On Sat, 2007-07-28 at 00:06 +0200, Peter Zijlstra wrote:
> On Fri, 2007-07-27 at 23:55 +0200, Peter Zijlstra wrote:
> > On Fri, 2007-07-27 at 16:57 -0400, Steve Grubb wrote:
> > 
> > > I don't know of anything special, it's a fully updated rawhide machine. I
> > > am not running any tests, this is at the prompt in runlevel 3. I have
> > > audit=1 as a boot parameter in grub.conf and very simple audit rules for
> > > that machine:
> > > 
> > > -D
> > > -b 256
> > > -a exit,always -S sethostname
> > > -w /etc/selinux/config
> > > 
> > > which is not exotic.
[EMAIL PROTECTED] ~]# auditctl -D
No rules
[EMAIL PROTECTED] ~]# auditctl -b 256
AUDIT_STATUS: enabled=0 flag=1 pid=0 rate_limit=0 backlog_limit=256 lost=0 backlog=0
[EMAIL PROTECTED] ~]# auditctl -a exit,always -S sethostname
[EMAIL PROTECTED] ~]# auditctl -w /etc/selinux/config
[EMAIL PROTECTED] ~]# man auditd
[EMAIL PROTECTED] ~]# auditd -f
Config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
log_format_parser called with: RAW
priority_boost_parser called with: 3
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 4
dispatch_parser called with: /sbin/audispd
qos_parser called with: lossy
max_log_size_parser called with: 5
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
Started dispatcher: /sbin/audispd pid: 3375
type=DAEMON_START msg=audit(1185574384.343:9448) auditd start, ver=1.5.3, format=raw, auid=4294967295 pid=3373 res=success, auditd pid=3373
config_manager init complete
Init complete, auditd 1.5.3 listening for events
type=CONFIG_CHANGE msg=audit(1185574384.450:6): audit_enabled=1 old=0 by auid=4294967295 res=1
type=SYSCALL msg=audit(1185574406.346:7): arch=c000003e syscall=2 success=yes exit=3 a0=2ba34c4f61f6 a1=0 a2=1b6 a3=0 items=1 ppid=2903 pid=3376 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=CWD msg=audit(1185574406.346:7): cwd="/"
type=PATH msg=audit(1185574406.346:7): item=0 name="/etc/selinux/config" inode=19989869 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=USER_ACCT msg=audit(1185574406.528:8): user pid=3376 uid=0 auid=4294967295 msg='PAM: accounting acct=root : exe="/usr/sbin/sshd" (hostname=192.168.0.32, addr=192.168.0.32, terminal=ssh res=success)'
...

-----------

when I pressed ctrl-c to try -a exit,always -S execve I found this on my serial
console:

-----------

Kernel 2.6.23-rc1 on an x86_64

opteron.programming.kicks-ass.net login: [   75.452053] audit(1185574293.834:2): audit_backlog_limit=256 old=64 by auid=4294967295 res=1
[  120.237812] audit(1185574338.691:3): auid=4294967295 op=add rule key=(null) list=4 res=1
[  149.512552] audit(1185574368.012:4): auid=4294967295 op=add rule key=(null) list=4 res=1
[  165.816721] audit(1185574384.343:5): audit_pid=3373 old=0 by auid=4294967295
[  465.113754] Unable to handle kernel NULL pointer dereference at 0000000000000484 RIP:
[  465.119212]  [<ffffffff802785fc>] __audit_signal_info+0x3c/0x150
[  465.127628] PGD 79f32067 PUD 0
[  465.130772] Oops: 0000 [1] PREEMPT SMP
[  465.134614] CPU 1
[  465.136622] Modules linked in: nfsd exportfs autofs4 binfmt_misc ext2 sbs fan dock container battery ac nvram loop evbug evdev thermal psmouse i2c_piix4 processor button i2c_core sr_mod cdrom sg shpchp pci_hotplug sd_mod ext3 jbd mbcache ehci_hcd ohci_hcd uhci_hcd usbcore
[  465.160924] Pid: 3151, comm: sshd Not tainted 2.6.23-rc1 #8
[  465.166465] RIP: 0010:[<ffffffff802785fc>]  [<ffffffff802785fc>] __audit_signal_info+0x3c/0x150
[  465.175128] RSP: 0018:ffff8100731e5be8  EFLAGS: 00010202
[  465.180408] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8100718b0000
[  465.187503] RDX: 0000000000000001 RSI: ffff810068614000 RDI: 0000000000000002
[  465.194600] RBP: ffff8100731e5bf8 R08: 0000000000000001 R09: 0000000000000000
[  465.201697] R10: 0000000000000001 R11: 0000000000000001 R12: ffff810068614000
[  465.208792] R13: ffff810068614000 R14: 0000000000000001 R15: ffff810074e77000
[  465.215888] FS:  00002b8c2dc90870(0000) GS:ffff810001102380(0000) knlGS:0000000000000000
[  465.223935] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  465.229649] CR2: 0000000000000484 CR3: 0000000037cfc000 CR4: 00000000000006e0
[  465.236745] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  465.243841] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  465.250936] Process sshd (pid: 3151, threadinfo ffff8100731e4000, task ffff8100718b0000)
[  465.258983] Stack:  0000000000000001 0000000000000002 ffff8100731e5c28 ffffffff80247788
[  465.266993]  0000000000200200 ffff810068614218 0000000000000002 ffff810068614000
[  465.274388]  ffff8100731e5c68 ffffffff80248bb6 ffff8100731e5c78 0000000000000246
[  465.281599] Call Trace:
[  465.284215]  [<ffffffff80247788>] check_kill_permission+0x88/0x160
[  465.290362]  [<ffffffff80248bb6>] group_send_sig_info+0x26/0x90
[  465.296249]  [<ffffffff80248eca>] __kill_pgrp_info+0x3a/0x70
[  465.301877]  [<ffffffff80248f37>] kill_pgrp_info+0x37/0x60
[  465.307332]  [<ffffffff80248f78>] kill_pgrp+0x18/0x20
[  465.312355]  [<ffffffff803a31ce>] n_tty_receive_buf+0x76e/0x1010
[  465.318331]  [<ffffffff80423ffc>] sock_aio_read+0x14c/0x160
[  465.323874]  [<ffffffff8025a0d6>] get_lock_stats+0x16/0x60
[  465.329328]  [<ffffffff8025a12e>] put_lock_stats+0xe/0x40
[  465.334696]  [<ffffffff8025a1c3>] lock_release_holdtime+0x63/0x80
[  465.340756]  [<ffffffff802535a9>] add_wait_queue+0x49/0x60
[  465.346213]  [<ffffffff803a537c>] pty_write+0x4c/0x60
[  465.351238]  [<ffffffff803a2935>] write_chan+0x255/0x380
[  465.356521]  [<ffffffff80233f80>] default_wake_function+0x0/0x10
[  465.362496]  [<ffffffff8039fca9>] tty_write+0x199/0x250
[  465.367690]  [<ffffffff803a26e0>] write_chan+0x0/0x380
[  465.372800]  [<ffffffff802ae0a4>] vfs_write+0xe4/0x190
[  465.377910]  [<ffffffff802ae770>] sys_write+0x50/0x90
[  465.382933]  [<ffffffff8020c1be>] system_call+0x7e/0x83
[  465.388131]
[  465.389610]
[  465.389610] Code: 8b 83 84 04 00 00 85 c0 74 53 48 8b 83 48 04 00 00 48 85 c0

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
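The records auditd printed above are raw audit records: every line is `type=... msg=audit(SECS.MSEC:SERIAL): key=value ...`, and all records that share a serial (here 7: SYSCALL, CWD, PATH) belong to one event. The example below is an added parser, not code from this thread or from the audit userspace, that groups such records into events and answers the two questions the rules in this report are meant to answer: who touched the watched file (`-w /etc/selinux/config`) and who called sethostname (`-S sethostname`). Serials 6 to 8 in the sample are copied from the message; serial 9 is a constructed sethostname event added so that the syscall rule has something to match. The syscall-number table (2 = open, 170 = sethostname on x86_64, arch c000003e) is the minimal partial table the sample needs, not a full map. One caveat worth keeping in the output: `auid=4294967295` is (uid_t)-1, the "login uid never set" value that sshd itself carries, so such an event cannot be attributed to a login session, and the parser reports it as None rather than as a user.

```python
"""Parse raw Linux audit records, group them into events and match the two
rules from the report (-w on /etc/selinux/config, -S sethostname).
Added example for this thread; not code from the linux-audit list or the
audit userspace."""
import re
from collections import defaultdict

# Sample input. Serials 6-8 are the records from the message; serial 9 is
# CONSTRUCTED (a sethostname call by a task with a real login uid).
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1185574384.450:6): audit_enabled=1 old=0 by auid=4294967295 res=1
type=SYSCALL msg=audit(1185574406.346:7): arch=c000003e syscall=2 success=yes exit=3 a0=2ba34c4f61f6 a1=0 a2=1b6 a3=0 items=1 ppid=2903 pid=3376 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=CWD msg=audit(1185574406.346:7): cwd="/"
type=PATH msg=audit(1185574406.346:7): item=0 name="/etc/selinux/config" inode=19989869 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=USER_ACCT msg=audit(1185574406.528:8): user pid=3376 uid=0 auid=4294967295 msg='PAM: accounting acct=root : exe="/usr/sbin/sshd" (hostname=192.168.0.32, addr=192.168.0.32, terminal=ssh res=success)'
type=SYSCALL msg=audit(1185574500.000:9): arch=c000003e syscall=170 success=yes exit=0 a0=7fff5a2c0 a1=7 a2=0 a3=0 items=0 ppid=3376 pid=3390 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="hostname" exe="/bin/hostname" key=(null)
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value where value is "double-quoted", 'single-quoted' (the PAM msg='...'), or bare.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

AUID_UNSET = 4294967295                  # (uid_t)-1: the task never got a login uid
X86_64_ARCH = "c000003e"                 # AUDIT_ARCH_X86_64 as printed in arch=
X86_64_SYSCALLS = {2: "open", 170: "sethostname"}   # partial table, enough for the sample


def _unquote(v):
    if len(v) >= 2 and v[0] in "\"'" and v[-1] == v[0]:
        return v[1:-1]
    return v


def parse_record(line):
    """One raw record -> dict(type, ts, serial, fields), or None if not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: _unquote(v) for k, v in FIELD_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def parse_nested_msg(msg):
    """Split the key=value pairs PAM packs into msg='...' (trailing ',' or ')' dropped)."""
    return {k: _unquote(v).rstrip(",)") for k, v in FIELD_RE.findall(msg)}


def group_events(text):
    """Records sharing a serial form one event; return {serial: [records]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def _summarize_syscall(serial, recs):
    sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
    if sc is None:
        return None
    f = sc["fields"]
    nr, auid = int(f["syscall"]), int(f["auid"])
    name = X86_64_SYSCALLS.get(nr, str(nr)) if f.get("arch") == X86_64_ARCH else str(nr)
    return {"serial": serial, "comm": f.get("comm"), "exe": f.get("exe"),
            "syscall": nr, "syscall_name": name,
            "auid": None if auid == AUID_UNSET else auid,  # None: no login session to blame
            "success": f.get("success") == "yes"}


def watched_file_accesses(events, path):
    """Events whose PATH record names `path` (what a -w rule produces)."""
    out = []
    for serial, recs in sorted(events.items()):
        if any(r["type"] == "PATH" and r["fields"].get("name") == path for r in recs):
            s = _summarize_syscall(serial, recs)
            if s:
                out.append(s)
    return out


def syscall_events(events, name):
    """Events whose SYSCALL record is the named syscall (what -S <name> produces)."""
    out = []
    for serial, recs in sorted(events.items()):
        s = _summarize_syscall(serial, recs)
        if s and s["syscall_name"] == name:
            out.append(s)
    return out


if __name__ == "__main__":
    ev = group_events(SAMPLE_LOG)
    for hit in watched_file_accesses(ev, "/etc/selinux/config") + syscall_events(ev, "sethostname"):
        who = "unattributed (auid unset)" if hit["auid"] is None else "auid=%d" % hit["auid"]
        print("event %d: %s by %s (%s), %s" % (hit["serial"], hit["syscall_name"],
                                              hit["comm"], hit["exe"], who))
```

Run against the sample it reports event 7 as an open of /etc/selinux/config by sshd with no login uid, and the constructed event 9 as a sethostname by auid 500. Grouping by serial rather than by line is what makes the PATH name and the SYSCALL comm/exe line up; scanning single records would show the file name and the calling program in different lines.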
