Hi all, I debugged a bit further to identify distributions that are affected by the issue. I repeated the same experiment with sshd from 3 more distributions.
CentOS Linux release 7.1.1503 (64-bit, 3.10.0-229.el7.x86_64): Problem NOT reproduced
CentOS release 6.6 (64-bit, 2.6.32-504.el6.x86_64): Problem NOT reproduced
Ubuntu 12.04.5 LTS (64-bit, 3.13.0-32-generic): Problem reproduced

After all, the Ubuntu family is affected by the issue, and I could confirm that results are inconsistent across two different distribution families. If you can let us know how we can work around the issue, it will be a great help.

Regards, Kangkook

> On Sep 9, 2015, at 11:50 PM, Kangkook Jee <[email protected]> wrote:
>
> Dear all,
>
> We are developing a custom user space audit agent to gather a system-wide system
> call trace. While experimenting with various programs, we found out that
> processes (daemons) that started early (along with the system bootstrapping) do
> not report any audit events at all. These processes typically fall into a PID
> range of less than 2000. Here's how I reproduced the symptom with the sshd daemon.
>
> 1. Reboot the system
>
> 2. Add and enable audit events
> # /sbin/auditctl -a exit,always -F arch=b64 -S clone -S close -S creat -S dup -S dup2 -S dup3 -S execve -S exit -S exit_group -S fork -S open -S openat -S unlink -S unlinkat -S vfork -S 288 -S accept -S bind -S connect -S listen -S socket -S socketpair
> # /sbin/auditctl -e1 -b 102400
>
> 3. Connect to the system via ssh
> Audit messages are generated only from child processes and none are seen from
> the original daemon.
>
> 4. Restart sshd
> # restart ssh
>
> 5. Connect again to the system via ssh
> Now, we see audit messages from both parent and child processes.
>
> I did the experiment on the Ubuntu 14.04.2 LTS distribution (64-bit, kernel
> version 3.13.0-58-generic).
>
> I first wonder whether this is intended behavior of the audit framework or
> not. If it is intended, I also want to know how we can configure auditd
> differently to capture system calls from all processes.
>
> Thanks a lot for your help in advance!
>
> Regards, Kangkook
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
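A quick way to verify the symptom reported in this thread from the audit log itself, as an added example that is not code from the poster or from the audit project: it reads raw audit records (the `type=SYSCALL ... ppid=... pid=... comm="..."` line format written to audit.log), counts records per PID for a given `comm`, and reports PIDs that appear only as the `ppid=` of an audited child but never as `pid=` themselves, which is exactly what a daemon that pre-dates the rules looks like. The sample records are constructed, not captured from a real host.

```python
import re
from collections import Counter

# Field patterns for raw audit records. \b keeps "pid=" from matching inside "ppid=".
PID_RE = re.compile(r'\bpid=(\d+)')
PPID_RE = re.compile(r'\bppid=(\d+)')
COMM_RE = re.compile(r'\bcomm="([^"]*)"')

# Constructed sample: sshd listener 1104 forked 2345, which forked 2346.
# Only the children emit SYSCALL records; 1104 shows up solely as a ppid.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1441858200.101:300): arch=c000003e syscall=56 success=yes '
    'exit=2346 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1104 pid=2345 auid=4294967295 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) '
    'ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)',
    'type=SYSCALL msg=audit(1441858200.102:301): arch=c000003e syscall=2 success=yes '
    'exit=4 a0=7f2a a1=0 a2=0 a3=0 items=1 ppid=2345 pid=2346 auid=1000 uid=1000 '
    'gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 '
    'tty=(none) ses=1 comm="sshd" exe="/usr/sbin/sshd" key=(null)',
    'type=SYSCALL msg=audit(1441858200.103:302): arch=c000003e syscall=3 success=yes '
    'exit=0 a0=5 a1=0 a2=0 a3=0 items=0 ppid=1 pid=980 auid=4294967295 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 '
    'comm="cron" exe="/usr/sbin/cron" key=(null)',
    'type=PROCTITLE msg=audit(1441858200.103:302): proctitle="cron"',
]


def syscall_records_by_pid(lines, comm):
    """Count SYSCALL records per pid for processes with the given comm.

    Returns (counts, parents): counts maps pid -> number of records,
    parents is the set of ppid values seen on those records.
    """
    counts = Counter()
    parents = set()
    for line in lines:
        if not line.startswith('type=SYSCALL'):
            continue  # PROCTITLE, CWD, PATH etc. carry no pid/comm of interest here
        m_comm = COMM_RE.search(line)
        if m_comm is None or m_comm.group(1) != comm:
            continue
        m_pid = PID_RE.search(line)
        if m_pid is None:
            continue
        counts[int(m_pid.group(1))] += 1
        m_ppid = PPID_RE.search(line)
        if m_ppid is not None:
            parents.add(int(m_ppid.group(1)))
    return counts, parents


def silent_parents(lines, comm):
    """PIDs that audited children name as ppid= but that never logged a record themselves."""
    counts, parents = syscall_records_by_pid(lines, comm)
    return sorted(p for p in parents if p not in counts)
```

Run it over `ausearch --raw` output (or audit.log directly) after the ssh login in step 3; a non-empty result naming the listener's PID confirms the parent daemon is not being audited, and an empty result after step 5 confirms the restart fixed it.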
