Auditd doesn't receive syscalls after installation for the current shell.

Wed May 24 19:12:16 UTC 2023

On 24.05.2023 17:53, Paul Moore wrote:
> On Wed, May 24, 2023 at 10:46 AM Steve Grubb <sgrubb at redhat.com> wrote:
>> On Wednesday, May 24, 2023 7:37:27 AM EDT Rinat Gadelshin wrote:
>>> Hello there.
>>>
>>> It seems that the kernel doesn't send messages for syscalls of the shell
>>> process from which auditd is installed.
>>>
>>> Reproducing steps (performed on Ubuntu 22.04 x86_64 on virtual box by
>>> `root`):
>>>
>>> step #1: $ apt install auditd
>>> step #2: $ auditctl -a always,exit -F arch=b64 -S openat,renameat2,unlinkat
>>> step #3: $ echo t>delme;echo t2>>delme;cat delme;mv delme d;mv d
>>> delme;rm delme
>>> step #4: $ service auditd stop
>>> step #5: $ ausearch -f delme
>>>
>>> There are syscalls from /usr/bin/cat, /usr/bin/mv, /usr/bin/rm but there
>>> are no any syscalls (openat expected)
>>> for /usr/bin/bash (current shell process) for the file.
>>>
>>> If step #3 is performed from another tty, then openat syscalls
>>> (CREATE for the first echo and NORMAL for the second one)
>>> is logged for the /usr/bin/bash process.
>>>
>>> `uname -a` returns: Linux grin-vb-ubuntu-22-0-4 5.19.0-41-generic
>>> #42~22.04.01-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64
>>> x86_64 x86_64 GNU/Linux
>>>
>>> Should I open an issue for the case at
>>> https://github.com/linux-audit/audit-kernel ?
>> Are you booting with audit=1 ? If not, the install process and any before it
>> are not auditable. You will only get events for processes started after audit
>> enabled = 1.
> It is also worth noting that some distributions (I'm not sure if this
> applies to Ubuntu) effectively limit auditing with their default
> runtime configuration, see the wiki page below for more information:
>
> * https://github.com/linux-audit/audit-documentation/wiki/HOWTO-Fedora-Enable-Auditing
>
Steve, Paul, thank you!
It make the situation completely clear to me =)