Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auid always unset in event outputs, not showing the actual login user Id #2076

Open
ycaoT opened this issue Feb 8, 2024 · 5 comments
Open

auid always unset in event outputs, not showing the actual login user Id #2076

ycaoT opened this issue Feb 8, 2024 · 5 comments
Labels
kind/bug Something isn't working

Comments

@ycaoT
Copy link

ycaoT commented Feb 8, 2024
edited

What happened?

It's interesting that after I found the issue, I did a search 4294967295 in this repo, I found many results in the event outputs. Looks like I don't even need to provide more proofs. JK 馃槃

Back to the issue, auid should be supposed to my login/real user Id. Somehow it's always 4294967295. uid is my current user Id, as I switched to root, this is correct. auid should be my user's Id, so I know the action is actually done by who.
uid=1002(ycao) gid=1003(ycao) groups=1003(ycao)

{
	"process_exec": {
		"process": {
			"exec_id": "Ojg3MTQ5NTY3NTg0OTkzOjExMzQzMTU=",
			"pid": 1134315,
			"uid": 0,
			"cwd": "/",
			"binary": "/bin/cat",
			"arguments": "/etc/shadow",
			"flags": "execve rootcwd clone",
			"start_time": "2023-12-13T21:27:45.849484339Z",
			"auid": 4294967295,
			"docker": "4cdb2f230e5ba4cb183c170888b686c",
			"parent_exec_id": "Ojg3MDAxOTM1MTg1NzQ4OjExMzIzODU=",
			"tid": 1134315
		},
		"parent": {
			"exec_id": "Ojg3MDAxOTM1MTg1NzQ4OjExMzIzODU=",
			"pid": 1132385,
			"uid": 0,
			"cwd": "/",
			"binary": "/bin/bash",
			"flags": "execve rootcwd clone",
			"start_time": "2023-12-13T21:25:18.217084929Z",
			"auid": 4294967295,
			"docker": "4cdb2f230e5ba4cb183c170888b686c",
			"parent_exec_id": "Ojg3MDAxODQwOTA0ODgzOjExMzIzNzE=",
			"tid": 1132385
		}
	},
	"time": "2023-12-13T21:27:45.849483813Z"
}

Tetragon Version

Latest

Kernel Version

6.1.72-96.166.amzn2023.x86_64, on Amazon Linux 2023 hosts

Kubernetes Version

No response

Bugtool

No response

Relevant log output

No response

Anything else?

No response
@ycaoT ycaoT added the kind/bug Something isn't working label Feb 8, 2024
@ycaoT ycaoT changed the title auid always set to 4294967295 in event outputs, not the actual login user Id auid always set to 4294967295 in event outputs, not the actual login user Id Feb 8, 2024
@ycaoT
Copy link
Author

ycaoT commented Feb 8, 2024
edited

According to here https://www.reddit.com/r/redhat/s/OyQGjPd4PF, that means the auid is unset if it's 4294967295. So the real problem is that why auid is unset?

@mtardy
Copy link
Member

mtardy commented Feb 9, 2024

According to here https://www.reddit.com/r/redhat/s/OyQGjPd4PF, that means the auid is unset if it's 4294967295. So the real problem is that why auid is unset?

yes indeed, usually you initialize the ids to something not zero otherwise in the case they are not correctly set, you end up assuming root which might have security implications. As an illustration, see this kind of issue in Microsoft omi.

Now why this thing is unset should be indeed investigated to understand, thanks for the report!

@tixxdz
Copy link
Member

tixxdz commented Feb 9, 2024

Back to the issue, auid should be supposed to my login/real user Id. Somehow it's always 4294967295. uid is my current user Id, as I switched to root, this is correct. auid should be my user's Id, so I know the action is actually done by who.

If it is 4294967295, then that's what the kernel returns, and we just print it, if there was a bug in Tetragon then we may return garbage data and not specific value that indicates loginuid (auid) is not set.

Some reading first: https://linux.die.net/man/8/pam_loginuid . The loginuid is to track user sessions, and it is set from user space, so you should check your workload, how did you spawn this session and see why the loginduid is not set?

Then the fix is have in the software that spawned this session in the first place is either to use pam_loginuid or audit_setloginuid() helpers to set it correctly before spawning anything, where it will be inherited by the session. An alternative way is that software could write directly to /proc/self/loginuid the uid assuming it has CAP_AUDIT_CONTROL.

Hope this helps

@ycaoT ycaoT changed the title auid always set to 4294967295 in event outputs, not the actual login user Id auid always unset in event outputs, not showing the actual login user Id Feb 13, 2024
@ycaoT
Copy link
Author

ycaoT commented Feb 13, 2024

Hey @tixxdz, thanks for sharing!

Quick question, does the auid ever work for you? Was it able to correctly show the real login users in some cases?

@tixxdz
Copy link
Member

tixxdz commented Feb 14, 2024

Hey @tixxdz, thanks for sharing!

Quick question, does the auid ever work for you? Was it able to correctly show the real login users in some cases?

Yes it works, when running Tetragon in k8s, docker or standalone just login into the machine through ssh or normal login then inspect the tetragon events. Or to simply test it as root inside the session with the CAP_AUDIT_CONTROL capability enabled

# echo -n "99999" > /proc/self/loginuid
# id
uid=0(root) gid=0(root) groups=0(root)

Will produce:

{
  "process_exec": {
    "process": {
      "exec_id": "OjgyMTAxNDUyNzQzNTozMTQ0NQ==",
      "pid": 31445,
      "uid": 0,
      "cwd": "/root",
      "binary": "/usr/bin/id",
      "flags": "execve clone",
      "start_time": "2024-02-14T07:15:32.466738422Z",
      "auid": 99999,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tixxdz @mtardy @ycaoT