ausearch / policy question
by LC Bruzenak
OK - now that my logs are classified correctly, I ran the following
ausearch command:
ausearch -ts recent -i -m AVC -c ausearch
And get these:
type=PATH msg=audit(07/23/2008 17:18:44.292:1620) : item=0
name=/etc/audit/auditd.conf inode=21112 dev=fd:00 mode=file,640
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:auditd_etc_t:s15:c0.c1023
type=CWD msg=audit(07/23/2008 17:18:44.292:1620) : cwd=/var/log/audit
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1620) : arch=x86_64
syscall=open success=yes exit=3 a0=40f9d3 a1=20000 a2=c9c140
a3=3e2bf67a70 items=1 ppid=3451 pid=4033 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
ses=1 comm=ausearch exe=/sbin/ausearch
subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(07/23/2008 17:18:44.292:1620) : avc: denied
{ read } for pid=4033 comm=ausearch name=auditd.conf dev=dm-0 ino=21112
scontext=root:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
----
type=PATH msg=audit(07/23/2008 17:18:44.292:1622) : item=0
name=/var/log/audit/audit.log inode=24698 dev=fd:00 mode=file,600
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:auditd_log_t:s15:c0.c1023
type=CWD msg=audit(07/23/2008 17:18:44.292:1622) : cwd=/var/log/audit
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1622) : arch=x86_64
syscall=open success=yes exit=4 a0=7fff89bcdefb a1=0 a2=3e2bf67a60
a3=3e2bf67a58 items=1 ppid=3451 pid=4033 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
ses=1 comm=ausearch exe=/sbin/ausearch
subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc: denied
{ read } for pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698
scontext=root:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
[root@hugo audit]# ausearch -ts recent -i -m AVC -c ausearch
----
type=PATH msg=audit(07/23/2008 17:18:44.292:1620) : item=0
name=/etc/audit/auditd.conf inode=21112 dev=fd:00 mode=file,640
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:auditd_etc_t:s15:c0.c1023
type=CWD msg=audit(07/23/2008 17:18:44.292:1620) : cwd=/var/log/audit
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1620) : arch=x86_64
syscall=open success=yes exit=3 a0=40f9d3 a1=20000 a2=c9c140
a3=3e2bf67a70 items=1 ppid=3451 pid=4033 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
ses=1 comm=ausearch exe=/sbin/ausearch
subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(07/23/2008 17:18:44.292:1620) : avc: denied
{ read } for pid=4033 comm=ausearch name=auditd.conf dev=dm-0 ino=21112
scontext=root:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
----
type=PATH msg=audit(07/23/2008 17:18:44.292:1622) : item=0
name=/var/log/audit/audit.log inode=24698 dev=fd:00 mode=file,600
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:auditd_log_t:s15:c0.c1023
type=CWD msg=audit(07/23/2008 17:18:44.292:1622) : cwd=/var/log/audit
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1622) : arch=x86_64
syscall=open success=yes exit=4 a0=7fff89bcdefb a1=0 a2=3e2bf67a60
a3=3e2bf67a58 items=1 ppid=3451 pid=4033 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
ses=1 comm=ausearch exe=/sbin/ausearch
subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc: denied
{ read } for pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698
scontext=root:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
I've got:
audit-1.7.4-1
selinux-policy-mls-3.3.1-77.fc9.noarch
So my questions are:
1: duplicate records above - expected or correct since there were two
matches - the AVC and also the command?
2: why is ausearch producing the AVCs?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
audit log question
by LC Bruzenak
Using MLS permissive policy selinux-policy-mls-3.3.1-77.fc9.noarch.
I'm looking at some AVCs generated when I do an ausearch as root.
I thought it was because the root context was set at SystemLow.
I looked at the logs and all are set at SystemHigh except the last 4
(current audit.log + audit.log.[1-3]).
[root@hugo sbin]# ls -al /var/log/audit/audit.log.[1-6]
-r-------- 1 root root 5243230 2008-07-23 15:34 /var/log/audit/audit.log.1
-r-------- 1 root root 5242915 2008-07-22 12:36 /var/log/audit/audit.log.2
-r-------- 1 root root 5242932 2008-07-22 12:36 /var/log/audit/audit.log.3
-r-------- 1 root root 5243017 2008-06-27 12:33 /var/log/audit/audit.log.4
-r-------- 1 root root 5242977 2008-06-27 12:16 /var/log/audit/audit.log.5
-r-------- 1 root root 5242921 2008-06-27 11:52 /var/log/audit/audit.log.6
[root@hugo sbin]# ls -alZ /var/log/audit/audit.log.[1-6]
-r-------- root root root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.1
-r-------- root root root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.2
-r-------- root root root:object_r:auditd_log_t:SystemLow /var/log/audit/audit.log.3
-r-------- root root system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.4
-r-------- root root system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.5
-r-------- root root system_u:object_r:auditd_log_t:SystemHigh /var/log/audit/audit.log.6
Is this correct (and if so, why)?
Maybe I did something...
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
the problem of option '-a', '-A', '-d' and '-D'
by Yu Zhiguo
Hello steve,
Now the options '-a', '-A', '-d' and '-D' can be used simultaneously in a rule,
but only the last one of them takes effect.
This usage will confuse users, for example:
# auditctl -a entry,always -F uid=500 -A task,always -F uid=600 -a exit,always
is equal to:
# auditctl -a exit,always -F uid=500 -F uid=600
I think we'd better not allow these options to be used simultaneously;
otherwise an error message will be reported.
What's your opinion? If you agree with me, I'll make a patch.
--
Regards
Yu Zhiguo
--------------------------------------------------
Yu Zhiguo
Development Dept.I
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
8/F., Civil Defense Building, No.189 Guangzhou Road,
Nanjing, 210029, China
TEL: +86+25-86630566-836
COINS: 79955-836
FAX: +86+25-83317685
MAIL: yuzg(a)cn.fujitsu.com
--------------------------------------------------
[PATCH] fix a bug where the output of "aureport -au" is imperfect
by Peng Haitao
Hello Steve,
When executing the command "aureport -au", the output is imperfect.
For example:
[root@RHEL5 ~]# aureport -au
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 07/22/2008 09:24:39 acct="aulltest rhel5.2ga ssh /usr/sbin/sshd yes 5208350
The reports have a column label at the top to help with interpretation of the various fields,
so 'acct="aulltest' should be modified to 'aulltest' in line 1.
Signed-off-by: Peng Haitao <penght(a)cn.fujitsu.com>
---
src/ausearch-parse.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 5fdf8c7..141fdee 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -786,7 +786,8 @@ static int parse_user(const lnode *n, search_items *s)
term++;
saved = *term;
*term = 0;
- s->acct = strdup(str);
+ ptr++;
+ s->acct = strdup(ptr);
*term = saved;
} else {
/* Handle legacy accts */
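Review bot: `ptr++` at the top of the hunk mutates the pointer in place rather than computing an offset, so if `ptr` is also consumed after this branch (the next hunk copies from `ptr` without the skip) the one-character advance leaks into that code; `s->acct = strdup(ptr + 1);` expresses the same skip of the opening `"` without the side effect. The hunk also does not show where `ptr` is set; a one-line comment stating that it points at the quote following `acct=` would make the `+ 1` self-explanatory.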
@@ -802,11 +803,11 @@ static int parse_user(const lnode *n, search_items *s)
}
term = end;
if (!legacy)
- s->acct = unescape(str);
+ s->acct = unescape(ptr);
else {
saved = *term;
*term = 0;
- s->acct = strdup(str);
+ s->acct = strdup(ptr);
*term = saved;
}
}
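Review bot: both branches now copy from `ptr` instead of `str`, but nothing in the visible context establishes that `ptr` points at the start of the account value for the unquoted (legacy) form; if `ptr` was positioned only for the quoted form handled in the previous hunk, the legacy branch copies from the wrong offset. Either include the line that sets `ptr` in the hunk context or add a comment above `if (!legacy)` stating the invariant it relies on.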
--
Regards
Peng Haitao
file watch result help
by LC Bruzenak
Looking for help/advice:
I had a new file (/usr/lib/AuditProxy) I installed via RPM with
CAP_AUDIT_WRITE assigned.
I noticed after a couple of days it was removed.
So I added a file watch and waited.
The file got changed, this was audited, however I cannot really nail down
who/how it got changed as of yet...hopefully someone can either
enlighten me on this or else give me a clue on how to install a better
watch rule.
I used:
-w /usr/libexec/AuditProxy -k PROXY
and now that the CAP has been removed I see the following activity (with
"ausearch -i -k PROXY"):
type=PATH msg=audit(07/18/2008 04:12:24.677:60925) : item=0
name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.677:60925) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.677:60925) : arch=x86_64
syscall=open success=yes exit=4 a0=2626330 a1=0 a2=0 a3=100 items=1
ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
comm=prelink exe=/usr/sbin/prelink
subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.678:60926) : item=0
name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.678:60926) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.678:60926) : arch=x86_64
syscall=open success=yes exit=3 a0=3e2ba1dc68 a1=0 a2=0 a3=7fff332a1f8b
items=1 ppid=29228 pid=29354 auid=root uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
comm=ld-linux-x86-64 exe=/lib64/ld-2.8.so
subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.811:60927) : item=0
name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.811:60927) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.811:60927) : arch=x86_64
syscall=open success=yes exit=3 a0=2520b90 a1=0 a2=70dc80 a3=24e3880
items=1 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
comm=prelink exe=/usr/sbin/prelink
subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.811:60928) : item=0
name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.811:60928) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.811:60928) : arch=x86_64
syscall=open success=yes exit=4 a0=3e2ba1dc68 a1=0 a2=0 a3=7fffb5a95f70
items=1 ppid=29228 pid=29358 auid=root uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
comm=ld-linux-x86-64 exe=/lib64/ld-2.8.so
subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.820:60929) : item=0
name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.820:60929) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.820:60929) : arch=x86_64
syscall=getxattr success=yes exit=27 a0=7fff2d0c1070 a1=4d97e6
a2=26351d0 a3=ff items=1 ppid=29219 pid=29228 auid=root uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink
subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=4
name=/usr/libexec/AuditProxy inode=61043 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=3
name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=2
name=/usr/libexec/AuditProxy.#prelink#.BJ0RCF inode=61043 dev=fd:00
mode=file,755 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=1
name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=0
name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.821:60932) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.821:60932) : arch=x86_64
syscall=rename success=yes exit=0 a0=7fff2d0c1030 a1=7fff2d0c1070 a2=31
a3=1b items=5 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
comm=prelink exe=/usr/sbin/prelink
subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
So the file is getting moved to a temp file and then back (is
prelink doing this?), with the result being that the CAP is erased.
Not certain what is doing this in my system.
Any clues or instructions on how to narrow the search?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
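As an added example (not code from any of the posts above or from the audit project), here is a small Python pass over ausearch -i output that addresses two of these threads: it groups records by event serial, flags a serial that was printed more than once and lists each AVC denial with its source and target contexts (the first post's two questions), and for rename events under a watch key reports a path whose inode changed, which is what the PATH records in this file-watch post show when prelink replaces /usr/libexec/AuditProxy. The sample records are constructed from the posts' own output, shortened to one line per record.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two posts: event 1620 printed twice, then prelink's rename.
AVC_EVENT = """\
type=PATH msg=audit(07/23/2008 17:18:44.292:1620) : item=0 name=/etc/audit/auditd.conf inode=21112 mode=file,640 obj=system_u:object_r:auditd_etc_t:s15:c0.c1023
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1620) : arch=x86_64 syscall=open success=yes pid=4033 comm=ausearch subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(07/23/2008 17:18:44.292:1620) : avc: denied { read } for pid=4033 comm=ausearch name=auditd.conf scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
"""
RENAME_EVENT = """\
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=4 name=/usr/libexec/AuditProxy inode=61043 mode=file,755 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=3 name=/usr/libexec/AuditProxy inode=59928 mode=file,755 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=2 name=/usr/libexec/AuditProxy.#prelink#.BJ0RCF inode=61043 mode=file,755 obj=system_u:object_r:bin_t:s0
type=SYSCALL msg=audit(07/18/2008 04:12:24.821:60932) : arch=x86_64 syscall=rename success=yes pid=29228 comm=prelink exe=/usr/sbin/prelink key=PROXY
"""
SAMPLE = AVC_EVENT + "----\n" + AVC_EVENT + "----\n" + RENAME_EVENT

REC = re.compile(r"type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)")  # type, timestamp, serial, body
KV = re.compile(r"(\w+)=(\S+)")                                     # key=value pairs in the body

def parse_records(text):
    """Group ausearch -i lines by event serial; count SYSCALL records per serial (one per real event)."""
    events, syscall_count = defaultdict(list), defaultdict(int)
    for m in filter(None, map(REC.match, text.splitlines())):  # "----" separators do not match
        rtype, _stamp, serial, body = m.groups()
        fields = dict(KV.findall(body), type=rtype)
        events[serial].append(fields)
        syscall_count[serial] += int(rtype == "SYSCALL")
    return events, syscall_count

def duplicate_serials(syscall_count):
    """Serials whose event was printed more than once (question 1 of the first post)."""
    return sorted(s for s, n in syscall_count.items() if n > 1)

def avc_denials(events):
    """(serial, scontext, tcontext, tclass) for every AVC record, to compare the MLS ranges."""
    return [(s, r["scontext"], r["tcontext"], r["tclass"])
            for s, recs in events.items() for r in recs if r["type"] == "AVC"]

def replaced_paths(events):
    """rename events where one name carries two inodes: the watched file was replaced by a
    new inode, which does not inherit the old inode's xattrs such as file capabilities."""
    found = []
    for serial, recs in events.items():
        if any(r.get("syscall") == "rename" for r in recs):
            inodes = defaultdict(set)
            for r in (p for p in recs if p["type"] == "PATH"):
                inodes[r["name"]].add(r["inode"])
            found += [(serial, n, sorted(i)) for n, i in inodes.items() if len(i) > 1]
    return found
```

Running the three functions over real `ausearch -i -k PROXY` output instead of SAMPLE gives the same kind of report for any watched path.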
Audit not taking rules
by Bo
I have a RHEL 4 install (update 5).
aureport seems to be working, as does /var/log/audit/audit.log;
however, auditd does not take any of my watch rules.
[root@master ~]# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Error sending watch insert request (Invalid argument)
There was an error in line 26 of /etc/audit.rules
When I do auditctl -l,
[root@master ~]# auditctl -l
No rules
File system watches not supported
Can anyone point me to a solution?
audit version 1.0.15
kernel 2.6.22.5
here is my audit.rules
## Remove any existing rules
-D
## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panic's
-b 1024
## Set failure mode to panic
-f 2
-w /boot -p wa
There is a bug on parsing file path in auditd-config.c and audispd-pconfig.c
by wangf
Hi Steve,
There is a bug in the functions dispatch_parser() and path_parser().
When we use dir = dirname(tdir), if tdir is not NULL, tdir and dir
point to the same address, so if we call free(tdir) before
audit_msg(LOG_ERR, "The directory name: %s is too short - line %d", dir,
line); we cannot get dir's correct value.
This patch solves this problem.
Signed-off-by: Wang Fang <wangf(a)cn.fujitsu.com>
---
diff -Nrup audit-1.7.4/audisp/audispd-pconfig.c audit-1.7.4-new/audisp/audispd-pconfig.c
--- audit-1.7.4/audisp/audispd-pconfig.c 2007-09-02 23:24:15.000000000 +0800
+++ audit-1.7.4-new/audisp/audispd-pconfig.c 2008-06-21 18:33:14.000000000 +0800
@@ -379,10 +379,10 @@ static int path_parser(struct nv_pair *n
if (tdir)
dir = dirname(tdir);
if (dir == NULL || strlen(dir) < 4) { // '/var' is shortest dirname
- free(tdir);
audit_msg(LOG_ERR,
"The directory name: %s is too short - line %d",
dir, line);
+ free(tdir);
return 1;
}
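Review bot: moving `free(tdir)` below the `audit_msg` call is the right fix for the use-after-free, since `dirname()` returns a pointer into the buffer that `tdir` owns. The other half of the condition is still unsafe: when `tdir` is NULL, `dir` stays NULL and `audit_msg` is handed a NULL for the `%s` conversion, which is undefined behaviour; pass `dir ? dir : "(null)"` or emit a separate message for the NULL case.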
diff -Nrup audit-1.7.4/src/auditd-config.c audit-1.7.4-new/src/auditd-config.c
--- audit-1.7.4/src/auditd-config.c 2008-05-09 22:44:38.000000000 +0800
+++ audit-1.7.4-new/src/auditd-config.c 2008-06-21 18:39:58.000000000 +0800
@@ -592,10 +592,10 @@ static int dispatch_parser(struct nv_pai
if (tdir)
dir = dirname(tdir);
if (dir == NULL || strlen(dir) < 4) { // '/var' is shortest dirname
- free(tdir);
audit_msg(LOG_ERR,
"The directory name: %s is too short - line %d",
dir, line);
+ free(tdir);
return 1;
}
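Review bot: same fix and same remaining issue as in audispd-pconfig.c: `dir` can be NULL on this path and is still passed to `%s`. The two parsers carry an identical copy of this check, so a shared helper that validates the directory and logs the error once would keep the next correction from having to be applied in two places.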
--
Best Regards,
Wang Fang