From: LC Bruzenak <lenny@magitekltd.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: audit 1.7.4 released
Date: Tue, 27 May 2008 10:50:31 -0500
Message-ID: <1211903431.6568.41.camel@homeserver>
In-Reply-To: <200805191450.06153.sgrubb@redhat.com>
Steve,
I am testing 1.7.4 (with mls permissive policy):
audit-viewer-0.2-2.fc9.x86_64
audit-libs-python-1.7.4-1.fc9.x86_64
system-config-audit-0.4.7-1.fc9.x86_64
audit-1.7.4-1.fc9.x86_64
audit-libs-devel-1.7.4-1.fc9.x86_64
audit-debuginfo-1.7.3-1.fc9.x86_64
audit-libs-1.7.4-1.fc9.x86_64
audit-libs-1.7.4-1.fc9.i386
I moved all the old audit out of the way, so all records would be new,
and see this after reboot:
[root@hugo ~]# aureport -h -i --summary
Host Summary Report
===========================
total host
===========================
223 ?
12 homeserver
8 127.0.0.1
6 0.0.0.0
The "?" entries are application audits - I am going to look, maybe they
have an error on the way we are sending those in.
The ones I don't understand are the "0.0.0.0" entries. Here is an
example of one of those:
[root@hugo ~]# ausearch -hn 0.0.0.0 -i --just-one
----
type=SOCKADDR msg=audit(05/27/2008 10:30:22.163:13193) : saddr=inet
host:0.0.0.0 serv:711
type=SYSCALL msg=audit(05/27/2008 10:30:22.163:13193) : arch=x86_64
syscall=bind success=yes exit=0 a0=5 a1=7fff63dbb220 a2=10 a3=89ea70
items=0 ppid=1 pid=2647 auid=unset uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295
comm=rpc.rquotad exe=/usr/sbin/rpc.rquotad
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(05/27/2008 10:30:22.163:13193) : avc: denied
{ name_bind } for pid=2647 comm=rpc.rquotad src=711
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
Is the host "0.0.0.0" field here a bug?
Once we aggregate, these would be tough to separate. Also the localhost
ones, I guess:
[root@hugo ~]# ausearch -hn 127.0.0.1 -i --just-one
----
type=SOCKADDR msg=audit(05/27/2008 10:30:22.022:13190) : saddr=inet
host:127.0.0.1 serv:750
type=SYSCALL msg=audit(05/27/2008 10:30:22.022:13190) : arch=x86_64
syscall=sendto success=yes exit=28 a0=6 a1=7f56310606e0 a2=1c a3=0
items=0 ppid=1 pid=2189 auid=unset uid=rpc gid=root euid=rpc suid=rpc
fsuid=rpc egid=root sgid=root fsgid=root tty=(none) ses=4294967295
comm=rpcbind exe=/sbin/rpcbind
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(05/27/2008 10:30:22.022:13190) : avc: denied
{ recvfrom } for pid=2189 comm=rpcbind saddr=127.0.0.1 src=111
daddr=127.0.0.1 dest=750 netif=lo
scontext=system_u:system_r:nfsd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=association
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
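The host counts in the mail come from the SOCKADDR record of each event, and for a bind() call that record carries the local address handed to the kernel, where 0.0.0.0 is INADDR_ANY (listen on every interface) rather than a remote host. The script below is an added example, not code from the mail or from the audit package: it splits ausearch -i output on its "----" separators, pairs each SOCKADDR with its SYSCALL, and keys the per-host counts by whether the address is a wildcard bind, a local bind, loopback traffic, or a real peer, so the three classes do not collapse into one host list after aggregation. It also decodes the raw (non -i) saddr= hex so it can be run over unconverted records. The sample events are constructed: the first two are the bind() and sendto() records quoted above, reflowed onto one line each and trimmed to the fields used; the third is a made-up connect() to a documentation address.

```python
import re
import socket
import struct
from collections import Counter, defaultdict

# Constructed sample input for this example. The first two events are the
# bind() and sendto() records quoted in the mail, reflowed onto one line each
# and trimmed to the fields used here; the third is a made-up connect() to a
# documentation address so the classifier has a genuine peer to count.
SAMPLE_EVENTS = """\
----
type=SOCKADDR msg=audit(05/27/2008 10:30:22.163:13193) : saddr=inet host:0.0.0.0 serv:711
type=SYSCALL msg=audit(05/27/2008 10:30:22.163:13193) : arch=x86_64 syscall=bind success=yes exit=0 pid=2647 comm=rpc.rquotad exe=/usr/sbin/rpc.rquotad
----
type=SOCKADDR msg=audit(05/27/2008 10:30:22.022:13190) : saddr=inet host:127.0.0.1 serv:750
type=SYSCALL msg=audit(05/27/2008 10:30:22.022:13190) : arch=x86_64 syscall=sendto success=yes exit=28 pid=2189 comm=rpcbind exe=/sbin/rpcbind
----
type=SOCKADDR msg=audit(05/27/2008 10:31:05.001:13210) : saddr=inet host:192.0.2.10 serv:22
type=SYSCALL msg=audit(05/27/2008 10:31:05.001:13210) : arch=x86_64 syscall=connect success=yes exit=0 pid=2700 comm=ssh exe=/usr/bin/ssh
"""

WILDCARD = {"0.0.0.0", "::"}
LOOPBACK = {"127.0.0.1", "::1"}
# Syscalls whose SOCKADDR names a local address being claimed, not a peer.
LOCAL_ADDR_SYSCALLS = {"bind"}

# Linux address-family numbers (the record comes from the audited host, so the
# local platform's socket.AF_* values are deliberately not used here).
AF_INET_LINUX, AF_INET6_LINUX = 2, 10

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SOCKADDR_RE = re.compile(r"saddr=inet6?\s+host:(\S+)\s+serv:(\d+)")


def decode_raw_saddr(hex_saddr):
    """Decode a non-interpreted saddr= hex dump (sockaddr_in / sockaddr_in6)
    into (family, host, port). sa_family is in the audited host's byte order;
    little-endian x86_64 is assumed, matching arch=x86_64 in the records."""
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack("<H", raw[:2])[0]
    if family == AF_INET_LINUX:
        port = struct.unpack("!H", raw[2:4])[0]       # network byte order
        return ("inet", socket.inet_ntop(socket.AF_INET, raw[4:8]), port)
    if family == AF_INET6_LINUX:
        port = struct.unpack("!H", raw[2:4])[0]
        return ("inet6", socket.inet_ntop(socket.AF_INET6, raw[8:24]), port)
    return ("unknown", None, None)


def parse_events(text):
    """Split ausearch -i output on its '----' separators and pull out, per
    event, the SOCKADDR host/port plus the SYSCALL name and comm."""
    events = []
    for chunk in text.split("----"):
        ev = {}
        for line in chunk.strip().splitlines():
            if line.startswith("type=SOCKADDR"):
                m = SOCKADDR_RE.search(line)
                if m:
                    ev["host"], ev["port"] = m.group(1), int(m.group(2))
            elif line.startswith("type=SYSCALL"):
                kv = dict(KV_RE.findall(line))
                ev["syscall"], ev["comm"] = kv.get("syscall"), kv.get("comm")
        if "host" in ev and ev.get("syscall"):
            events.append(ev)
    return events


def classify(ev):
    """Say what the SOCKADDR host in this event actually denotes."""
    if ev["syscall"] in LOCAL_ADDR_SYSCALLS:
        # bind() records the local address; 0.0.0.0 / :: is INADDR_ANY.
        return "wildcard-bind" if ev["host"] in WILDCARD else "local-bind"
    if ev["host"] in LOOPBACK:
        return "loopback"
    return "peer"


def host_summary(text):
    """Count hosts as aureport -h does, but keyed by classification so
    wildcard binds and loopback traffic are not mistaken for remote hosts."""
    summary = defaultdict(Counter)
    for ev in parse_events(text):
        summary[classify(ev)][ev["host"]] += 1
    return {kind: dict(hosts) for kind, hosts in summary.items()}


if __name__ == "__main__":
    for kind, hosts in host_summary(SAMPLE_EVENTS).items():
        for host, n in hosts.items():
            print(f"{n:4d} {kind:14s} {host}")
```

Feeding it real output is a matter of piping `ausearch -i -m SOCKADDR` (or the whole log) into host_summary; for the raw form, apply decode_raw_saddr to the saddr= value before classification. The point of keeping "wildcard-bind" as its own bucket is that after aggregation a listener opened by rpc.rquotad on one box is otherwise indistinguishable from traffic involving a host literally named 0.0.0.0.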
Thread overview: 10+ messages
2008-05-19 18:50 audit 1.7.4 released Steve Grubb
2008-05-27 15:50 ` LC Bruzenak [this message]
2008-05-27 15:59 ` Eric Paris
2008-05-27 16:09 ` LC Bruzenak
2008-05-27 16:10 ` Steve Grubb
2008-05-27 16:16 ` LC Bruzenak
2008-05-27 16:25 ` Steve Grubb
2008-05-27 17:20 ` LC Bruzenak
2008-05-27 16:57 ` Klaus Heinrich Kiwi
2008-05-27 17:15 ` Steve Grubb