linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

Q: can't add rules using '-a task,always -S fork' #134

Closed DeepseaXX closed 2 years ago

DeepseaXX commented 2 years ago

I'm trying to add a rule to audit the 'fork' syscall. I read the docs and tried to write it like: sudo auditctl -a task,always -F arch=b64 -S fork -F uid=1000 And it showed: Error: syscall auditing being added to task list

I know that '-a task' is for the fork and clone syscalls, but I cannot find any example that actually uses it. Maybe I don't need to write '-F uid=1000', or maybe I missed something important. Roughly speaking, I tried a lot of things but I can't add a proper rule.

I am using 'Linux ubuntu 5.11.0-40-generic #44~20.04.2-Ubuntu SMP Tue Oct 26 18:07:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux'

rgbriggs commented 2 years ago

On 2021-12-01 14:13, DeepseaXX wrote:

I'm trying to add a rule to audit the 'fork' syscall. I read the docs and tried to write it like: sudo auditctl -a task,always -F arch=b64 -S fork -F uid=1000 And it showed: Error: syscall auditing being added to task list

Syscalls are not valid on the task list. You may want the exit list. The task list can only match against subject credentials or task pid and is only applied at the time of fork or clone to determine if that task will be audited.

DeepseaXX commented 2 years ago

I have tried sudo auditctl -a always,exit -F arch=b64 -S fork When I add this rule, no error shows, but also no log remains when I check with sudo aureport -s -i --summary I cannot figure out any way to audit the fork syscall. If there is any way to approach this, I would greatly appreciate it...

pcmoore commented 2 years ago

Most modern Linux distros have a libc which uses the clone(2) or clone3(2) syscalls as a substitute for fork(2). You should be able to verify this with the "strace" command.
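As an added example (not code from the audit project or from anyone in this thread): a minimal ptrace-based tracer, in the spirit of the strace check suggested above, that reports which syscall the libc fork() wrapper actually issues on the machine it runs on, and then prints the exit-list rule that covers the whole fork family. It reads registers only on x86_64; on other architectures, or where ptrace is not permitted (containers and sandboxes often deny it), it returns a negative code instead of guessing. The -F uid=1000 filter and the "fork" key are taken from the original question; the rule itself is only valid on the exit list, as explained above.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Is nr one of the syscalls a libc fork() wrapper may resolve to?
 * fork/vfork/clone3 are guarded because some architectures or older
 * headers do not define them (e.g. arm64 has no fork syscall at all). */
int is_fork_family(long nr)
{
#ifdef SYS_fork
    if (nr == SYS_fork) return 1;
#endif
#ifdef SYS_vfork
    if (nr == SYS_vfork) return 1;
#endif
#ifdef SYS_clone3
    if (nr == SYS_clone3) return 1;
#endif
    return nr == SYS_clone;
}

/* Name as it is spelled in an auditctl -S list. */
const char *fork_syscall_name(long nr)
{
#ifdef SYS_fork
    if (nr == SYS_fork) return "fork";
#endif
#ifdef SYS_vfork
    if (nr == SYS_vfork) return "vfork";
#endif
#ifdef SYS_clone3
    if (nr == SYS_clone3) return "clone3";
#endif
    return nr == SYS_clone ? "clone" : "?";
}

/* Trace one child through a call to fork() and return the syscall number it
 * used. Returns -1 if ptrace is unavailable, -2 on architectures this example
 * does not know how to read registers for. */
long observed_fork_syscall(void)
{
#ifndef __x86_64__
    return -2;
#else
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        /* Tracee: ask to be traced, stop so the parent can switch on syscall
         * tracing, then make the call under observation. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(99);
        raise(SIGSTOP);
        pid_t gc = fork();
        if (gc == 0) _exit(0);
        if (gc > 0) waitpid(gc, NULL, 0);
        _exit(0);
    }
    int status;
    if (waitpid(child, &status, 0) < 0) return -1;
    if (!WIFSTOPPED(status)) return -1;      /* PTRACE_TRACEME was refused */
    /* Mark syscall-stops with SIGTRAP|0x80 and kill the tracee if we die. */
    ptrace(PTRACE_SETOPTIONS, child, NULL,
           (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL));
    long found = -1;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, NULL) < 0) break;
        if (waitpid(child, &status, 0) < 0) break;
        if (!WIFSTOPPED(status)) break;                       /* tracee exited */
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;   /* plain signal, e.g. SIGCHLD */
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, child, NULL, &regs) < 0) continue;
        long nr = (long)regs.orig_rax;        /* syscall number at entry and exit stops */
        if (found < 0 && is_fork_family(nr)) found = nr;
    }
    return found;
#endif
}

int main(void)
{
    long nr = observed_fork_syscall();
    if (nr == -1) { puts("ptrace unavailable here; try: strace -f -e trace=process ./a.out"); return 1; }
    if (nr == -2) { puts("this example only reads registers on x86_64"); return 1; }
    printf("libc fork() issued %s (syscall %ld)\n", fork_syscall_name(nr), nr);
    printf("rule: auditctl -a always,exit -F arch=b64 -S fork,vfork,clone");
#ifdef SYS_clone3
    printf(",clone3");
#endif
    puts(" -F uid=1000 -k fork");
    return 0;
}
```

Listing all four names in the rule is deliberate: which one a given libc picks depends on its version and on glibc/musl, and a rule that names only fork never fires on a libc that issues clone.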

hillu commented 2 years ago

auditctl -a always,exit -F arch=b64 -S fork,vfork,clone works, but it seems to only log the exit taken in the parent, not in the child. Shouldn't there be another entry for the child where at least ppid, pid, and exit have different values?

pcmoore commented 2 years ago

Hi @hillu,

This is a different issue from what was reported originally; in the future it's best to create a new issue in such cases, especially when the original issue is closed.

What you are describing is the expected behavior as only the parent process executes the fork(), clone(), etc. syscall. If the child also executed a fork() then every call to fork() would result in an uncontrolled fork bomb :)
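Since the clone record is logged in the parent's context only, the new child's pid shows up nowhere but in the exit= field of that single record. As an added example (not code from the audit project or from anyone in this thread), here is a small parser that turns SYSCALL records for the fork family into parent->child edges, which is what an analyst needs to reconstruct a process tree from audit logs. The sample records are constructed for the example, not captured output, and the syscall numbers (56 clone, 57 fork, 58 vfork, 435 clone3) and arch value c000003e are the x86_64 ones, so the parser rejects records from other architectures rather than misnumbering them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample records (not real auditd output) as a rule like
 * "-a always,exit -F arch=b64 -S fork,vfork,clone,clone3 -k fork" would
 * produce: each fork-family call yields one SYSCALL record with pid= set to
 * the parent and exit= set to the new child's pid. The third record is a
 * failed fork() (EAGAIN) and must be ignored. */
static const char *SAMPLE_RECORDS[] = {
    "type=SYSCALL msg=audit(1638369000.101:201): arch=c000003e syscall=56 success=yes exit=4312 a0=1200011 a1=0 a2=0 a3=7f0c12345a10 items=0 ppid=4000 pid=4100 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm=\"bash\" exe=\"/usr/bin/bash\" key=\"fork\"",
    "type=SYSCALL msg=audit(1638369000.105:202): arch=c000003e syscall=56 success=yes exit=4313 a0=1200011 a1=0 a2=0 a3=7f4e0a9b2a10 items=0 ppid=4100 pid=4312 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm=\"sh\" exe=\"/usr/bin/dash\" key=\"fork\"",
    "type=SYSCALL msg=audit(1638369000.110:203): arch=c000003e syscall=57 success=no exit=-11 a0=0 a1=0 a2=0 a3=0 items=0 ppid=4000 pid=4100 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm=\"bash\" exe=\"/usr/bin/bash\" key=\"fork\"",
};
#define N_SAMPLE (sizeof SAMPLE_RECORDS / sizeof SAMPLE_RECORDS[0])

/* Copy the value of "<key>=" from one audit record into out (quotes, if any,
 * are kept). Keys are matched with a leading space so that "pid=" does not
 * match inside "ppid=". Returns 1 on success, 0 if the key is absent. */
int audit_field(const char *rec, const char *key, char *out, size_t outlen)
{
    char pat[64];
    size_t klen = strlen(key);
    if (klen + 3 > sizeof pat || outlen == 0) return 0;
    snprintf(pat, sizeof pat, " %s=", key);
    const char *p = strstr(rec, pat);
    if (p) p += klen + 2;
    else if (strncmp(rec, pat + 1, klen + 1) == 0) p = rec + klen + 1; /* first field, no leading space */
    else return 0;
    size_t n = strcspn(p, " ");
    if (n >= outlen) n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

struct fork_event { long parent; long child; long nr; };

/* Interpret one record. Returns 1 and fills ev only for a successful
 * x86_64 fork/vfork/clone/clone3; everything else is skipped. */
int parse_fork_record(const char *rec, struct fork_event *ev)
{
    char v[64];
    if (!audit_field(rec, "arch", v, sizeof v) || strcmp(v, "c000003e") != 0) return 0;
    if (!audit_field(rec, "syscall", v, sizeof v)) return 0;
    long nr = strtol(v, NULL, 10);
    if (nr != 56 && nr != 57 && nr != 58 && nr != 435) return 0;
    if (!audit_field(rec, "success", v, sizeof v) || strcmp(v, "yes") != 0) return 0;
    if (!audit_field(rec, "pid", v, sizeof v)) return 0;
    ev->parent = strtol(v, NULL, 10);       /* the caller of clone() */
    if (!audit_field(rec, "exit", v, sizeof v)) return 0;
    ev->child = strtol(v, NULL, 10);        /* clone()'s return value: the new pid */
    ev->nr = nr;
    return 1;
}

/* Collect parent->child edges from a batch of records; returns how many. */
size_t collect_fork_edges(const char **recs, size_t n, struct fork_event *out, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < max; i++)
        if (parse_fork_record(recs[i], &out[count])) count++;
    return count;
}

int main(void)
{
    struct fork_event ev[16];
    size_t n = collect_fork_edges(SAMPLE_RECORDS, N_SAMPLE, ev, 16);
    for (size_t i = 0; i < n; i++)
        printf("pid %ld spawned pid %ld via syscall %ld\n", ev[i].parent, ev[i].child, ev[i].nr);
    return 0;
}
```

The second record shows why there is no separate "child" record to look for: the child (4312) first appears as an exit= value, and only later as the pid= of its own clone() call. Chaining the two edges gives 4100 -> 4312 -> 4313.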

hillu commented 2 years ago

I must have misunderstood the discussion so far. Sorry for the noise.