
ausearch has stopped interpreting TTY data (between 3.1.2 and 3.1.5) #417

Open

kkantonop opened this issue Dec 5, 2024 · 4 comments

@kkantonop

Hello, I'm facing an issue which I believe is related to ausearch.

Generally I have PAM_TTY audit logging enabled and I'm using ausearch to convert the raw / hex TTY data into a more human readable format.

In a server deployed some time ago, I have ausearch version 3.1.2 and the output is human readable.

# ausearch -m TTY --format interpret
...
----
type=PROCTITLE msg=audit(12/05/2024 15:31:28.039:140477) : proctitle=bash
type=SOCKADDR msg=audit(12/05/2024 15:31:28.039:140477) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(12/05/2024 15:31:28.039:140477) : arch=x86_64 syscall=sendto success=yes exit=20 a0=0x3 a1=0x7ffdd12a89e0 a2=0x14 a3=0x0 items=0 ppid=469764 pid=469766 auid=my_user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=160 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=TTY msg=audit(12/05/2024 15:31:28.039:140477) : tty pid=469766 uid=root auid=my_user ses=160 major=136 minor=1 comm=bash data="type something",<ret>
----
type=PROCTITLE msg=audit(12/05/2024 15:31:40.267:140481) : proctitle=bash
type=SOCKADDR msg=audit(12/05/2024 15:31:40.267:140481) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(12/05/2024 15:31:40.267:140481) : arch=x86_64 syscall=sendto success=yes exit=52 a0=0x3 a1=0x7ffdd12a89e0 a2=0x34 a3=0x0 items=0 ppid=469764 pid=469766 auid=my_user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=160 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=TTY msg=audit(12/05/2024 15:31:40.267:140481) : tty pid=469766 uid=root auid=my_user ses=160 major=136 minor=1 comm=bash data="ausearch -m TTY --format interpret",<ret>
# ausearch --version
ausearch version 3.1.2
#

In a newly deployed server, where I have version 3.1.5, the TTY data is not interpreted.

# ausearch -m TTY --format interpret
...
----
type=PROCTITLE msg=audit(12/05/2024 15:35:01.946:1675) : proctitle=bash
type=SOCKADDR msg=audit(12/05/2024 15:35:01.946:1675) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(12/05/2024 15:35:01.946:1675) : arch=x86_64 syscall=sendto success=yes exit=20 a0=0x3 a1=0x7ffc1c85e5c0 a2=0x14 a3=0x0 items=0 ppid=17552 pid=17554 auid=my_user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=TTY msg=audit(12/05/2024 15:35:01.946:1675) : tty pid=17554 uid=root auid=my_user ses=1 major=136 minor=1 comm=bash data=7479706520736F6D657468696E670D
----
type=PROCTITLE msg=audit(12/05/2024 15:35:17.805:1680) : proctitle=bash
type=SOCKADDR msg=audit(12/05/2024 15:35:17.805:1680) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(12/05/2024 15:35:17.805:1680) : arch=x86_64 syscall=sendto success=yes exit=52 a0=0x3 a1=0x7ffc1c85e5c0 a2=0x34 a3=0x0 items=0 ppid=17552 pid=17554 auid=my_user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=TTY msg=audit(12/05/2024 15:35:17.805:1680) : tty pid=17554 uid=root auid=my_user ses=1 major=136 minor=1 comm=bash data=6175736561726368202D6D20545459202D2D666F726D617420696E74747F6572707265740D
# ausearch --version
ausearch version 3.1.5
#

I tried looking at the changes between 3.1.2 and 3.1.5 (link), but I couldn't find anything obvious.
I'm wondering if this could be related to commit 381b07b.

I also searched for new flags that I need to pass to ausearch but didn't find anything.

Could you please read the above and share your input?

Is this intended behaviour and if so, have I missed any options or flags for ausearch?
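The `data=` field in the 3.1.5 output above is the raw keystroke bytes of the TTY record in hex. The following is an added example, not code from the audit project or from anyone in this thread, showing how to turn that hex field into the `"text",<ret>` rendering that the 3.1.2 output shows, so a log reviewer can still see what was typed while the ausearch interpretation is broken. The key mnemonics (`<ret>`, `<del>`, `<^C>`, ...) are assumed to approximate ausearch's and are not taken from its source; the two sample records are the TTY lines from this issue, and the function and variable names are my own.

```python
import re

# Assumed mnemonics for control bytes, chosen to resemble ausearch's
# interpreted TTY output; this table is not taken from the audit sources.
CONTROL_NAMES = {
    0x08: "<backspace>",
    0x09: "<tab>",
    0x0A: "<nl>",
    0x0D: "<ret>",
    0x1B: "<esc>",
    0x7F: "<del>",
}

# Matches an uninterpreted (hex-encoded) data= field; an already
# interpreted field such as data="text" does not match because of the quote.
TTY_DATA_RE = re.compile(r"\bdata=([0-9A-Fa-f]+)\b")


def decode_tty_data(hex_data: str) -> str:
    """Render hex TTY bytes as comma-separated quoted text runs and key names.

    Printable ASCII is grouped into "..." runs; every other byte becomes a
    <name> token, e.g. b"ls\r" -> '"ls",<ret>'.
    """
    raw = bytes.fromhex(hex_data)  # raises ValueError on odd length / non-hex
    tokens = []
    text = []

    def flush():
        if text:
            tokens.append('"' + "".join(text) + '"')
            text.clear()

    for b in raw:
        if 0x20 <= b < 0x7F:          # printable ASCII, including space
            text.append(chr(b))
        else:
            flush()
            if b in CONTROL_NAMES:
                tokens.append(CONTROL_NAMES[b])
            elif b < 0x20:            # other C0 control: show as <^X>
                tokens.append("<^%c>" % (b + 0x40))
            else:                     # bytes >= 0x80: show raw hex
                tokens.append("<0x%02X>" % b)
    flush()
    return ",".join(tokens)


def interpret_tty_record(line: str) -> str:
    """Replace a hex data= field in one audit record line with its rendering.

    Lines without a hex data= field, or with a malformed one, are returned
    unchanged so a batch run never loses a record.
    """
    m = TTY_DATA_RE.search(line)
    if not m:
        return line
    try:
        rendered = decode_tty_data(m.group(1))
    except ValueError:
        return line
    return line[: m.start()] + "data=" + rendered + line[m.end():]


# The two uninterpreted TTY records quoted in this issue (3.1.5 output).
SAMPLE_RECORDS = [
    "type=TTY msg=audit(12/05/2024 15:35:01.946:1675) : tty pid=17554 uid=root "
    "auid=my_user ses=1 major=136 minor=1 comm=bash data=7479706520736F6D657468696E670D",
    "type=TTY msg=audit(12/05/2024 15:35:17.805:1680) : tty pid=17554 uid=root "
    "auid=my_user ses=1 major=136 minor=1 comm=bash "
    "data=6175736561726368202D6D20545459202D2D666F726D617420696E74747F6572707265740D",
]


def interpret_all(lines):
    """Interpret every record in an iterable of audit log lines."""
    return [interpret_tty_record(l) for l in lines]


if __name__ == "__main__":
    for out in interpret_all(SAMPLE_RECORDS):
        print(out)
```

Run against the second record, the rendering also exposes what the plain hex hides: the operator typed `intt`, pressed Delete, then finished `erpret`, which is exactly the kind of detail a reviewer of TTY audit data relies on. The regex deliberately requires the whole `data=` token to be hex so that already interpreted records from 3.1.2 pass through untouched.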

@stevegrubb (Contributor)

The commit mentioned above is scoped to AUDIT_TRUSTED_APP type of records. I'll look at this a little more soon. I can't think of any changes that could affect it.

@kkantonop (Author)

Thanks a lot @stevegrubb. I have to admit I'm not familiar with the code base; I saw the commit and was wondering if the additional check for the AUPARSE_TYPE_UNCLASSIFIED type could be related.
Please don't let me mislead you.

@Cropi (Contributor) commented Dec 9, 2024

I did a git bisect with a simple interpretation test. It started in dbef8d1. You might want to check out the proposed fix for #418

@kkantonop (Author)

Hello @Cropi! Thanks a lot for looking into this and providing a fix so quickly!

Is there a release process document that I could read?
I'm interested to understand when we expect this change to be part of the next release.
