ausearch / policy question

LC Bruzenak lenny at magitekltd.com
Wed Jul 23 22:30:45 UTC 2008


OK - now that my logs are classified correctly, I ran the following
ausearch command:
ausearch -ts recent -i -m AVC -c ausearch

And get these:

type=PATH msg=audit(07/23/2008 17:18:44.292:1620) : item=0
name=/etc/audit/auditd.conf inode=21112 dev=fd:00 mode=file,640
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:auditd_etc_t:s15:c0.c1023 
type=CWD msg=audit(07/23/2008 17:18:44.292:1620) :  cwd=/var/log/audit 
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1620) : arch=x86_64
syscall=open success=yes exit=3 a0=40f9d3 a1=20000 a2=c9c140
a3=3e2bf67a70 items=1 ppid=3451 pid=4033 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
ses=1 comm=ausearch exe=/sbin/ausearch
subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(07/23/2008 17:18:44.292:1620) : avc:  denied
{ read } for  pid=4033 comm=ausearch name=auditd.conf dev=dm-0 ino=21112
scontext=root:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file 
----
type=PATH msg=audit(07/23/2008 17:18:44.292:1622) : item=0
name=/var/log/audit/audit.log inode=24698 dev=fd:00 mode=file,600
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:auditd_log_t:s15:c0.c1023 
type=CWD msg=audit(07/23/2008 17:18:44.292:1622) :  cwd=/var/log/audit 
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1622) : arch=x86_64
syscall=open success=yes exit=4 a0=7fff89bcdefb a1=0 a2=3e2bf67a60
a3=3e2bf67a58 items=1 ppid=3451 pid=4033 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
ses=1 comm=ausearch exe=/sbin/ausearch
subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc:  denied
{ read } for  pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698
scontext=root:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file 
[root at hugo audit]# ausearch -ts recent -i -m AVC -c ausearch
----
type=PATH msg=audit(07/23/2008 17:18:44.292:1620) : item=0
name=/etc/audit/auditd.conf inode=21112 dev=fd:00 mode=file,640
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:auditd_etc_t:s15:c0.c1023 
type=CWD msg=audit(07/23/2008 17:18:44.292:1620) :  cwd=/var/log/audit 
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1620) : arch=x86_64
syscall=open success=yes exit=3 a0=40f9d3 a1=20000 a2=c9c140
a3=3e2bf67a70 items=1 ppid=3451 pid=4033 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
ses=1 comm=ausearch exe=/sbin/ausearch
subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(07/23/2008 17:18:44.292:1620) : avc:  denied
{ read } for  pid=4033 comm=ausearch name=auditd.conf dev=dm-0 ino=21112
scontext=root:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file 
----
type=PATH msg=audit(07/23/2008 17:18:44.292:1622) : item=0
name=/var/log/audit/audit.log inode=24698 dev=fd:00 mode=file,600
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:auditd_log_t:s15:c0.c1023 
type=CWD msg=audit(07/23/2008 17:18:44.292:1622) :  cwd=/var/log/audit 
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1622) : arch=x86_64
syscall=open success=yes exit=4 a0=7fff89bcdefb a1=0 a2=3e2bf67a60
a3=3e2bf67a58 items=1 ppid=3451 pid=4033 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
ses=1 comm=ausearch exe=/sbin/ausearch
subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc:  denied
{ read } for  pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698
scontext=root:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file 

I've got:
audit-1.7.4-1
selinux-policy-mls-3.3.1-77.fc9.noarch

So my questions are:
1: duplicate records above - expected or correct since there were two
matches - the AVC and also the command?
2: why is ausearch producing the AVCs?

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
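As an added example (not code from the post or from the audit project), here is a small Python parser for `ausearch -i` output of the kind pasted above. It groups records by the event serial inside `msg=audit(timestamp:serial)`, reports serials whose records appear more than once (the first question), drops exact repeats, and for every AVC record surfaces the source domain, target type, both MLS levels and the subject's current (low) sensitivity next to the object's, which is the first thing to compare when an MLS policy denies a read. The sample text is constructed, modelled on the records in the post with one record per line as `ausearch -i` emits them before a mail client wraps them; the function names are my own.

```python
"""Group ausearch -i output into events, flag repeats and summarise AVC records.

Added example for the thread above; not part of the audit project.
"""
import re
from collections import Counter, OrderedDict

# Constructed sample modelled on the records in the post (one record per line).
SAMPLE = """\
type=PATH msg=audit(07/23/2008 17:18:44.292:1620) : item=0 name=/etc/audit/auditd.conf obj=system_u:object_r:auditd_etc_t:s15:c0.c1023
type=SYSCALL msg=audit(07/23/2008 17:18:44.292:1620) : arch=x86_64 syscall=open success=yes exit=3 pid=4033 comm=ausearch exe=/sbin/ausearch subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(07/23/2008 17:18:44.292:1620) : avc:  denied  { read } for  pid=4033 comm=ausearch name=auditd.conf dev=dm-0 ino=21112 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
----
type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc:  denied  { read } for  pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
----
type=AVC msg=audit(07/23/2008 17:18:44.292:1620) : avc:  denied  { read } for  pid=4033 comm=ausearch name=auditd.conf dev=dm-0 ino=21112 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file
"""

# The timestamp itself contains ':' so the serial is the last ':digits' before ')'.
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]+?):(\d+)\) : (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")


def parse_records(text):
    """Parse one record per line; '----' separators and unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        records.append({
            "type": rtype,
            "time": stamp,
            "serial": int(serial),
            "fields": dict(KV_RE.findall(body)),
            "raw": line,
        })
    return records


def find_repeated_events(records):
    """Serials of events whose records were printed more than once."""
    seen = Counter(r["raw"] for r in records)
    return sorted({r["serial"] for r in records if seen[r["raw"]] > 1})


def dedupe_records(records):
    """Drop exact repeats of a record, keeping first-occurrence order."""
    unique = OrderedDict()
    for r in records:
        unique.setdefault(r["raw"], r)
    return list(unique.values())


def _split_context(ctx):
    """'user:role:type:level' -> (type, level); the level part may contain ':' and '-'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        return "", ""
    return parts[2], (parts[3] if len(parts) > 3 else "")


def avc_summary(records):
    """One row per AVC record with the fields a policy reviewer looks at first."""
    rows = []
    for r in records:
        if r["type"] != "AVC":
            continue
        m = AVC_RE.search(r["raw"])
        if not m:
            continue
        f = r["fields"]
        sdomain, slevel = _split_context(f.get("scontext", ""))
        ttype, tlevel = _split_context(f.get("tcontext", ""))
        # Under the MLS policy a read needs the subject's current (low) level to
        # dominate the object's level, so expose both: e.g. s0, the low end of
        # s0-s15, against an object labelled s15.
        current = slevel.split("-")[0].split(":")[0]
        rows.append({
            "serial": r["serial"],
            "decision": m.group(1),
            "perms": m.group(2).split(),
            "comm": f.get("comm"),
            "name": f.get("name"),
            "tclass": f.get("tclass"),
            "source_domain": sdomain,
            "target_type": ttype,
            "subject_level": slevel,
            "target_level": tlevel,
            "sensitivity_gap": current != tlevel.split(":")[0],
        })
    return rows


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("repeated events:", find_repeated_events(recs))
    for row in avc_summary(dedupe_records(recs)):
        print(row)
```

Run against real output, feed it `ausearch -ts recent -i -m AVC` on stdin instead of `SAMPLE`; a serial listed by `find_repeated_events` means the same event was printed twice, while a row with `sensitivity_gap` set points at the MLS level comparison rather than at the type-enforcement rule as the place to look.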