Recently discovered somebody has been trying to brute-force my SSH connection and I'm going through logs to make sure they didn't get in when I happened upon these messages in dmesg:
[65568.491789] type=1326 audit(1381259495.420:9): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=4482 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7fcca98b6587 code=0x0
[69421.334897] type=1326 audit(1381263354.610:10): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=6253 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f4d89193587 code=0x0
[73174.784418] type=1326 audit(1381267114.241:11): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8028 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f48f8850587 code=0x0
[77020.887650] type=1326 audit(1381270966.683:12): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=9805 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7fdf304c4587 code=0x0
[80960.751299] type=1326 audit(1381274913.034:13): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=11562 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f03a3cdc587 code=0x0
[84992.955805] type=1326 audit(1381278951.883:14): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=14218 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7fe2e3485587 code=0x0
[89008.503973] type=1326 audit(1381282974.046:15): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=15971 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7fb0b6f32587 code=0x0
[93067.505209] type=1326 audit(1381287039.735:16): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=17750 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f7841c48587 code=0x0
[97184.570729] type=1326 audit(1381291163.584:17): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=19578 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f3b25351587 code=0x0
[101367.291860] type=1326 audit(1381295353.195:18): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=22250 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f36e9218587 code=0x0
[105719.371965] type=1326 audit(1381299712.442:19): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=29498 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f4001568587 code=0x0
[110117.124913] type=1326 audit(1381304117.435:20): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=6708 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f6ae6af4587 code=0x0
I have searched the internet and these forums and find nothing that really decodes them.
I am using the stock Arch kernel, so I don't have SELinux enabled/configured.
Looks like a sig=31 could be SIGPWR, but I am just guessing.
Can anybody point me at some documentation for what this logging represents? I haven't seen it before in dmesg.
Last edited by darkfoon (2013-10-10 02:17:16)
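An added example, not from anyone in this thread: a small Python decoder for these kernel audit records that parses the type=NNNN audit(EPOCH:SERIAL) header and the key=value fields, then reads type 1326 as AUDIT_SECCOMP (the kernel killed a process for making a syscall its seccomp filter forbids; on x86_64 sig=31 is SIGSYS and syscall=48 is shutdown(2), and uid 99 is Arch's nobody account, which sshd's pre-authentication child runs as) and type 1006 as AUDIT_LOGIN, the form zatricky posts further down. The syscall table is an assumed one-entry subset of the x86_64 table, and the sample lines are copied from this thread.

```python
import re

# Kernel audit record as printed by dmesg/journal: type=NNNN audit(EPOCH.MSEC:SERIAL): key=value ...
_HDR = re.compile(r'type=(\d+) audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# Values are bare tokens or double-quoted strings (comm="sshd"); keys may contain a space ("old auid").
_KV = re.compile(r'([A-Za-z_][\w ]*?)=("(?:[^"\\]|\\.)*"|\S+)')

AUDIT_TYPES = {1006: "AUDIT_LOGIN", 1326: "AUDIT_SECCOMP"}  # numbers from linux/audit.h
LINUX_SIGNALS = {9: "SIGKILL", 31: "SIGSYS"}                 # Linux x86_64 signal numbers
X86_64_SYSCALLS = {48: "shutdown"}                           # assumed subset of the x86_64 table
UNSET = 4294967295  # (unsigned)-1: auid/ses never set for this process

def parse_audit_record(line):
    """Parse one kernel audit line into typed fields; return None if it is not an audit record."""
    m = _HDR.search(line)
    if not m:
        return None
    rec = {"type": int(m.group(1)), "type_name": AUDIT_TYPES.get(int(m.group(1)), "UNKNOWN"),
           "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in _KV.findall(m.group(4)):
        val = val.strip('"')
        try:
            rec[key.strip()] = int(val, 0)  # base 0 accepts both 99 and 0x7fcca98b6587
        except ValueError:
            rec[key.strip()] = val
    return rec

def describe(rec):
    """Render a parsed record as the one-line reading a responder actually wants."""
    if rec["type"] == 1326:
        sc, compat = rec.get("syscall"), rec.get("compat")
        sc_name = X86_64_SYSCALLS.get(sc, f"syscall #{sc}") if compat == 0 else f"compat syscall #{sc}"
        sig = LINUX_SIGNALS.get(rec.get("sig"), f"signal {rec.get('sig')}")
        # code is the seccomp action; 0x0 is SECCOMP_RET_KILL: the kernel killed the task before the call ran.
        action = ("killed by its seccomp filter (SECCOMP_RET_KILL)" if rec.get("code") == 0
                  else f"seccomp action 0x{rec.get('code', 0):x}")
        return f'{rec["comm"]}[{rec["pid"]}] (uid {rec["uid"]}) called {sc_name}: {action}, {sig}'
    if rec["type"] == 1006:
        u = lambda v: "unset" if v == UNSET else str(v)
        return (f'pid {rec["pid"]}: login uid {u(rec["old auid"])} -> {u(rec["new auid"])}, '
                f'session {u(rec["old ses"])} -> {u(rec["new ses"])}, res={rec["res"]}')
    return f'{rec["type_name"]} record {rec["serial"]}'

# Sample input copied from this thread: one type=1326 line and one of zatricky's type=1006 lines.
SAMPLE = [
    '[65568.491789] type=1326 audit(1381259495.420:9): auid=4294967295 uid=99 gid=99 ses=4294967295 '
    'pid=4482 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7fcca98b6587 code=0x0',
    '[65571.821927] type=1006 audit(1394673781.958:5459): pid=16744 uid=0 old auid=4294967295 '
    'new auid=1000 old ses=4294967295 new ses=5458 res=1',
]
```

Feed it `dmesg` or `journalctl -k` output line by line; lines that are not audit records come back as None, so it can run over the whole kernel log.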
Hmm. Do you have audit installed? I do for some reason but I'm not at all sure why.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
I just checked and I do not have audit installed.
I have seen those types of messages only once in my logs -- today.
I invited someone who was having trouble with ssh to try and hit my machine. That is when I saw the messages:
Oct 09 06:53:29 odin sshd[20395]: Connection closed by 198.147.192.8 [preauth]
Oct 09 06:53:40 odin sshd[20403]: Bad packet length 3324753699. [preauth]
Oct 09 06:53:40 odin sshd[20403]: Disconnecting: Packet corrupt [preauth]
Oct 09 06:53:40 odin kernel: type=1326 audit(1381326820.095:3): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=20404 comm="sshd" sig=31 syscal
Oct 09 06:54:59 odin sshd[20459]: Bad packet length 987170566. [preauth]
Oct 09 06:54:59 odin kernel: type=1326 audit(1381326899.097:4): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=20460 comm="sshd" sig=31 syscal
Oct 09 06:54:59 odin sshd[20459]: Disconnecting: Packet corrupt [preauth]
I do know they did not get in. Again, I invited them.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Thanks ewaller!
Well, I'm glad it's not indicative of something more serious.
I wish I had a better understanding of what specifically is generating these log events, however.
Hi,
I have the same 'problem'.
[89279.561787] type=1326 audit(1382481139.759:2): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8886 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7fc1e4c84587 code=0x0
[89285.115850] type=1326 audit(1382481145.316:3): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8888 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7ffddbf6f587 code=0x0
[89294.490409] type=1326 audit(1382481154.690:4): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8890 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7ff3f33ac587 code=0x0
[89298.793109] type=1326 audit(1382481158.993:5): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8892 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7ff685d42587 code=0x0
[89302.807800] type=1326 audit(1382481163.006:6): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8894 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f0787d01587 code=0x0
[89312.063190] type=1326 audit(1382481172.263:7): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8896 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7ffd72f18587 code=0x0
[89316.333679] type=1326 audit(1382481176.533:8): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8898 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f707ee92587 code=0x0
[89320.389351] type=1326 audit(1382481180.590:9): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8900 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f0b0c8df587 code=0x0
[89324.564958] type=1326 audit(1382481184.763:10): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8902 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f226fa2e587 code=0x0
[89328.748346] type=1326 audit(1382481188.946:11): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8904 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f2267420587 code=0x0
[89332.991790] type=1326 audit(1382481193.189:12): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8906 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f2669d06587 code=0x0
[89338.073702] type=1326 audit(1382481198.273:13): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8908 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7fc1ac95c587 code=0x0
[89343.648782] type=1326 audit(1382481203.846:14): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8910 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f961d40d587 code=0x0
[89350.742487] type=1326 audit(1382481210.943:15): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8912 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f63e3587587 code=0x0
[89355.792138] type=1326 audit(1382481215.990:16): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8914 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f8c47c81587 code=0x0
[89365.423980] type=1326 audit(1382481225.623:17): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8916 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f9efc48d587 code=0x0
[89373.562125] type=1326 audit(1382481233.760:18): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8918 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7ff33df46587 code=0x0
[89398.861744] type=1326 audit(1382481259.059:19): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8920 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f85b23ef587 code=0x0
[89424.111396] type=1326 audit(1382481284.310:20): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8922 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f1af2a7d587 code=0x0
[89440.326414] type=1326 audit(1382481300.526:21): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=8924 comm="sshd" sig=31 syscall=48 compat=0 ip=0x7f0982a5f587 code=0x0
Have these messages in the journal on my VPS too. Can some Arch dev elaborate on what's going on here?
I'm also experiencing this as well. Subscribed for more info in the future, hopefully.
I am not sure about these messages, but you guys should be checking auth.log for any successful logins.
The audit messages are related to reworking of the audit subsystem in linux 3.13 (and possibly 3.12.9). They certainly don't indicate a breakin.
I don't know how to disable them currently (OTOH, more information can't hurt). The only downside is that there are frequent disk writes which can wear SSDs. So, here is a modification to syslog-ng.conf to make syslog put these messages to memory:
# Sink for the kernel audit records: a file under /tmp (tmpfs), so they never hit the disk.
destination d_audit { file("/tmp/log/kernel-audit.log"); };
# Kernel audit records carry "type=NNNN audit(...)" and a uid= field; require all three.
filter f_audit { match("type=" value("MESSAGE")) and match("audit" value("MESSAGE")) and match("uid=" value("MESSAGE")); };
# Edit the existing f_kernel (it already excludes f_iptables) so audit records stay out of the on-disk kernel log too.
filter f_kernel { facility(kern) and not filter(f_iptables) and not filter(f_audit); };
log { source(src); filter(f_audit); destination(d_audit); };
Of course, this assumes that /tmp/log exists before syslog-ng starts. Those using only journald... are out of luck
Last edited by Leonid.I (2014-02-17 20:16:30)
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Leonid.I,
Thanks for the info. I guess the good side is that this entry does not appear very much, at least in my case.
I have journald set to only use memory for Storage. Maybe because of this, running "dmesg | head" already shows these audit entries from a few hours ago - long after I originally booted up. :-/ Due to that I'd prefer disabling these notices completely.
I'm thinking of pushing everything in cron over to systemd directly - see https://wiki.archlinux.org/index.php/Sy … ctionality - but maybe that will still have the same problem?
$ dmesg | grep audit\( | wc -l
3568
$ dmesg | grep -v audit\( | wc -l
334
$ dmesg | grep audit\( | head
[65571.821927] type=1006 audit(1394673781.958:5459): pid=16744 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5458 res=1
[65571.822492] type=1006 audit(1394673781.958:5460): pid=16745 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5459 res=1
[65571.828819] type=1006 audit(1394673781.965:5461): pid=16747 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=5460 res=1
[65571.832318] type=1006 audit(1394673781.968:5462): pid=16746 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=5461 res=1
[65630.883286] type=1006 audit(1394673841.019:5463): pid=17546 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=5462 res=1
[65630.884204] type=1006 audit(1394673841.022:5464): pid=17548 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=5463 res=1
[65630.885852] type=1006 audit(1394673841.022:5465): pid=17544 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5464 res=1
[65630.889561] type=1006 audit(1394673841.025:5466): pid=17545 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5465 res=1
[65630.893416] type=1006 audit(1394673841.029:5467): pid=17547 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=5466 res=1
[65690.972812] type=1006 audit(1394673901.109:5468): pid=18297 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5467 res=1
edit: added info
Last edited by zatricky (2014-03-13 13:43:24)
pacman russian roulette: yes | pacman -Rcs $(pacman -Q | LANG=C sort -R | head -n $((RANDOM % 10)))
(yes, I know it's broken)