Auditd misses accept syscalls from sshd

Nathan Cooprider ncooprider at yankeehacker.com
Fri Dec 2 21:55:17 UTC 2016


On Fri, Dec 2, 2016 at 4:09 PM Steve Grubb <sgrubb at redhat.com> wrote:

> On Friday, December 2, 2016 8:43:46 PM EST Nathan Cooprider wrote:
> > Auditd seems to miss accept syscalls from ssh on Ubuntu 14.
>
> It's not auditd, the kernel does all the work. Auditd acts a lot like a
> specialized syslog.  :-)
>
>
> > I tried versions 2.3.2 and 2.4.5 of the daemon with kernel versions
> > 3.13.0-96 and 4.4.0-47. In all cases the accept syscall (43) failed to show
> > up until after I restarted the ssh daemon. It's especially weird because I
> > don't see this problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am
> > seeing this or where to look?
>
> It works fine on my 4.8 kernel:
> # uname -r
> 4.8.10-200.fc24.x86_64
>
> # auditctl -a always,exit -F arch=b64 -S accept,accept4 -F exe=/usr/sbin/sshd -F key=test
>
> # ssh localhost
> # exit
>
> # ausearch --start recent -k test -i
> ----
> type=CONFIG_CHANGE msg=audit(12/02/2016 15:53:00.297:917) : auid=sgrubb ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key=test list=exit res=yes
> ----
> type=PROCTITLE msg=audit(12/02/2016 15:53:07.287:919) : proctitle=/usr/sbin/sshd
> type=SOCKADDR msg=audit(12/02/2016 15:53:07.287:919) : saddr={ fam=inet6 laddr=::1 lport=52740 }
> type=SYSCALL msg=audit(12/02/2016 15:53:07.287:919) : arch=x86_64 syscall=accept success=yes exit=5 a0=0x4 a1=0x7ffdd5bd06a0 a2=0x7ffdd5bd068c a3=0x0 items=0 ppid=1 pid=1071 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=test
>
> I don't know if there were any bug fixes that made it start working. I also
> think I was doing some testing on kernels close to when the audit by
> executable code first went upstream and I remember not getting the results I
> wanted. I had other things to do and when I came back to it I could not
> replicate the missing events. I had upgraded the kernel in the mean time.
>
> Does using a newer kernel fix it for you?
>
> -Steve
>
> > I found a similar question in the archives, but it seems to have to do with
> > the architecture size and not OS versions:
> > https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html
> >
> > I also posted this question on Stack Overflow:
> > http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework
>

I just tried again and had the same problem:

vagrant at vagrant:~$ uname -a
Linux vagrant 4.4.0-51-generic #72~14.04.1-Ubuntu SMP Thu Nov 24 19:22:30 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

That's a newer version than I have on my Ubuntu 16 VM, which does
demonstrate the problem. It's also strange that restarting ssh then makes
the accept syscall events show up. Other sshd syscalls show up in auditd
before and after the ssh restart.
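A small checker for the kind of test Steve ran above, added here as an example rather than anything posted in the thread: it groups interpreted `ausearch -i` records by audit serial, joins each accept/accept4 SYSCALL record with its SOCKADDR record, and counts accept events per executable, so a missing sshd entry after an `ssh localhost` shows the symptom directly. The sample records are constructed in the same layout as Steve's output; serials, pids and ports are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the interpreted (ausearch -i) layout; event 920 is a
# non-sshd accept4 that the sshd filter must leave out.
SAMPLE = """\
----
type=PROCTITLE msg=audit(12/02/2016 15:53:07.287:919) : proctitle=/usr/sbin/sshd
type=SOCKADDR msg=audit(12/02/2016 15:53:07.287:919) : saddr={ fam=inet6 laddr=::1 lport=52740 }
type=SYSCALL msg=audit(12/02/2016 15:53:07.287:919) : arch=x86_64 syscall=accept success=yes exit=5 a0=0x4 a1=0x7ffdd5bd06a0 a2=0x7ffdd5bd068c a3=0x0 items=0 ppid=1 pid=1071 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=test
----
type=SOCKADDR msg=audit(12/02/2016 15:53:09.100:920) : saddr={ fam=inet laddr=127.0.0.1 lport=40001 }
type=SYSCALL msg=audit(12/02/2016 15:53:09.100:920) : arch=x86_64 syscall=accept4 success=yes exit=7 a0=0x3 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=1 pid=2222 auid=unset uid=root comm=nginx exe=/usr/sbin/nginx key=test
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")
# a value is either a "{ ... }" group (saddr) or a run of non-blank characters
FIELD = re.compile(r"(\w+)=(\{[^}]*\}|\S+)")


def parse_events(text):
    """Group interpreted audit records by serial -> {record type: fields}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:  # '----' separators and anything else are skipped
            continue
        rtype, _ts, serial, body = m.groups()
        events[int(serial)][rtype] = dict(FIELD.findall(body))
    return events


def accept_events(text):
    """One summary per accept/accept4 SYSCALL record, joined with its SOCKADDR."""
    for serial, recs in sorted(parse_events(text).items()):
        sc = recs.get("SYSCALL", {})
        if sc.get("syscall") not in ("accept", "accept4"):
            continue
        peer = None
        raw = recs.get("SOCKADDR", {}).get("saddr")
        if raw:  # saddr={ fam=inet6 laddr=::1 lport=52740 } -> inner key=value pairs
            sa = dict(FIELD.findall(raw.strip("{} ")))
            peer = (sa.get("fam"), sa.get("laddr"), int(sa["lport"]) if "lport" in sa else None)
        yield {"serial": serial, "syscall": sc["syscall"], "pid": int(sc["pid"]),
               "exe": sc.get("exe"), "success": sc.get("success") == "yes", "peer": peer}


def sshd_accepts(text, exe="/usr/sbin/sshd"):
    """Events the rule '-S accept,accept4 -F exe=/usr/sbin/sshd' should produce."""
    return [e for e in accept_events(text) if e["exe"] == exe]


def accept_counts_by_exe(text):
    """Accept events per executable; no sshd entry after an ssh login is the symptom."""
    counts = defaultdict(int)
    for e in accept_events(text):
        counts[e["exe"]] += 1
    return dict(counts)
```

Feed it the real output with `ausearch --start recent -k test -i` piped into a file and compare the sshd count before and after restarting sshd, as the thread describes.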