Auditd misses accept syscalls from sshd

Nathan Cooprider ncooprider at yankeehacker.com
Fri Dec 2 20:43:46 UTC 2016


Auditd seems to miss accept syscalls from ssh on Ubuntu 14. I tried
versions 2.3.2 and 2.4.5 of the daemon with kernel versions 3.13.0-96 and
4.4.0-47. In all cases the accept syscall (43) failed to show up until
after I restarted the ssh daemon. It's especially weird because I don't see
this problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am seeing
this or where to look?

I found a similar question in the archives, but it seems to do with the
architecture size and not OS versions:
https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html

I also posted this question on Stack Overflow:
http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework