Auditd misses accept syscalls from sshd

Paul Moore paul at paul-moore.com
Fri Dec 2 21:26:29 UTC 2016


On Fri, Dec 2, 2016 at 3:43 PM, Nathan Cooprider
<ncooprider at yankeehacker.com> wrote:
> Auditd seems to miss accept syscalls from ssh on Ubuntu 14. I tried versions
> 2.3.2 and 2.4.5 of the daemon with kernel versions 3.13.0-96 and 4.4.0-47.
> In all cases the accept syscall (43) failed to show up until after I
> restarted the ssh daemon. It's especially weird because I don't see this
> problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am seeing this or
> where to look?
>
> I found a similar question in the archives, but it seems to do with the
> architecture size and not OS versions:
> https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html
>
> I also posted this question on Stack Overflow:
> http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework

I'm not really very aware of what Ubuntu is doing wrt their default
audit configuration, but this really sounds like you need to add
'audit=1' to the kernel command line.

-- 
paul moore
www.paul-moore.com
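
Added example, not from this thread or from the audit project: a small POSIX shell check for the two conditions behind the suggestion above. Without audit=1 on the kernel command line, tasks forked before auditing was first enabled get no audit context and their syscalls are never recorded, so a daemon such as sshd that started before auditd stays invisible until it is restarted; the script checks /proc/cmdline for audit=1 and compares the start times of sshd and auditd. Assumptions: a Linux /proc, pgrep available, and the daemons' comm names being exactly sshd and auditd; the SAMPLE_STAT line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check the two things that decide whether
# sshd's accept() calls can ever reach auditd on this host.
# Without audit=1, tasks forked before auditing was first enabled get no audit
# context, so their syscalls are never recorded; a daemon that started before
# auditd stays invisible until it is restarted.

# has_audit_param CMDLINE: succeeds if audit=1 appears as a whole token
has_audit_param() {
    for tok in $1; do
        [ "$tok" = "audit=1" ] && return 0
    done
    return 1
}

# stat_starttime STATLINE: print field 22 (starttime, clock ticks since boot)
# of a /proc/<pid>/stat line. The comm field may contain spaces, so split
# after the closing parenthesis first; starttime is then the 20th token.
stat_starttime() {
    printf '%s\n' "$1" | sed 's/^.*) //' | awk '{print $20}'
}

# started_before DAEMON_TICKS AUDITD_TICKS: succeeds if the daemon predates auditd
started_before() {
    [ "$1" -lt "$2" ]
}

# Constructed /proc/<pid>/stat line for testing (starttime = 2100 ticks)
SAMPLE_STAT="1234 (ssh d) S 1 1234 1234 0 -1 4194560 1000 0 0 0 5 3 0 0 20 0 1 0 2100 12345678 500 4294967295"

# report: live check on the running system; skips quietly if tools are absent
report() {
    cmdline=$(cat /proc/cmdline 2>/dev/null) || { echo "no /proc/cmdline"; return 0; }
    if has_audit_param "$cmdline"; then
        echo "audit=1 is on the kernel command line"
    else
        echo "audit=1 missing: daemons started before auditd will not be audited"
    fi
    sshd_pid=$(pgrep -o -x sshd 2>/dev/null) || { echo "sshd not found"; return 0; }
    auditd_pid=$(pgrep -o -x auditd 2>/dev/null) || { echo "auditd not found"; return 0; }
    sshd_t=$(stat_starttime "$(cat "/proc/$sshd_pid/stat")")
    auditd_t=$(stat_starttime "$(cat "/proc/$auditd_pid/stat")")
    if started_before "$sshd_t" "$auditd_t"; then
        echo "sshd ($sshd_pid) started before auditd ($auditd_pid): restart sshd or boot with audit=1"
    else
        echo "sshd ($sshd_pid) started after auditd ($auditd_pid)"
    fi
}

report
```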