View Issue Details

ID: 0000475
Project: Anolis OS 8
Category: kernel
View Status: public
Last Updated: 2021-12-14 13:08
Reporter: anolis_account
Assigned To: geliwei-ali
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Loongson
OS: Anolis OS
OS Version: Anolis OS 8.4
Summary: 0000475: [Anolis OS 8.4][loongarch64] auditctl rule added to record a system call, but nothing is written to the audit log
Description: With the auditd service running, a rule is added via auditctl to record a system call (chdir here; other system calls behave the same). After the corresponding system call is executed, the audit log is checked and contains no related record.
# uname -a
Linux localhost.localdomain 4.19.190-2.1.an8.loongarch64 #1 SMP Tue Sep 28 06:19:17 UTC 2021 loongarch64 loongarch64 loongarch64 GNU/Linux
# rpm -qa|grep audit
audit-libs-3.0-0.17.20191104git1c2f876.el8.loongarch64
python3-audit-3.0-0.17.20191104git1c2f876.el8.loongarch64
audit-3.0-0.17.20191104git1c2f876.el8.loongarch64
Steps To Reproduce:
1. Start the auditd service:
# service auditd start
# service auditd status
Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; vendor preset: d>
   Active: active (running) since Thu 2021-11-04 01:57:16 EDT; 2s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 2310 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 2306 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 2307 (auditd)
    Tasks: 2 (limit: 103012)
   Memory: 4.1M
   CGroup: /system.slice/auditd.service
           └─2307 /sbin/auditd

2. Look up the system call number; for chdir it is 49:
# grep chdir /usr/include/asm-generic/unistd.h
#define __NR_chdir 49
__SYSCALL(__NR_chdir, sys_chdir)
#define __NR_fchdir 50
__SYSCALL(__NR_fchdir, sys_fchdir)
3. Add an audit rule to record the chdir system call:
# auditctl -a always,exit -F arch=aarch64 -S 49
[root@localhost ~]# auditctl -l
-a always,exit -F arch=b64 -S chdir

4. Invoke the chdir system call:
# cd /tmp
5. Check the logs under /var/log/audit/. A chdir system call record is expected, but none appears, even after waiting for a while:
# grep -nri chdir /var/log/audit/

Note: the audit log itself does record events; after su - test1, the su records are visible:
# su - test1
[test1@localhost ~]$ exit
# grep -nri su /var/log/audit/
/var/log/audit/audit.log:12:type=CRED_DISP msg=audit(1636005561.090:13): pid=2355 uid=0 auid=0 ses=6 msg='op=PAM:setcred grantors=pam_rootok acct="test1" exe="/usr/bin/su" hostname=localhost.localdomain addr=? terminal=pts/2 res=success'UID="root" AUID="root"
Tags: No tags attached.

Activity

geliwei-ali

2021-11-16 19:05

Manager   ~0000717

image.png (79,520 bytes)

geliwei-ali

2021-11-16 19:06

Manager   ~0000718

The test steps use aarch64; when I changed it to loongarch64 I ran into a problem with the platform not being recognized, which needs further investigation.

anolis_account

2021-11-17 11:41

Reporter   ~0000734

Resolved in the latest version:
# auditctl -a always,exit -F arch=loongarch64 -S chdir
[root@localhost ~]# auditctl -l
-a always,exit -F arch=b64 -S chdir
[root@localhost ~]# cd /tmp
[root@localhost tmp]# grep -nri chdir /var/log/audit/ |tail -1
/var/log/audit/audit.log:239:type=SYSCALL msg=audit(1637120424.572:1409): arch=c0000102 syscall=49 success=yes exit=0 a0=aab1b4ddc0 a1=aab1b4e290 a2=0 a3=7f7f7f7f7f7f7f7f items=1 ppid=605001 pid=605002 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=72 comm="bash" exe="/usr/bin/bash" key=(null)ARCH=loongarch64 SYSCALL=chdir AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
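The root cause visible above is an arch mismatch: the rule was added with -F arch=aarch64 on a loongarch64 host, and auditctl -l prints it back only as arch=b64, so the mismatch is invisible in the listing. The following Python is an added example, not code from this issue or from the audit project: it decodes the arch field of a SYSCALL record (the one quoted in the comment above, embedded as a constructed sample) and checks a rule's arch filter against the host machine from uname -m; the machine-code table is an assumption limited to the three architectures relevant here.

```python
"""Decode audit SYSCALL arch values and check auditctl rule arch filters."""
import re
import shlex

# AUDIT_ARCH_* values are ELF e_machine codes OR'd with bitness/endianness
# flags from the kernel's audit.h; the low 16 bits identify the machine.
_AUDIT_ARCH_64BIT = 0x80000000
_AUDIT_ARCH_LE = 0x40000000
# Assumed table: only the machines relevant to this issue.
_EM_NAMES = {0x3E: "x86_64", 0xB7: "aarch64", 0x102: "loongarch64"}

# Constructed sample: the SYSCALL record from the resolution comment.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1637120424.572:1409): arch=c0000102 syscall=49 '
    'success=yes exit=0 a0=aab1b4ddc0 a1=aab1b4e290 a2=0 a3=7f7f7f7f7f7f7f7f '
    'items=1 ppid=605001 pid=605002 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=pts4 ses=72 comm="bash" exe="/usr/bin/bash" key=(null)'
)


def parse_record(line):
    """Split a raw audit record into a dict; quoted values are unquoted."""
    fields = {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def decode_arch(value):
    """Return (machine name, is_64bit, is_little_endian) for an arch=... hex value."""
    raw = int(value, 16)
    machine = raw & 0xFFFF
    name = _EM_NAMES.get(machine, "unknown(0x%x)" % machine)
    return name, bool(raw & _AUDIT_ARCH_64BIT), bool(raw & _AUDIT_ARCH_LE)


def rule_can_match(rule, host_machine):
    """True if the -F arch= filter of an auditctl rule can match host_machine.

    'b64'/'b32' select bitness only (this is what auditctl -l prints back), so
    a wrong name such as arch=aarch64 on a loongarch64 host is only visible in
    the rule as typed or in the rules file, never in auditctl -l output.
    """
    match = re.search(r"-F\s+arch=(\S+)", rule)
    if not match:
        return True  # no arch filter: the rule applies to the native arch
    arch = match.group(1)
    return arch in ("b64", "b32") or arch == host_machine
```

Feed rule_can_match the lines from /etc/audit/rules.d/*.rules together with the output of uname -m to catch this class of silent non-matching rule before relying on the log.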

Issue History

Date Username Field Change
2021-11-04 14:10 anolis_account New Issue
2021-11-05 10:15 jacobwang Assigned To => LoongsonHFD
2021-11-05 10:15 jacobwang Status new => assigned
2021-11-05 10:31 jacobwang Assigned To LoongsonHFD => geliwei-ali
2021-11-16 19:05 geliwei-ali Note Added: 0000717
2021-11-16 19:05 geliwei-ali File Added: image.png
2021-11-16 19:06 geliwei-ali Note Added: 0000718
2021-11-17 11:41 anolis_account Note Added: 0000734
2021-12-14 13:08 geliwei-ali Status assigned => resolved
2021-12-14 13:08 geliwei-ali Resolution open => fixed