman/listinfo/linux-audit <https://www.redhat.com/mailman/listinfo/linux-audit>
> 
> 
> - RGB
> 
> --
> Richard Guy Briggs <rbriggs at redhat.com <mailto:rbriggs at redhat.com>>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20150911/eddc885e/attachment.htm>

More information about the Linux-audit mailing list