From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Unhelpful events
Date: Mon, 07 Jun 2021 14:38:57 -0400
Message-ID: <3112762.aeNJFYEL58@x2>
In-Reply-To: <20210607174249.GX2268484@madcap2.tricolour.ca>

On Monday, June 7, 2021 1:42:49 PM EDT Richard Guy Briggs wrote:
> On 2021-06-07 11:32, Steve Grubb wrote:
> > Hello,
> > 
> > While patching up the event normalizer, I ran across these events which
> > really have no useful information:
> > 
> > type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
> > 
> > type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948
> 
> Fedora?  "-a task,never"?

Nope. It is event #4. Does this even need to be sent? A TIME_INJOFFSET with 
no supporting info is not helpful.


> I assume ghak120 should be present in what you are using by now (v5.11)?

5.12.8

> 	https://github.com/linux-audit/audit-kernel/issues/120
> 	"BUG: accompanying records missing for requried records when no rules
> present"

There is no syscall anywhere near this:

type=SERVICE_STOP msg=audit(06/06/2021 08:44:53.922:973) : pid=1 uid=root 
auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=systemd-
hostnamed comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? 
terminal=? res=success' 
----
type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:974) : table=nat 
family=bridge entries=0 op=xt_unregister pid=5833 
subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3 
----
type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:975) : table=broute 
family=bridge entries=0 op=xt_unregister pid=5833 
subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3 
----
type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter 
family=bridge entries=0 op=xt_unregister pid=5833 
subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3 

> > type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter
> > family=bridge entries=0 op=xt_unregister pid=5833
> > subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3

> This is as complete as this event is going to get. It is a kernel
> event, reaping an unused table after a timeout.  See
> 	https://github.com/linux-audit/audit-kernel/issues/25

 auid=-1 ses=-1  was it successful?

Was the BPF event successful? Is there the equivalent of a task struct for BPF 
programs that tells anything about who it belonged to?

-Steve

> > Either their syscall record is missing or they simply do not have all the
> > necessary information. (Subject, action, object, results)
> > 
> > -Steve
> 
> - RGB
> 
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635




--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
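The four things Steve says a normalizer needs from a record (subject, action, object, results) can be turned into a mechanical completeness check over an audit log. What follows is an added example, not code from this thread or from the audit project. The sample records are constructed to mirror the record types quoted above (both the raw `msg=audit(epoch:serial)` form and the `ausearch -i` interpreted form with `auid=unset`), and `OBJECT_FIELDS` and `SELF_DESCRIBING_TYPES` are my own assumptions about which fields name an event's object and which record types carry their action in the type name rather than in `op=`.

```python
import re

# Constructed sample records modelled on the record types discussed in the
# thread; the values are illustrative, not copied from a real system.
SAMPLE_RECORDS = [
    "type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD",
    "type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948",
    # ausearch -i interpreted form: human-readable timestamp, auid/ses as "unset"
    "type=SERVICE_STOP msg=audit(06/06/2021 08:44:53.922:973) : pid=1 uid=root "
    "auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed "
    "comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'",
    "type=NETFILTER_CFG msg=audit(1622983493.947:976): table=filter family=bridge "
    "entries=0 op=xt_unregister pid=5833 subj=system_u:system_r:kernel_t:s0 comm=\"kworker/u16:3\"",
    # a record that does carry all four dimensions, for contrast
    "type=USER_LOGIN msg=audit(1622983500.000:980): pid=900 uid=0 auid=1000 ses=3 "
    "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? addr=? terminal=ssh res=success'",
]

# type=... msg=audit(<timestamp>:<serial>) : <key=value fields>
HEADER_RE = re.compile(r"^type=(\S+)\s+msg=audit\(([^)]*):(\d+)\)\s*:\s*(.*)$")
# key=value, where value may be single-quoted (nested msg payload), double-quoted, or bare
FIELD_RE = re.compile(r"([\w-]+)=('[^']*'|\"[^\"]*\"|\S*)")

# auid/ses values that mean "no login session" in raw and interpreted output.
UNSET_VALUES = {None, "", "unset", "-1", "4294967295"}

# Assumed (constructed) maps: fields that name the object of an event, and
# record types whose action is the type itself rather than an op= field.
OBJECT_FIELDS = ("unit", "table", "prog-id", "name", "path", "id", "key")
SELF_DESCRIBING_TYPES = {"SERVICE_START", "SERVICE_STOP", "USER_LOGIN", "USER_LOGOUT"}


def parse_record(line):
    """Split one audit record into (type, serial, fields).

    Fields inside a quoted msg='...' payload are flattened into the same
    dict; quotes around values are removed.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, _timestamp, serial, body = m.groups()
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if key == "msg" and value.startswith("'"):
            for ikey, ivalue in FIELD_RE.findall(value[1:-1]):
                fields.setdefault(ikey, ivalue.strip('"'))
        else:
            fields.setdefault(key, value.strip('"'))
    return rtype, int(serial), fields


def missing_dimensions(rtype, fields):
    """Return which of subject, action, object, result the record lacks.

    Subject is taken to be the login identity (auid or ses); a record that
    only carries a SELinux subj= label and a pid is still counted as
    lacking a subject, which matches the complaint in the thread.
    """
    missing = []
    if fields.get("auid") in UNSET_VALUES and fields.get("ses") in UNSET_VALUES:
        missing.append("subject")
    if "op" not in fields and rtype not in SELF_DESCRIBING_TYPES:
        missing.append("action")
    if not any(f in fields for f in OBJECT_FIELDS):
        missing.append("object")
    if "res" not in fields and "success" not in fields:
        missing.append("result")
    return missing


def audit_unhelpful_events(lines):
    """Map (type, serial) -> missing dimensions for every incomplete record.

    Records that carry all four dimensions are left out of the report.
    """
    report = {}
    for line in lines:
        rtype, serial, fields = parse_record(line)
        missing = missing_dimensions(rtype, fields)
        if missing:
            report[(rtype, serial)] = missing
    return report


if __name__ == "__main__":
    for (rtype, serial), missing in audit_unhelpful_events(SAMPLE_RECORDS).items():
        print("%-15s serial=%-6d missing: %s" % (rtype, serial, ", ".join(missing)))
```

Run against the constructed input, the TIME_INJOFFSET record is flagged on all four dimensions, BPF and NETFILTER_CFG on subject and result, SERVICE_STOP on subject only, and the USER_LOGIN record is not reported at all. Pointing the same function at `ausearch --raw` or `ausearch -i` output gives a quick inventory of which record types a normalizer cannot fully populate.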

