【Title description】Briefly describe the problem: the scenario, the operation performed, and the problem observed (prefer positive phrasing)
【Environment information】
Hardware information:
1) For bare-metal scenarios, provide the hardware information of the affected machine;
2) For VM scenarios, provide the VM XML file or configuration
[root@hulk-34 bin]# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
Address sizes: 46 bits physical, 48 bits virtual
CPU(s): 40
On-line CPU(s) list: 0-39
Thread(s) per core: 2
Core(s) per socket: 10
Socket(s): 2
NUMA node(s): 2
Vendor ID: GenuineIntel
CPU family: 6
Model: 85
Model name: Intel(R) Xeon(R) Silver 4114 CPU @ 2.20GHz
Stepping: 4
Software information:
1) OS version and branch
cat /etc/openEuler-release
openEuler release 20.03 (LTS-SP1)
2) Kernel information
4.19.90
3) Version information of the component in which the problem was found
If a special network setup is involved, please provide a network topology diagram
【Steps to reproduce】
Specific steps
cd /home/install/kernel_test_bin/bin/security_audit_t/testcases/bin
./auditctl-key-syscall-017.sh
Probability of occurrence (always reproducible, or intermittent)
【Expected result】
pass
【Actual result】
. conf.sh
++ CONF_PATH=/etc/audit/auditd.conf
++ RULES_PATH=/etc/audit/audit.rules
++ sed -i '/flush/c\flush = DATA' /etc/audit/auditd.conf
+++ cat /etc/audit/auditd.conf
+++ sed 's/ //g'
+++ awk -F = '$1 == "log_file" {printf $2}'
++ LOG_PATH=/var/log/audit/audit.log
++ ARCH=x86_64
++ export V2_GUESTOS_FLAG=false
++ V2_GUESTOS_FLAG=false
++ set_flag
++ echo x-
++ grep 'V2.*-GUESTOS-'
++ '[' 1 -eq 0 ']'
++ '[' xfalse == xtrue ']'
+++ find /etc -name auditd
+++ grep 'init.d'
+++ grep 'auditd$'
++ AUDITD_PATH=
++ DEFAULT_CONF=
++ DEFAULT_RULES=
++ PRE_LOG_PATH=
++ CUR_LOG_PATH=
+++ uname -m
++ '[' '!' -z x86_64 ']'
+++ uname -m
++ ARCH=x86_64
+++ echo x86_64
+++ grep arm
++ '[' '!' -z '' ']'
+++ echo
+++ grep SD5856
++ '[' '!' -z '' ']'
+++ echo
+++ grep ILP32
++ '[' '!' -z '' ']'
+++ echo
+++ grep 32BIT
++ '[' '!' -z '' ']'
+++ echo x86_64
+++ grep ppc
++ '[' '!' -z '' ']'
+++ echo x86_64
+++ grep i686
++ '[' '!' -z '' ']'
++ ARCH=b64
++ uname -m
++ grep x86
x86_64
++ '[' 0 -eq 0 ']'
++ SYS_OPEN=open
++ uname -m
++ grep arm32
++ '[' 1 -eq 0 ']'
++ uname -m
++ grep armv
++ '[' 1 -eq 0 ']'
++ uname -m
++ grep ppc
++ '[' 1 -eq 0 ']'
++ uname -m
++ grep i686
++ '[' 1 -eq 0 ']'
++ uname -m
++ grep aarch64
++ '[' 1 -eq 0 ']'
++ uname -m
++ grep armv7l
++ '[' 1 -eq 0 ']'
++ echo ''
++ echo ''
RET=0
setenv
case $# in
echo 0
0
replace_conf
'[' '!' -z ']'
return 0
'[' 0 -ne 0 ']'
replace_rules
'[' '!' -z ']'
return 0
'[' 0 -ne 0 ']'
test -z /var/log/audit/audit.log
++ grep -w '^log_file' /etc/audit/auditd.conf
++ awk -F= '{print $2}'
++ sed 's/^ +//;s/ +$//'
LOG_PATH=/var/log/audit/audit.log
'[' -e /var/log/audit/audit.log ']'
echo ''
sleep 1
return 0
'[' 0 -ne 0 ']'
do_test
auditd_on
systemctl start auditd
'[' 0 -ne 0 ']'
auditctl -D
No rules
auditctl -e 1
enabled 1
failure 1
pid 2222
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
'[' -L /etc/shadow ']'
++ ls -i /etc/shadow
++ awk '{print $1}'
INODE=18089233
auditctl -a exit,always -F arch=b64 -S open -F inode=18089233 -k sys_open_KEY
'[' 0 -ne 0 ']'
sleep 5
echo ''
cat /etc/shadow
sleep 5
cat /var/log/audit/audit.log
grep -w type=SYSCALL
grep 'syscall=[[:digit:]]'
grep -w 'key="sys_open_KEY"'
'[' 1 -ne 0 ']'
RET=1
cat /var/log/audit/audit.log
grep -w type=PATH
grep -w inode=18089233
'[' 1 -ne 0 ']'
RET=1
return 1
do_clean
echo 'Doing clean ...'
Doing clean ...
'[' -f /etc/audit/auditd.conf.bk ']'
'[' -f .bk ']'
auditctl -D
No rules
echo ''
echo '************** CURRENT LOG *************'
************** CURRENT LOG *************
echo ''
echo ''
cat /var/log/audit/audit.log
echo ''
echo ''
echo '************** END CURRENT LOG ****************'
************** END CURRENT LOG ****************
echo ''
exit 1
Result: fail
【Attachments】
e.g. system message logs / component logs, dump information, screenshots, etc.
Hey wang_keke, Welcome to openEuler Community.
All of the projects in openEuler Community are maintained by @openeuler-ci-bot.
That means the developers can comment below every pull request or issue to trigger Bot Commands.
Please follow instructions at https://gitee.com/openeuler/community/blob/master/en/sig-infrastructure/command.md to find the details.
Observed problem: the following rule was added to auditd: -a exit,always -F arch=b64 -S open -F inode=18089233 -k sys_open_KEY
18089233 is the inode number of /etc/shadow; running cat /etc/shadow does not generate the corresponding audit log record
Root-cause conclusion: tracing the cat command with strace shows that the CI environment is x86_64 and that the syscall cat uses is openat rather than open, so auditd cannot observe any call to open; the test case is not adapted to the environment
Fix strategy: modify the auditd test rule so that the syscall monitored on this architecture is changed to openat
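The following script is an added example and is not the test case from the issue or code from the openEuler project. It shows the adaptation the comment above describes in a form that generalizes beyond x86_64: a helper maps the `uname -m` value to the auditctl arch flag and to the open-family syscalls that actually exist on that architecture (x86_64 keeps the legacy open() but cat uses openat(); aarch64 has only openat()), a second helper builds the rule arguments, and a third performs the same SYSCALL/PATH checks the test case greps for. The inode and key are the ones from the issue; the audit records and the temp-file log paths are constructed sample data, not output captured from the CI machine.

```shell
#!/bin/sh
# Added example, not part of the original test case or the issue thread.
# Builds the auditd rule for the open-family syscalls a given architecture
# actually uses, and checks constructed audit records for the SYSCALL/PATH
# pair the test case greps for. Inode and key come from the issue; the log
# records below are constructed sample data.

# Map `uname -m` output to the auditctl arch flag and the syscalls to watch.
# x86_64 still has open(), but coreutils cat(1) opens files with openat();
# aarch64 never had a legacy open() syscall, so only openat() exists there.
open_syscalls_for_arch() {
    case "$1" in
        x86_64)    echo "b64 open,openat" ;;
        aarch64)   echo "b64 openat" ;;
        i686|i386) echo "b32 open,openat" ;;
        *)         return 1 ;;
    esac
}

# Print the auditctl arguments that watch INODE for every open-family
# syscall on MACHINE under audit key KEY.
# Usage: audit_open_rule <uname -m output> <inode> <key>
audit_open_rule() {
    machine=$1; inode=$2; key=$3
    spec=$(open_syscalls_for_arch "$machine") || return 1
    arch=${spec%% *}
    syscalls=${spec#* }
    printf '%s\n' "-a exit,always -F arch=$arch -S $syscalls -F inode=$inode -k $key"
}

# The same checks the test case performs: a SYSCALL record carrying the key
# and a PATH record carrying the watched inode must both be present.
# Returns 0 when both are found, 1 otherwise.
check_audit_log() {
    log=$1; inode=$2; key=$3
    grep -w 'type=SYSCALL' "$log" | grep 'syscall=[[:digit:]]' \
        | grep -q -w "key=\"$key\"" || return 1
    grep -w 'type=PATH' "$log" | grep -q -w "inode=$inode" || return 1
    return 0
}

# Constructed sample records: what auditd writes on x86_64 once openat()
# (syscall 257, arch=c000003e) is watched. The real log path is
# /var/log/audit/audit.log; a temp file stands in for it here.
HIT_LOG=$(mktemp)
cat > "$HIT_LOG" <<'EOF'
type=SYSCALL msg=audit(1600000000.101:42): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1234 a2=0 a3=0 items=1 ppid=1000 pid=1001 comm="cat" exe="/usr/bin/cat" key="sys_open_KEY"
type=CWD msg=audit(1600000000.101:42): cwd="/root"
type=PATH msg=audit(1600000000.101:42): item=0 name="/etc/shadow" inode=18089233 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF

# Constructed sample of the failing run: the rule watched open() only, so
# the only records present belong to unrelated events.
MISS_LOG=$(mktemp)
cat > "$MISS_LOG" <<'EOF'
type=SERVICE_START msg=audit(1600000000.050:41): pid=1 uid=0 msg='unit=auditd comm="systemd" res=success'
type=CONFIG_CHANGE msg=audit(1600000000.060:42): auid=0 ses=1 op=add_rule key="sys_open_KEY" list=4 res=1
EOF

# Stand-alone demo.
echo "rule for x86_64:  $(audit_open_rule x86_64 18089233 sys_open_KEY)"
echo "rule for aarch64: $(audit_open_rule aarch64 18089233 sys_open_KEY)"
check_audit_log "$HIT_LOG" 18089233 sys_open_KEY && echo "hit log: records found"
check_audit_log "$MISS_LOG" 18089233 sys_open_KEY || echo "miss log: no matching records"
```

Watching both open and openat on x86_64 (rather than only openat, as the comment proposes) keeps the rule valid for older binaries that still call open() directly; on aarch64 the open name is omitted because auditctl would reject a syscall that does not exist for that arch.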