Comment 7 for bug 1861053

Seth Arnold (seth-arnold) wrote: Re: no fatrace output in focal

Very curious. I tried again with a new kernel and no change in results:

$ cat /proc/version_signature
Ubuntu 5.4.0-12.15-generic 5.4.8
$ uname -a
Linux millbarge 5.4.0-12-generic #15-Ubuntu SMP Tue Jan 21 15:12:29 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ apt policy fatrace
fatrace:
  Installed: 0.13-2
  Candidate: 0.13-2
  Version table:
 *** 0.13-2 500
        500 http://wopr/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status

journalctl -f output while testing:

Jan 30 19:00:48 millbarge audit[1440438]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=55f754fc09f0 a1=55f754fb00a0 a2=55f754fb5a70 a3=8 items=2 ppid=22587 pid=1440438 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="sudo" exe="/usr/bin/sudo" key="execpriv"
Jan 30 19:00:48 millbarge audit: EXECVE argc=2 a0="sudo" a1="fatrace"
Jan 30 19:00:48 millbarge audit: CWD cwd="/home/sarnold"
Jan 30 19:00:48 millbarge audit: PATH item=0 name="/usr/bin/sudo" inode=51282 dev=00:1b mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Jan 30 19:00:48 millbarge audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=9834 dev=00:1b mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Jan 30 19:00:48 millbarge audit: PROCTITLE proctitle=7375646F0066617472616365
Jan 30 19:00:48 millbarge sudo[1440438]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Jan 30 19:00:49 millbarge sudo[1440438]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Jan 30 19:00:49 millbarge audit[1440438]: USER_AUTH pid=1440438 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:00:49 millbarge audit[1440438]: USER_ACCT pid=1440438 uid=1000 auid=1000 ses=1 msg='op=PAM:accounting grantors=pam_permit acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:00:49 millbarge sudo[1440438]: sarnold : TTY=pts/2 ; PWD=/home/sarnold ; USER=root ; COMMAND=/usr/sbin/fatrace
Jan 30 19:00:49 millbarge audit[1440438]: USER_CMD pid=1440438 uid=1000 auid=1000 ses=1 msg='cwd="/home/sarnold" cmd="fatrace" terminal=pts/2 res=success'
Jan 30 19:00:49 millbarge audit[1440438]: CRED_REFR pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:00:49 millbarge sudo[1440438]: pam_unix(sudo:session): session opened for user root by sarnold(uid=0)
Jan 30 19:00:49 millbarge audit[1440438]: USER_START pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:00:57 millbarge bash[1005653]: Thu, 30 Jan 2020 19:00:57 +0000 src 46 (fix: 3) currently receiving: 0,3@0 0,9@0 0,16@0 0,22@0 0,23@0 0,26@0 2,1@1 2,4@1 2,21@1 3,14@0 3,24@0 3,25@0
Jan 30 19:01:03 millbarge sudo[1440438]: pam_unix(sudo:session): session closed for user root
Jan 30 19:01:03 millbarge audit[1440438]: USER_END pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:01:03 millbarge audit[1440438]: CRED_DISP pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'

tail -F /var/log/audit/audit.log output while testing:

type=SYSCALL msg=audit(1580410848.032:15175): arch=c000003e syscall=59 success=yes exit=0 a0=55f754fc09f0 a1=55f754fb00a0 a2=55f754fb5a70 a3=8 items=2 ppid=22587 pid=1440438 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="sudo" exe="/usr/bin/sudo" key="execpriv"
type=EXECVE msg=audit(1580410848.032:15175): argc=2 a0="sudo" a1="fatrace"
type=CWD msg=audit(1580410848.032:15175): cwd="/home/sarnold"
type=PATH msg=audit(1580410848.032:15175): item=0 name="/usr/bin/sudo" inode=51282 dev=00:1b mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1580410848.032:15175): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=9834 dev=00:1b mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1580410848.032:15175): proctitle=7375646F0066617472616365
type=USER_AUTH msg=audit(1580410849.140:15176): pid=1440438 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_ACCT msg=audit(1580410849.140:15177): pid=1440438 uid=1000 auid=1000 ses=1 msg='op=PAM:accounting grantors=pam_permit acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_CMD msg=audit(1580410849.140:15178): pid=1440438 uid=1000 auid=1000 ses=1 msg='cwd="/home/sarnold" cmd="fatrace" terminal=pts/2 res=success'
type=CRED_REFR msg=audit(1580410849.140:15179): pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_START msg=audit(1580410849.140:15180): pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_END msg=audit(1580410863.888:15181): pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=CRED_DISP msg=audit(1580410863.892:15182): pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'

Thanks
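The audit records in the comment above show the one thing that did get logged during the test: a `sudo` execve that crossed a privilege boundary (uid=1000, euid=0) and was tagged key="execpriv", which is what a rule such as `-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv` produces. Below is an added example, not part of this bug report and not fatrace or auditd code, that parses raw audit.log lines like the ones shown, groups the SYSCALL, EXECVE, PATH and PROCTITLE records of one event by their `msg=audit(timestamp:serial)` id, flags execve events whose uid and euid differ, and decodes the hex-encoded PROCTITLE (`7375646F0066617472616365`) so it can be cross-checked against the EXECVE argv. The sample input is the comment's own records plus one constructed, unprivileged execve (pid 1440500, `ls`, with a hex-encoded argument) to show the filter discarding it; the `decode_audit_string`, `find_privileged_execs` and other function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the audit.log records quoted in the comment above,
# plus one made-up unprivileged execve event (serial 15190) for contrast.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1580410848.032:15175): arch=c000003e syscall=59 success=yes exit=0 a0=55f754fc09f0 a1=55f754fb00a0 a2=55f754fb5a70 a3=8 items=2 ppid=22587 pid=1440438 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="sudo" exe="/usr/bin/sudo" key="execpriv"
type=EXECVE msg=audit(1580410848.032:15175): argc=2 a0="sudo" a1="fatrace"
type=CWD msg=audit(1580410848.032:15175): cwd="/home/sarnold"
type=PATH msg=audit(1580410848.032:15175): item=0 name="/usr/bin/sudo" inode=51282 dev=00:1b mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1580410848.032:15175): proctitle=7375646F0066617472616365
type=USER_CMD msg=audit(1580410849.140:15178): pid=1440438 uid=1000 auid=1000 ses=1 msg='cwd="/home/sarnold" cmd="fatrace" terminal=pts/2 res=success'
type=SYSCALL msg=audit(1580410850.000:15190): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=22587 pid=1440500 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1580410850.000:15190): argc=2 a0="ls" a1=2D6C2061
"""

# "type=X msg=audit(ts:serial): <body>"; every record of one event shares ts:serial.
MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value pairs; a value is either a double-quoted string or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def decode_audit_string(value):
    """auditd prints strings double-quoted; when they contain spaces, quotes or
    control characters (NUL separators in proctitle) it hex-encodes them unquoted."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].encode()
    try:
        return bytes.fromhex(value)
    except ValueError:          # not hex either (e.g. "(null)"): keep as-is
        return value.encode()


def text(value):
    return decode_audit_string(value).decode("utf-8", "replace")


def decode_proctitle(value):
    """PROCTITLE is argv joined by NUL bytes; split it back into a list."""
    return [p.decode("utf-8", "replace") for p in decode_audit_string(value).split(b"\x00") if p]


def parse_record(line):
    """Return (type, (timestamp, serial), {field: raw_value}) or None."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return rtype, (ts, int(serial)), dict(FIELD_RE.findall(body))


def group_events(log_text):
    """event_id -> record type -> list of field dicts."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            rtype, event_id, fields = rec
            events[event_id][rtype].append(fields)
    return events


def execve_argv(execve_fields):
    argc = int(execve_fields.get("argc", 0))
    return [text(execve_fields.get(f"a{i}", '""')) for i in range(argc)]


def find_privileged_execs(log_text, arch="c000003e", execve_nr="59"):
    """Flag execve (syscall 59 on x86_64) events where the process changed
    identity, i.e. uid != euid, such as a setuid sudo binary being run."""
    hits = []
    for event_id, recs in sorted(group_events(log_text).items()):
        for sc in recs.get("SYSCALL", []):
            if sc.get("arch") != arch or sc.get("syscall") != execve_nr:
                continue
            if sc.get("uid") == sc.get("euid"):
                continue            # ordinary exec, no privilege transition
            execve = recs.get("EXECVE", [{}])[0]
            title = recs.get("PROCTITLE", [{}])[0].get("proctitle")
            argv = execve_argv(execve)
            proctitle = decode_proctitle(title) if title else []
            hits.append({
                "event_id": event_id,
                "pid": sc.get("pid"),
                "auid": sc.get("auid"),
                "uid": sc.get("uid"),
                "euid": sc.get("euid"),
                "exe": text(sc.get("exe", '""')),
                "key": text(sc.get("key", '""')),
                "argv": argv,
                "proctitle": proctitle,
                # a mismatch here means the process rewrote its own title after exec
                "argv_matches_title": argv == proctitle,
            })
    return hits


if __name__ == "__main__":
    for h in find_privileged_execs(SAMPLE_AUDIT_LOG):
        print(f"{h['event_id'][0]}:{h['event_id'][1]} pid={h['pid']} auid={h['auid']} "
              f"uid={h['uid']}->euid={h['euid']} exe={h['exe']} key={h['key']} "
              f"argv={h['argv']} title_ok={h['argv_matches_title']}")
```

Only the sudo event is reported; the constructed `ls` event has uid == euid and is dropped, and its hex-encoded argument decodes to `-l a`. The same grouping-by-serial is what `ausearch -i` does internally, so this is handy when you only have the raw file from a box, as in this comment, rather than a working auditd.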