Exclude /usr/libexec/mysqld from audit.rules

Derek Warner derek.warner at riptidesoftware.com
Mon Dec 9 15:34:49 UTC 2013


I get it. Is this something that is identified for a fix in RHEL? Since
RHEL ports mysql, would it be mysql that provides the fix, or RHEL?

V/R

Derek

Derek Warner – CISSP-ISSEP

Information System Security Engineer

Riptide Software

w- 321-296-0068 x 136

c-  407-716-9223

derek.warner at riptidesoftware.com

derek.a.warner at us.army.mil


On Mon, Dec 9, 2013 at 9:32 AM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Friday, December 06, 2013 03:34:27 PM Derek Warner wrote:
> > ALCON,
> >
> > We have a Centos machine running Centos 6 and it uses mysql. When a
> > standard user operates the system, our /var/log/messages gets filled up
> > with around 2gb of audit data rather quickly. Here is the audit.
> >
> > Dec  6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
> > msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
> > exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
> > pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
> > egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
> > exe="/usr/libexec/mysqld" key=(null)
>
> People can more easily help if this were interpreted. It yields this:
>
> node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(12/06/2013
> 15:22:11.932:3572423) : arch=x86_64 syscall=sched_setparam success=no
> exit=-22(Invalid argument) a0=0x1f46 a1=0x7f5e6357e290 a2=0xd3b6f8
> a3=0x1f68
> items=0 ppid=2518 pid=8006 auid=unset uid=avahi gid=avahi euid=avahi
> suid=avahi fsuid=avahi egid=avahi sgid=avahi fsgid=avahi tty=(none)
> ses=unset
> comm=mysqld key=(null)
>
>
> > I have tried the following:
> >
> > -a exit,never -F path=/usr/libexec/mysqld
>
> This only stops events that supply a path as an argument.
>
>
> > When using "-F" I noticed in one RHEL forum someone used -F exe=
> >
> > However in CENTOS exe is not a recognized field when using -F
>
> True. You can look at the auditctl man page to see what is supported.
>
>
> > We do not wish to audit this data, can someone please help me exclude the
> > audit?
>
> What this is saying is that mysql is calling sched_setparam and getting
> EINVAL. I have to ask why you would want this? You also don't set a key for
> the event which makes later analysis more difficult. You could re-write
> the rule as follows:
>
> -a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL
>
>
> But this looks vaguely familiar...
> http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
>
> On page 12 I explain what's wrong with mysqld's code.
>
> -Steve
>
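Steve's point about interpreting the raw record, and the rule he suggests, as an added example (not code from the thread): a small Python parser for the raw SYSCALL record quoted above that resolves the same fields `ausearch -i` shows (arch, syscall, exit, auid/ses), shows why `-F path=` cannot match it (items=0, so no PATH records), and evaluates the suggested `exit!=-EINVAL` filter against it. The arch and syscall tables are an assumption, deliberately reduced to what this record needs; uids are left unresolved because the mapping is host-specific.

```python
import errno
import os
import re

# Constructed input: the raw record quoted in the thread, joined onto one line.
RAW_RECORD = (
    "node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(1386361331.932:3572423): "
    "arch=c000003e syscall=142 success=no exit=-22 a0=1f46 a1=7f5e6357e290 "
    "a2=d3b6f8 a3=1f68 items=0 ppid=2518 pid=8006 auid=4294967295 uid=496 "
    "gid=492 euid=496 suid=496 fsuid=496 egid=492 sgid=492 fsgid=492 "
    'tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" key=(null)'
)

# Assumption: partial lookup tables covering this record; ausearch carries the full ones.
ARCH_NAMES = {0xC000003E: "x86_64"}
X86_64_SYSCALLS = {142: "sched_setparam", 143: "sched_getparam", 144: "sched_setscheduler"}
UNSET = 0xFFFFFFFF  # (unsigned)-1: auid/ses never set, typical for daemons started at boot

# key=value pairs; a value may be "quoted", parenthesised like (none), or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

def parse_record(raw):
    """Split a raw audit record into a dict of string fields, quotes stripped."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(raw)}

def interpret(fields):
    """Resolve numeric fields the way 'ausearch -i' does (uids are left alone: host-specific)."""
    out = dict(fields)
    out["arch"] = ARCH_NAMES.get(int(fields["arch"], 16), fields["arch"])
    if out["arch"] == "x86_64":
        out["syscall"] = X86_64_SYSCALLS.get(int(fields["syscall"]), fields["syscall"])
    code = int(fields["exit"])
    if code < 0:  # a negative exit is -errno; append the errno text like ausearch does
        out["exit"] = f"{code}({os.strerror(-code)})"
    for key in ("auid", "ses"):
        if int(fields[key]) == UNSET:
            out[key] = "unset"
    return out

def has_path_args(fields):
    """'-F path=...' only matches records carrying PATH items; items=0 means there are none."""
    return int(fields["items"]) > 0

def would_be_logged(fields):
    """Apply '-a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL' from the thread:
    True if this rule writes the record, False if the exit filter drops it."""
    i = interpret(fields)
    return (i["arch"] == "x86_64" and i["syscall"] == "sched_setparam"
            and int(fields["exit"]) != -errno.EINVAL)
```

Running `interpret(parse_record(RAW_RECORD))` reproduces the resolved arch, syscall, exit and unset auid/ses from Steve's interpreted output, and `would_be_logged` returns False for this record, which is the suppression the rule is meant to achieve.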