Steve,

This machine is on Marine Corp network and is undergoing DISA RHEL 5 STIG. We have a software package called CAARS which is simply an "After Action Review" suite of software. The CAARS grabs events from the simulation, audio, and a host of other items to enable the soldier to quickly put together an after action review with his troops to review the just completed training scenario.

CAARS has a mysql database. Post STIG I received a bug notice from OnTIME which said the /var/log/messages file is filling up fast. After a qiuck review, I noticed the log entry posted in this email chain.

How did you "interpret" the log setting to retreive the syscall "sched_setparam"? Anyhow I am not sure why we want this, I have no idea what the sched_setparam actually does. Did you do a lookup on the mysql syscall number?

Again, I always appreciate your assistance.

V/R


Derek



Derek Warner – CISSP-ISSEP

Information System Security Engineer

Riptide Software

w- 321-296-0068 x 136

c-  407-716-9223

derek.warner@riptidesoftware.com

derek.a.warner@us.army.mil



On Mon, Dec 9, 2013 at 9:32 AM, Steve Grubb <sgrubb@redhat.com> wrote:
On Friday, December 06, 2013 03:34:27 PM Derek Warner wrote:
> ALCON,
>
> We have a Centos machine running Centos 6 and it uses mysql. When a
> standard user operates the system, our /var/log/messages gets filled up
> with around 2gb of audit data rather quickly. Here is the audit.
>
> Dec  6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
> msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
> exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
> pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
> egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
> exe="/usr/libexec/mysqld" key=(null)

People can more easily help if this were interpreted. It yields this:

node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(12/06/2013
15:22:11.932:3572423) : arch=x86_64 syscall=sched_setparam success=no
exit=-22(Invalid argument) a0=0x1f46 a1=0x7f5e6357e290 a2=0xd3b6f8 a3=0x1f68
items=0 ppid=2518 pid=8006 auid=unset uid=avahi gid=avahi euid=avahi
suid=avahi fsuid=avahi egid=avahi sgid=avahi fsgid=avahi tty=(none) ses=unset
comm=mysqld key=(null)


> I have tried the following:
>
> -a exit,never -F path=/usr/libexec/mysqld

This only stops events that supply a path as an argument.


> When using "-F" I noticed in one RHEL forum someone used -F exe=
>
> However in CENTOS exe is not a recognized field when using -F

True. You can look at the auditctl man page to see what is supported.


> We do not wish to audit this data, can someone please help me exclude the
> audit?

What this is saying is that mysql is calling sched_setparam and getting
EINVAL. I have to ask why you would want this? You also don't set a key for
the event which makes later analysis more difficult. You could re-write the rule
as follows:

-a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL


But this looks vaguely familiar...
http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf

On page 12 I explain what's wrong with mysqld's code.

-Steve