Unhelpful events
Richard Guy Briggs
rgb at redhat.com
Mon Jun 7 19:22:43 UTC 2021
On 2021-06-07 14:38, Steve Grubb wrote:
> On Monday, June 7, 2021 1:42:49 PM EDT Richard Guy Briggs wrote:
> > On 2021-06-07 11:32, Steve Grubb wrote:
> > > Hello,
> > >
> > > While patching up the event normalizer, I run across these events which
> > > really have no useful information:
> > >
> > > type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
> > >
> > > type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948
> >
> > Fedora? "-a task,never"?
>
> Nope. It is event #4. Does this even need to be sent? A TIME_INJOFFSET with
> no supporting info is not helpful.
I'm guessing that matching op=LOAD was done by systemd/init PID=1.
> > I assume ghak120 should be present in what you are using by now (v5.11)?
>
> 5.12.8
Ok, that rules out that possibility.
> > https://github.com/linux-audit/audit-kernel/issues/120
> > "BUG: accompanying records missing for requried records when no rules
> > present"
>
> There is no syscall anywhere near this:
>
> type=SERVICE_STOP msg=audit(06/06/2021 08:44:53.922:973) : pid=1 uid=root
> auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=systemd-
> hostnamed comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=?
> terminal=? res=success'
> ----
> type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:974) : table=nat
> family=bridge entries=0 op=xt_unregister pid=5833
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
> ----
> type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:975) : table=broute
> family=bridge entries=0 op=xt_unregister pid=5833
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
> ----
> type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter
> family=bridge entries=0 op=xt_unregister pid=5833
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
These three would have been preceded by an op=xt_register event that
may not have been logged up to 30 seconds earlier.
> > > type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter
> > > family=bridge entries=0 op=xt_unregister pid=5833
> > > subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
>
> > This is as complete as this event is going to get. It is a kernel
> > event, reaping an unused table after a timeout. See
> > https://github.com/linux-audit/audit-kernel/issues/25
>
> auid=-1 ses=-1 was it successful?
Sounds like it needs a "success" field that will be a duplicate of the
same field when a SYSCALL record is present.
I have also seen a NETFILTER_CFG op=xt_register (event#5) that was
systemd/init PID=1 or a hard-linked kernel module (rather than loadable
initiated by userspace) that was kernel-initiated.
> Was the BPF event successful? Is there the equivalent of a task struct for BPF
> programs that tells anything about who it belonged to?
The BPF unload events appear to be in the same situation as the
type=NETFILTER_CFG op=xt_unregister events, kernel-initiated, matched
with an op=LOAD event by prog-id= field with full details. Perhaps it
also needs pid= subj= comm= and success= fields.
> -Steve
>
> > > Either their syscall record is missing or they simply do not have all the
> > > necessary information. (Subject, action, object, results)
> > >
> > > -Steve
> >
> > - RGB
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
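The pairing described in this thread (a BPF op=UNLOAD matched to its earlier op=LOAD by prog-id, and a NETFILTER_CFG op=xt_unregister matched to the xt_register that preceded it within a reap window) can be done on the consumer side while the kernel records lack their own subject and result fields. The script below is an added example written for this page; it is not code from the audit-userspace normalizer or from anyone on the thread. The audit records it parses are constructed (the serials, PIDs and the SYSCALL companion of the LOAD event are invented), and the 30-second window is an assumption taken from the remark above about how much earlier the xt_register may have been logged.

```python
import re
from collections import OrderedDict

# Constructed sample records (not captured from a real system). The layouts
# follow the raw key=value form the kernel emits; serials and PIDs are invented.
SAMPLE_LOG = """\
type=BPF msg=audit(1622913700.100:15001): prog-id=137 op=LOAD
type=SYSCALL msg=audit(1622913700.100:15001): arch=c000003e syscall=321 success=yes exit=5 pid=1 auid=4294967295 uid=0 ses=4294967295 subj=system_u:system_r:init_t:s0 comm="systemd" exe="/usr/lib/systemd/systemd"
type=NETFILTER_CFG msg=audit(1622913710.000:15010): table=filter family=bridge entries=4 op=xt_register pid=5833 subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
type=NETFILTER_CFG msg=audit(1622913735.000:15020): table=filter family=bridge entries=0 op=xt_unregister pid=5833 subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948
"""

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): ?(?P<body>.*)$")
FIELD_RE = re.compile(r"""([\w-]+)=("[^"]*"|'[^']*'|\S+)""")

SUBJECT_FIELDS = ("pid", "auid", "uid", "ses", "subj", "comm", "exe")
RESULT_FIELDS = ("success", "res")

# Assumption for this example: an xt_unregister is paired with the most recent
# xt_register for the same table/family logged no more than this many seconds earlier.
XT_REAP_WINDOW = 30.0


def parse_record(line):
    """Split one raw audit line into its header and a dict of body fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(lines):
    """Merge all records sharing a serial (e.g. BPF + SYSCALL) into one event."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"serial": rec["serial"], "ts": rec["ts"],
                                               "types": [], "fields": {}})
        ev["types"].append(rec["type"])
        ev["fields"].update(rec["fields"])
    return list(events.values())


def missing_context(fields):
    """Report which of subject / result an event's merged fields do not carry."""
    missing = []
    if not any(f in fields for f in SUBJECT_FIELDS):
        missing.append("subject")
    if not any(f in fields for f in RESULT_FIELDS):
        missing.append("result")
    return missing


def normalize(lines):
    """Attach the matching LOAD / xt_register context to UNLOAD / xt_unregister events."""
    loads = {}       # prog-id -> (serial, subject fields) of the BPF LOAD event
    registers = {}   # (table, family) -> (ts, serial, subject fields) of xt_register
    out = []
    for ev in group_events(lines):
        f = ev["fields"]
        subject = {k: f[k] for k in SUBJECT_FIELDS if k in f}
        source = "own" if subject else None
        matched = None
        is_bpf = "BPF" in ev["types"]
        is_nf = "NETFILTER_CFG" in ev["types"]
        if is_bpf and f.get("op") == "LOAD":
            loads[f.get("prog-id")] = (ev["serial"], subject)
        elif is_bpf and f.get("op") == "UNLOAD":
            matched = loads.get(f.get("prog-id"))
        elif is_nf and f.get("op") == "xt_register":
            registers[(f.get("table"), f.get("family"))] = (ev["ts"], ev["serial"], subject)
        elif is_nf and f.get("op") == "xt_unregister":
            reg = registers.get((f.get("table"), f.get("family")))
            if reg and 0 <= ev["ts"] - reg[0] <= XT_REAP_WINDOW:
                matched = (reg[1], reg[2])
        if matched and not subject:
            # The kernel-initiated event carries no subject; borrow the loader's.
            subject, source = dict(matched[1]), "inherited"
        out.append({"serial": ev["serial"], "types": ev["types"], "op": f.get("op"),
                    "subject": subject, "subject_source": source,
                    "matched_serial": matched[0] if matched else None,
                    # Only the subject is inherited; the result of the unload itself stays unknown.
                    "missing": missing_context({**f, **subject})})
    return out


if __name__ == "__main__":
    for e in normalize(SAMPLE_LOG.splitlines()):
        print(e["serial"], e["types"], e["op"], "matched:", e["matched_serial"],
              "subject:", e["subject_source"], "missing:", e["missing"])
```

Run against the sample, the UNLOAD of prog-id=137 inherits pid=1/comm=systemd from serial 15001, the xt_unregister is paired with serial 15010 but already had its own pid/subj/comm, and TIME_INJOFFSET stays flagged as lacking both subject and result, which is the gap the thread is pointing at.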