* Unhelpful events
From: Steve Grubb @ 2021-06-07 15:32 UTC
To: linux-audit

Hello,

While patching up the event normalizer, I ran across these events which
really have no useful information:

type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD

type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948

type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter
family=bridge entries=0 op=xt_unregister pid=5833
subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3

Either their syscall record is missing or they simply do not have all the
necessary information. (Subject, action, object, results)

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
* Re: Unhelpful events
From: Richard Guy Briggs @ 2021-06-07 17:42 UTC
To: Steve Grubb; +Cc: linux-audit

On 2021-06-07 11:32, Steve Grubb wrote:
> Hello,
>
> While patching up the event normalizer, I ran across these events which
> really have no useful information:
>
> type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
>
> type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948

Fedora? "-a task,never"?

I assume ghak120 should be present in what you are using by now (v5.11)?
https://github.com/linux-audit/audit-kernel/issues/120
"BUG: accompanying records missing for requried records when no rules present"

> type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter
> family=bridge entries=0 op=xt_unregister pid=5833
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3

This is as complete as this event is going to get. It is a kernel
event, reaping an unused table after a timeout. See
https://github.com/linux-audit/audit-kernel/issues/25

> Either their syscall record is missing or they simply do not have all the
> necessary information. (Subject, action, object, results)
>
> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: Unhelpful events
From: Steve Grubb @ 2021-06-07 18:38 UTC
To: Richard Guy Briggs; +Cc: linux-audit

On Monday, June 7, 2021 1:42:49 PM EDT Richard Guy Briggs wrote:
> On 2021-06-07 11:32, Steve Grubb wrote:
> > Hello,
> >
> > While patching up the event normalizer, I ran across these events which
> > really have no useful information:
> >
> > type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
> >
> > type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948
>
> Fedora? "-a task,never"?

Nope. It is event #4. Does this even need to be sent? A TIME_INJOFFSET with
no supporting info is not helpful.

> I assume ghak120 should be present in what you are using by now (v5.11)?

5.12.8

> https://github.com/linux-audit/audit-kernel/issues/120
> "BUG: accompanying records missing for requried records when no rules
> present"

There is no syscall anywhere near this:

type=SERVICE_STOP msg=audit(06/06/2021 08:44:53.922:973) : pid=1 uid=root
auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed
comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=?
res=success'
----
type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:974) : table=nat
family=bridge entries=0 op=xt_unregister pid=5833
subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
----
type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:975) : table=broute
family=bridge entries=0 op=xt_unregister pid=5833
subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
----
type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter
family=bridge entries=0 op=xt_unregister pid=5833
subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3

> > type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter
> > family=bridge entries=0 op=xt_unregister pid=5833
> > subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
>
> This is as complete as this event is going to get. It is a kernel
> event, reaping an unused table after a timeout. See
> https://github.com/linux-audit/audit-kernel/issues/25

auid=-1 ses=-1 was it successful?

Was the BPF event successful? Is there the equivalent of a task struct for BPF
programs that tells anything about who it belonged to?

-Steve

> > Either their syscall record is missing or they simply do not have all the
> > necessary information. (Subject, action, object, results)
> >
> > -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
* Re: Unhelpful events
From: Richard Guy Briggs @ 2021-06-07 19:22 UTC
To: Steve Grubb; +Cc: linux-audit

On 2021-06-07 14:38, Steve Grubb wrote:
> On Monday, June 7, 2021 1:42:49 PM EDT Richard Guy Briggs wrote:
> > On 2021-06-07 11:32, Steve Grubb wrote:
> > > Hello,
> > >
> > > While patching up the event normalizer, I ran across these events which
> > > really have no useful information:
> > >
> > > type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
> > >
> > > type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948
> >
> > Fedora? "-a task,never"?
>
> Nope. It is event #4. Does this even need to be sent? A TIME_INJOFFSET with
> no supporting info is not helpful.

I'm guessing that matching op=LOAD was done by systemd/init PID=1.

> > I assume ghak120 should be present in what you are using by now (v5.11)?
>
> 5.12.8

Ok, that rules out that possibility.

> > https://github.com/linux-audit/audit-kernel/issues/120
> > "BUG: accompanying records missing for requried records when no rules
> > present"
>
> There is no syscall anywhere near this:
>
> type=SERVICE_STOP msg=audit(06/06/2021 08:44:53.922:973) : pid=1 uid=root
> auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed
> comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=?
> res=success'
> ----
> type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:974) : table=nat
> family=bridge entries=0 op=xt_unregister pid=5833
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
> ----
> type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:975) : table=broute
> family=bridge entries=0 op=xt_unregister pid=5833
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
> ----
> type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter
> family=bridge entries=0 op=xt_unregister pid=5833
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3

These three would have been preceded by an op=xt_register event that may
not have been logged up to 30 seconds earlier.

> > > type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter
> > > family=bridge entries=0 op=xt_unregister pid=5833
> > > subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
> >
> > This is as complete as this event is going to get. It is a kernel
> > event, reaping an unused table after a timeout. See
> > https://github.com/linux-audit/audit-kernel/issues/25
>
> auid=-1 ses=-1 was it successful?

Sounds like it needs a "success" field that will be a duplicate of the same
field when a SYSCALL record is present.

I have also seen a NETFILTER_CFG op=xt_register (event#5) that was
systemd/init PID=1 or a hard-linked kernel module (rather than loadable
initiated by userspace) that was kernel-initiated.

> Was the BPF event successful? Is there the equivalent of a task struct for BPF
> programs that tells anything about who it belonged to?

The BPF unload events appear to be in the same situation as the
type=NETFILTER_CFG op=xt_unregister events, kernel-initiated, matched with
an op=LOAD event by prog-id= field with full details. Perhaps it also
needs pid= subj= comm= and success= fields.

> -Steve
>
> > > Either their syscall record is missing or they simply do not have all the
> > > necessary information. (Subject, action, object, results)
> > >
> > > -Steve
> >
> > - RGB

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
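The completeness check the thread is circling around, written out as an added example that is not part of the thread, of audit-userspace or of the kernel: a small Python normalizer that parses records in both raw and `ausearch -i` form, groups them into events by timestamp and serial, reports which of subject, action, object and result each event lacks, flags the kernel-initiated ones, and borrows the subject of a BPF op=UNLOAD from the earlier op=LOAD event with the same prog-id, as Richard suggests. The SYSCALL + BPF op=LOAD pair with serial 15016, the field-to-category mapping, the list of record types whose name already states the action, and the kernel-initiated heuristic are my assumptions; the other sample lines are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample.  The first four lines are the records quoted in the thread
# (the mail-wrapped "systemd- hostnamed" rejoined); the SYSCALL + BPF op=LOAD pair
# with serial 15016 is made up here to show what a complete event looks like.
SAMPLE_LOG = """\
type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948
type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter family=bridge entries=0 op=xt_unregister pid=5833 subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
type=SERVICE_STOP msg=audit(06/06/2021 08:44:53.922:973) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'
type=SYSCALL msg=audit(1622913700.100:15016): arch=c000003e syscall=321 success=yes exit=3 pid=4242 auid=1000 uid=0 subj=unconfined_u:unconfined_r:unconfined_t:s0 comm=bpftool
type=BPF msg=audit(1622913700.100:15016): prog-id=137 op=LOAD
"""

# Header handles both raw "audit(1622913714.840:15017):" and the
# "audit(06/06/2021 08:44:53.947:976) :" form that ausearch -i prints.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[^)]*):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$")
# key=value pairs; a quoted value (e.g. msg='...') is kept whole and parsed again.
FIELD_RE = re.compile(r"""([^\s=]+)=('[^']*'|"[^"]*"|\S*)""")

# Which fields count as evidence of each of the four things the thread asks for.
# Assumption: this mapping only covers the fields that appear in the thread.
PARTS = [
    ("subject", ("auid", "uid", "pid", "subj", "comm", "exe")),
    ("action",  ("op", "syscall")),
    ("object",  ("table", "prog-id", "unit", "sec")),
    ("result",  ("success", "res")),
]
SUBJECT_KEYS = PARTS[0][1]
# Record types whose name already states the action (assumption, not a kernel list).
SELF_DESCRIBING_TYPES = {"SERVICE_START", "SERVICE_STOP", "TIME_INJOFFSET"}


def parse_record(line):
    """Return {'type', 'ts', 'serial', 'fields'} for one record, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}

    def absorb(text):
        for key, val in FIELD_RE.findall(text):
            if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
                absorb(val[1:-1])          # nested msg='unit=... res=success'
            else:
                fields[key] = val
    absorb(m.group("body"))
    return {"type": m.group("type"), "ts": m.group("ts"),
            "serial": int(m.group("serial")), "fields": fields}


def missing_parts(types, fields):
    """Names of the subject/action/object/result parts an event does not carry."""
    missing = []
    for name, keys in PARTS:
        present = any(k in fields for k in keys)
        if name == "action" and SELF_DESCRIBING_TYPES & set(types):
            present = True
        if not present:
            missing.append(name)
    return missing


def audit_completeness(log_text):
    """Group records into events by (timestamp, serial) and grade each one.

    Returns {serial: {'types', 'missing', 'kernel_initiated', 'inferred_subject'}}.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[(rec["ts"], rec["serial"])].append(rec)

    load_subjects = {}          # prog-id -> subject fields of its op=LOAD event
    report = {}
    for key in sorted(events, key=lambda k: k[1]):
        recs = events[key]
        fields = {}
        for rec in recs:
            fields.update(rec["fields"])
        types = [rec["type"] for rec in recs]
        entry = {
            "types": types,
            "missing": missing_parts(types, fields),
            # Heuristic: no pid, or a kernel_t subject, means nobody in userspace did it.
            "kernel_initiated": "pid" not in fields or fields.get("subj", "").endswith("kernel_t:s0"),
            "inferred_subject": None,
        }
        if "BPF" in types:
            if fields.get("op") == "LOAD":
                load_subjects[fields.get("prog-id")] = {k: fields[k] for k in SUBJECT_KEYS if k in fields}
            elif fields.get("op") == "UNLOAD" and fields.get("prog-id") in load_subjects:
                entry["inferred_subject"] = load_subjects[fields["prog-id"]]
        report[key[1]] = entry
    return report


if __name__ == "__main__":
    for serial, entry in audit_completeness(SAMPLE_LOG).items():
        print(serial, entry["types"], "missing:", entry["missing"] or "nothing",
              "kernel:", entry["kernel_initiated"], "inferred:", entry["inferred_subject"])
```

Run against the sample, the BPF op=UNLOAD and TIME_INJOFFSET events come back missing both subject and result, the NETFILTER_CFG op=xt_unregister event is missing only a result, and the UNLOAD event picks up `comm=bpftool` from the constructed LOAD event with the same prog-id; the SERVICE_STOP record and the SYSCALL-backed event grade as complete. The prog-id correlation only works while the LOAD event is still in the window being processed, which is the same limitation Richard's "up to 30 seconds earlier" remark describes for xt_register.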