Auditd misses accept syscalls from sshd

Steve Grubb sgrubb at redhat.com
Mon Dec 5 22:44:06 UTC 2016


On Monday, December 5, 2016 4:42:14 PM EST Nathan Cooprider wrote:
> On Sat, Dec 3, 2016 at 12:47 PM Steve Grubb <sgrubb at redhat.com> wrote:
> > > > Support was not added until 2.5.
> > > 
> > > Support for what?
> > 
> > Audit by executable. In the example that I gave I showed the syntax for
> > how you would audit accept only for sshd. I presume that you are not
> > auditing accept across the whole system. What rule are you using to audit
> > accept?
> 
> Here's what I have:
> 
> vagrant at vagrant:~$ uname -a
> Linux vagrant 4.4.0-51-generic #72~14.04.1-Ubuntu SMP Thu Nov 24 19:22:30
> UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
> vagrant at vagrant:~$ sudo auditctl -l
> No rules
> vagrant at vagrant:~$ sudo auditctl -a exit,always -F arch=b64 -S accept
> vagrant at vagrant:~$ sudo auditctl -l
> LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=accept
> 
> For my case, I am auditing accept syscalls across the whole system. I want
> to look for when that syscall occurs in my log and alert on it.

OK. I was thinking that perhaps you had the rule qualified with -F auid>=500 -F 
auid!=-1 to detect user-originating events and the restart (because it's 
upstart) would put your auid into sshd's and then you were successful in 
auditing. If the above rule is in fact what you are auditing with, and you 
have audit=1 on your grub kernel boot command line, then I am out of guesses. 
Sounds like a problem unique to your kernel since you have found kernels that 
work fine.

-Steve
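
A log-side check for the situation discussed above, added here as an example (not code from the list or from Steve): it scans audit records for accept/accept4 SYSCALL events issued by sshd, using constructed sample records, the x86_64 arch value from the auditctl -l output above, and an assumed sshd path of /usr/sbin/sshd; the accept4 match and the auid-unset flag are my additions.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample audit.log records (not from the thread). arch=c000003e is
# the x86_64 value shown by auditctl -l; syscall 43 is accept, 288 is accept4.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1480977600.101:201): arch=c000003e syscall=43 success=yes exit=5 ppid=1 pid=1234 auid=4294967295 uid=0 ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="accept_watch"
type=SYSCALL msg=audit(1480977600.102:202): arch=c000003e syscall=43 success=yes exit=4 ppid=1 pid=2345 auid=1000 uid=0 ses=2 comm="nginx" exe="/usr/sbin/nginx" key="accept_watch"
type=SYSCALL msg=audit(1480977600.103:203): arch=c000003e syscall=288 success=no exit=-11 ppid=1 pid=1234 auid=4294967295 uid=0 ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="accept_watch"
type=PROCTITLE msg=audit(1480977600.101:201): proctitle="/usr/sbin/sshd -D"
"""

ACCEPT_SYSCALLS = {"43": "accept", "288": "accept4"}  # x86_64 syscall numbers
AUID_UNSET = "4294967295"  # auid=-1 printed unsigned: started at boot, no login session

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key=value fields, unquoting quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def accept_events(lines: Iterable[str], exe: str = "/usr/sbin/sshd") -> List[dict]:
    """Return accept/accept4 SYSCALL records whose exe matches `exe`.
    This is the log-side equivalent of the thread's rule restricted to one
    executable (the -F exe= filter, available from audit 2.5 per Steve)."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        name = ACCEPT_SYSCALLS.get(rec.get("syscall", ""))
        if name is None or rec.get("exe") != exe:
            continue
        hits.append({
            "syscall": name,
            "pid": rec.get("pid", ""),
            "success": rec.get("success") == "yes",
            # auid unset means the daemon came up at boot; a rule qualified with
            # -F auid>=500 -F auid!=-1 would therefore never match these records
            "auid_unset": rec.get("auid") == AUID_UNSET,
        })
    return hits


if __name__ == "__main__":
    for hit in accept_events(SAMPLE_LOG.splitlines()):
        print(hit)
```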
