* Unhelpful events
From: Steve Grubb @ 2021-06-07 15:32 UTC
  To: linux-audit

Hello,

While patching up the event normalizer, I ran across these events which 
really have no useful information:

type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD

type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948

type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter 
family=bridge entries=0 op=xt_unregister pid=5833 
subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3

Either their syscall record is missing or they simply do not have all the 
necessary information. (Subject, action, object, results)

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit



* Re: Unhelpful events
From: Richard Guy Briggs @ 2021-06-07 17:42 UTC
  To: Steve Grubb; +Cc: linux-audit

On 2021-06-07 11:32, Steve Grubb wrote:
> Hello,
> 
> While patching up the event normalizer, I ran across these events which 
> really have no useful information:
> 
> type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
> 
> type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948

Fedora?  "-a task,never"?

I assume ghak120 should be present in what you are using by now (v5.11)?
	https://github.com/linux-audit/audit-kernel/issues/120
	"BUG: accompanying records missing for required records when no rules present"

> type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter 
> family=bridge entries=0 op=xt_unregister pid=5833 
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3

This is as complete as this event is going to get.  It is a kernel
event, reaping an unused table after a timeout.  See
	https://github.com/linux-audit/audit-kernel/issues/25

> Either their syscall record is missing or they simply do not have all the 
> necessary information. (Subject, action, object, results)
> 
> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635




* Re: Unhelpful events
From: Steve Grubb @ 2021-06-07 18:38 UTC
  To: Richard Guy Briggs; +Cc: linux-audit

On Monday, June 7, 2021 1:42:49 PM EDT Richard Guy Briggs wrote:
> On 2021-06-07 11:32, Steve Grubb wrote:
> > Hello,
> > 
> > While patching up the event normalizer, I ran across these events which
> > really have no useful information:
> > 
> > type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
> > 
> > type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948
> 
> Fedora?  "-a task,never"?

Nope. It is event #4. Does this even need to be sent? A TIME_INJOFFSET with 
no supporting info is not helpful.


> I assume ghak120 should be present in what you are using by now (v5.11)?

5.12.8

> 	https://github.com/linux-audit/audit-kernel/issues/120
> 	"BUG: accompanying records missing for required records when no rules
> present"

There is no syscall anywhere near this:

type=SERVICE_STOP msg=audit(06/06/2021 08:44:53.922:973) : pid=1 uid=root 
auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=systemd-
hostnamed comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? 
terminal=? res=success' 
----
type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:974) : table=nat 
family=bridge entries=0 op=xt_unregister pid=5833 
subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3 
----
type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:975) : table=broute 
family=bridge entries=0 op=xt_unregister pid=5833 
subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3 
----
type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter 
family=bridge entries=0 op=xt_unregister pid=5833 
subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3 

> > type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter
> > family=bridge entries=0 op=xt_unregister pid=5833
> > subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3

> This is as complete as this event is going to get. It is a kernel
> event, reaping an unused table after a timeout.  See
> 	https://github.com/linux-audit/audit-kernel/issues/25

auid=-1 ses=-1; was it successful?

Was the BPF event successful? Is there the equivalent of a task struct for BPF 
programs that tells anything about who it belonged to?

-Steve

> > Either their syscall record is missing or they simply do not have all the
> > necessary information. (Subject, action, object, results)
> > 
> > -Steve
> 
> - RGB
> 
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635







* Re: Unhelpful events
From: Richard Guy Briggs @ 2021-06-07 19:22 UTC
  To: Steve Grubb; +Cc: linux-audit

On 2021-06-07 14:38, Steve Grubb wrote:
> On Monday, June 7, 2021 1:42:49 PM EDT Richard Guy Briggs wrote:
> > On 2021-06-07 11:32, Steve Grubb wrote:
> > > Hello,
> > > 
> > > While patching up the event normalizer, I ran across these events which
> > > really have no useful information:
> > > 
> > > type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
> > > 
> > > type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948
> > 
> > Fedora?  "-a task,never"?
> 
> Nope. It is event #4. Does this even need to be sent? A TIME_INJOFFSET with 
> no supporting info is not helpful.

I'm guessing that matching op=LOAD was done by systemd/init PID=1.

> > I assume ghak120 should be present in what you are using by now (v5.11)?
> 
> 5.12.8

Ok, that rules out that possibility.

> > 	https://github.com/linux-audit/audit-kernel/issues/120
> > 	"BUG: accompanying records missing for required records when no rules
> > present"
> 
> There is no syscall anywhere near this:
> 
> type=SERVICE_STOP msg=audit(06/06/2021 08:44:53.922:973) : pid=1 uid=root 
> auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=systemd-
> hostnamed comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? 
> terminal=? res=success' 
> ----
> type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:974) : table=nat 
> family=bridge entries=0 op=xt_unregister pid=5833 
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3 
> ----
> type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:975) : table=broute 
> family=bridge entries=0 op=xt_unregister pid=5833 
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3 
> ----
> type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter 
> family=bridge entries=0 op=xt_unregister pid=5833 
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3 

These three would have been preceded by an op=xt_register event that
may not have been logged up to 30 seconds earlier.

> > > type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter
> > > family=bridge entries=0 op=xt_unregister pid=5833
> > > subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
> 
> > This is as complete as this event is going to get. It is a kernel
> > event, reaping an unused table after a timeout.  See
> > 	https://github.com/linux-audit/audit-kernel/issues/25
> 
> auid=-1 ses=-1; was it successful?

Sounds like it needs a "success" field that will be a duplicate of the
same field when a SYSCALL record is present.

I have also seen a NETFILTER_CFG op=xt_register (event#5) that was
systemd/init PID=1 or a hard-linked kernel module (rather than loadable
initiated by userspace) that was kernel-initiated.

> Was the BPF event successful? Is there the equivalent of a task struct for BPF 
> programs that tells anything about who it belonged to?

The BPF unload events appear to be in the same situation as the
type=NETFILTER_CFG op=xt_unregister events, kernel-initiated, matched
with an op=LOAD event by prog-id= field with full details.  Perhaps it
also needs pid= subj= comm= and success= fields.

> -Steve
> 
> > > Either their syscall record is missing or they simply do not have all the
> > > necessary information. (Subject, action, object, results)
> > > 
> > > -Steve
> > 
> > - RGB

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
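One way an event normalizer can recover a subject for these bare release records, following Richard's point that op=UNLOAD pairs with the earlier op=LOAD by prog-id and op=xt_unregister with the earlier op=xt_register by table and family. This is an added Python example, not auparse code or anything posted in the thread; the sample log is constructed, and it assumes the LOAD event carries a SYSCALL record with the usual pid/auid/comm/subj/success fields.

```python
import re
from collections import defaultdict
# Constructed sample, not the thread's log: a BPF LOAD event carrying its SYSCALL
# record, an xt_register done by PID 1, then bare release records like the quoted ones.
SAMPLE = """\
type=SYSCALL msg=audit(1622913700.100:15001): arch=c000003e syscall=321 success=yes exit=5 pid=1 auid=4294967295 uid=0 comm="systemd" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0
type=BPF msg=audit(1622913700.100:15001): prog-id=137 op=LOAD
type=NETFILTER_CFG msg=audit(1622913690.000:5): table=filter family=bridge entries=0 op=xt_register pid=1 subj=system_u:system_r:init_t:s0 comm=systemd
type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
type=NETFILTER_CFG msg=audit(1622913723.947:976): table=filter family=bridge entries=0 op=xt_unregister pid=5833 subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
type=NETFILTER_CFG msg=audit(1622913723.947:977): table=nat family=bridge entries=0 op=xt_unregister pid=5833 subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
"""

HDR = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')
SUBJECT = ("pid", "auid", "uid", "comm", "exe", "subj", "success")

def parse(text):
    """Group records by audit serial; first value seen for a field wins (SYSCALL first)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HDR.match(line)
        if not m:
            continue
        _rtype, ts, serial, rest = m.groups()
        ev = events[int(serial)]
        ev.update(serial=int(serial), ts=float(ts))
        for k, v in KV.findall(rest):
            ev.setdefault(k, v.strip('"'))
    return [events[s] for s in sorted(events)]

def resource_key(ev):
    """What a release record shares with its acquire: prog-id, or table plus family."""
    if "prog-id" in ev:
        return ("bpf", ev["prog-id"])
    return ("xt", ev.get("table"), ev.get("family"))

def correlate(events):
    """Attach to each UNLOAD / xt_unregister the subject of the matching LOAD /
    xt_register; origin=None flags an acquire that was never logged (the ghak25 gap)."""
    live, out = {}, []
    for ev in sorted(events, key=lambda e: (e["ts"], e["serial"])):
        op = ev.get("op")
        if op in ("LOAD", "xt_register"):
            live[resource_key(ev)] = ev
        elif op in ("UNLOAD", "xt_unregister"):
            src = live.pop(resource_key(ev), None)
            origin = {f: src[f] for f in SUBJECT if f in src} if src else None
            age = round(ev["ts"] - src["ts"], 3) if src else None
            out.append({"serial": ev["serial"], "op": op, "origin": origin, "age": age})
    return out
```

The nat-table unregister in the sample has no recorded register, so it comes back with origin=None rather than a guessed subject; the age field shows how far back the normalizer had to look, which matters given the 30-second reaping window mentioned above.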

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

