2:34 p.m.
ALCON,
We have a Centos machine running Centos 6 and it uses mysql. When a
standard user operates the system, our /var/log/messages gets filled up
with around 2gb of audit data rather quickly. Here is the audit.
Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
exe="/usr/libexec/mysqld" key=(null)
I have tried the following:
-a exit,never -F path=/usr/libexec/mysqld
When using "-F" I noticed in one RHEL forum someone used -F exe=
However in CENTOS exe is not a recognized field when using -F
We do not wish to audit this data, can someone please help me exclude the
audit?
V/R
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner(a)riptidesoftware.com
derek.a.warner(a)us.army.mil
8:32 a.m.
On Friday, December 06, 2013 03:34:27 PM Derek Warner wrote:
ALCON,
We have a Centos machine running Centos 6 and it uses mysql. When a
standard user operates the system, our /var/log/messages gets filled up
with around 2gb of audit data rather quickly. Here is the audit.
Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
exe="/usr/libexec/mysqld" key=(null)
People can more easily help if this were interpreted. It yields this:
node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(12/06/2013
15:22:11.932:3572423) : arch=x86_64 syscall=sched_setparam success=no
exit=-22(Invalid argument) a0=0x1f46 a1=0x7f5e6357e290 a2=0xd3b6f8 a3=0x1f68
items=0 ppid=2518 pid=8006 auid=unset uid=avahi gid=avahi euid=avahi
suid=avahi fsuid=avahi egid=avahi sgid=avahi fsgid=avahi tty=(none) ses=unset
comm=mysqld key=(null)
I have tried the following:
-a exit,never -F path=/usr/libexec/mysqld
This only stops events that supply a path as an argument.
When using "-F" I noticed in one RHEL forum someone used -F
exe=
However in CENTOS exe is not a recognized field when using -F
True. You can look at the auditctl man page to see what is supported.
We do not wish to audit this data, can someone please help me exclude
the
audit?
What this is saying is that mysql is calling sched_setparam and getting
EINVAL. I have to ask why you would want this? You also don't set a key for
the event which makes later analysis more difficult. You could re-write the rule
as follows:
-a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL
But this looks vaguely familiar...
http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
On page 12 I explain what's wrong with mysqld's code.
-Steve
9:20 a.m.
Steve,
This machine is on Marine Corp network and is undergoing DISA RHEL 5 STIG.
We have a software package called CAARS which is simply an "After Action
Review" suite of software. The CAARS grabs events from the simulation,
audio, and a host of other items to enable the soldier to quickly put
together an after action review with his troops to review the just
completed training scenario.
CAARS has a mysql database. Post STIG I received a bug notice from OnTIME
which said the /var/log/messages file is filling up fast. After a qiuck
review, I noticed the log entry posted in this email chain.
How did you "interpret" the log setting to retreive the syscall
"sched_setparam"?
Anyhow I am not sure why we want this, I have no idea what the
sched_setparam actually does. Did you do a lookup on the mysql syscall
number?
Again, I always appreciate your assistance.
V/R
Derek
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner(a)riptidesoftware.com
derek.a.warner(a)us.army.mil
On Mon, Dec 9, 2013 at 9:32 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Friday, December 06, 2013 03:34:27 PM Derek Warner wrote:
> ALCON,
>
> We have a Centos machine running Centos 6 and it uses mysql. When a
> standard user operates the system, our /var/log/messages gets filled up
> with around 2gb of audit data rather quickly. Here is the audit.
>
> Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
> msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
> exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
> pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
> egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
> exe="/usr/libexec/mysqld" key=(null)
People can more easily help if this were interpreted. It yields this:
node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(12/06/2013
15:22:11.932:3572423) : arch=x86_64 syscall=sched_setparam success=no
exit=-22(Invalid argument) a0=0x1f46 a1=0x7f5e6357e290 a2=0xd3b6f8
a3=0x1f68
items=0 ppid=2518 pid=8006 auid=unset uid=avahi gid=avahi euid=avahi
suid=avahi fsuid=avahi egid=avahi sgid=avahi fsgid=avahi tty=(none)
ses=unset
comm=mysqld key=(null)
> I have tried the following:
>
> -a exit,never -F path=/usr/libexec/mysqld
This only stops events that supply a path as an argument.
> When using "-F" I noticed in one RHEL forum someone used -F exe=
>
> However in CENTOS exe is not a recognized field when using -F
True. You can look at the auditctl man page to see what is supported.
> We do not wish to audit this data, can someone please help me exclude the
> audit?
What this is saying is that mysql is calling sched_setparam and getting
EINVAL. I have to ask why you would want this? You also don't set a key for
the event which makes later analysis more difficult. You could re-write
the rule
as follows:
-a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL
But this looks vaguely familiar...
http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
On page 12 I explain what's wrong with mysqld's code.
-Steve
9:34 a.m.
On Monday, December 09, 2013 10:20:41 AM Derek Warner wrote:
How did you "interpret" the log setting to retreive the
syscall
"sched_setparam"?
I copied the text and ran it through ausearch with the '-i' commandline
option.
Anyhow I am not sure why we want this, I have no idea what the
sched_setparam actually does.
It changes the priority of the process. Which is not exactly security
critical. For concerns in this area, one would generally set rlimits to
prevent a resource hog. Additionally, if you really, really wanted to see
this, you'd only want the ones that succeed or fail due to EPERM.
Did you do a lookup on the mysql syscall number?
No, I used the audit tools to check it.
-Steve
9:59 a.m.
Steve,
Thanks again, I am really trying to get my linux skills sharpened as I have
been unfortunately raised in the windows world. It does pay the bills
though.
V/R
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner(a)riptidesoftware.com
derek.a.warner(a)us.army.mil
On Mon, Dec 9, 2013 at 10:34 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Monday, December 09, 2013 10:20:41 AM Derek Warner wrote:
> How did you "interpret" the log setting to retreive the syscall
> "sched_setparam"?
I copied the text and ran it through ausearch with the '-i' commandline
option.
> Anyhow I am not sure why we want this, I have no idea what the
> sched_setparam actually does.
It changes the priority of the process. Which is not exactly security
critical. For concerns in this area, one would generally set rlimits to
prevent a resource hog. Additionally, if you really, really wanted to see
this, you'd only want the ones that succeed or fail due to EPERM.
>Did you do a lookup on the mysql syscall number?
No, I used the audit tools to check it.
-Steve
9:34 a.m.
I get it. Is this something that is identified for a fix in RHEL? Since
RHEL ports the mysql would it be mysql that provides the fix or RHEL?
V/R
Derek
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner(a)riptidesoftware.com
derek.a.warner(a)us.army.mil
On Mon, Dec 9, 2013 at 9:32 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Friday, December 06, 2013 03:34:27 PM Derek Warner wrote:
> ALCON,
>
> We have a Centos machine running Centos 6 and it uses mysql. When a
> standard user operates the system, our /var/log/messages gets filled up
> with around 2gb of audit data rather quickly. Here is the audit.
>
> Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
> msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
> exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
> pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
> egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
> exe="/usr/libexec/mysqld" key=(null)
People can more easily help if this were interpreted. It yields this:
node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(12/06/2013
15:22:11.932:3572423) : arch=x86_64 syscall=sched_setparam success=no
exit=-22(Invalid argument) a0=0x1f46 a1=0x7f5e6357e290 a2=0xd3b6f8
a3=0x1f68
items=0 ppid=2518 pid=8006 auid=unset uid=avahi gid=avahi euid=avahi
suid=avahi fsuid=avahi egid=avahi sgid=avahi fsgid=avahi tty=(none)
ses=unset
comm=mysqld key=(null)
> I have tried the following:
>
> -a exit,never -F path=/usr/libexec/mysqld
This only stops events that supply a path as an argument.
> When using "-F" I noticed in one RHEL forum someone used -F exe=
>
> However in CENTOS exe is not a recognized field when using -F
True. You can look at the auditctl man page to see what is supported.
> We do not wish to audit this data, can someone please help me exclude the
> audit?
What this is saying is that mysql is calling sched_setparam and getting
EINVAL. I have to ask why you would want this? You also don't set a key for
the event which makes later analysis more difficult. You could re-write
the rule
as follows:
-a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL
But this looks vaguely familiar...
http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
On page 12 I explain what's wrong with mysqld's code.
-Steve
10:22 a.m.
On Monday, December 09, 2013 10:34:49 AM Derek Warner wrote:
Is this something that is identified for a fix in RHEL?
No. I did report it and it was worked on Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=477624
Since RHEL ports the mysql would it be mysql that provides the fix or
RHEL?
No one has complained. In my opinion, the audit rules you have are broken.
Mysql was "doing it wrong" also. But I believe it was fixed upstream in later
releases.
-Steve
11:54 a.m.
Steve,
Thank you very much. I have corrected my audit.rules.
:)
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner(a)riptidesoftware.com
derek.a.warner(a)us.army.mil
On Mon, Dec 9, 2013 at 11:22 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Monday, December 09, 2013 10:34:49 AM Derek Warner wrote:
> Is this something that is identified for a fix in RHEL?
No. I did report it and it was worked on Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=477624
> Since RHEL ports the mysql would it be mysql that provides the fix or
RHEL?
No one has complained. In my opinion, the audit rules you have are broken.
Mysql was "doing it wrong" also. But I believe it was fixed upstream in
later
releases.
-Steve
4030
days inactive
4034
days old
linux-audit@lists.linux-audit.osci.io
7 comments
2 participants
participants (2)
-
Derek Warner -
Steve Grubb