From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Exclude /usr/libexec/mysqld from audit.rules
Date: Mon, 09 Dec 2013 09:32:22 -0500
Message-ID: <22012185.RRsLhnfhFh@x2>
In-Reply-To: <CAPZ=o6pj5rPkSS9Fk5YwKJv2Ei_pbmxhZZhCzXknoX6k1gSLxA@mail.gmail.com>
On Friday, December 06, 2013 03:34:27 PM Derek Warner wrote:
> ALCON,
>
> We have a CentOS machine running CentOS 6 and it uses mysql. When a
> standard user operates the system, our /var/log/messages gets filled up
> with around 2 GB of audit data rather quickly. Here is the audit.
>
> Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
> msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
> exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
> pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
> egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
> exe="/usr/libexec/mysqld" key=(null)
People can more easily help if this were interpreted. It yields this:
node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(12/06/2013
15:22:11.932:3572423) : arch=x86_64 syscall=sched_setparam success=no
exit=-22(Invalid argument) a0=0x1f46 a1=0x7f5e6357e290 a2=0xd3b6f8 a3=0x1f68
items=0 ppid=2518 pid=8006 auid=unset uid=avahi gid=avahi euid=avahi
suid=avahi fsuid=avahi egid=avahi sgid=avahi fsgid=avahi tty=(none) ses=unset
comm=mysqld key=(null)
> I have tried the following:
>
> -a exit,never -F path=/usr/libexec/mysqld
This only stops events that supply a path as an argument.
> When using "-F" I noticed in one RHEL forum someone used -F exe=
>
> However in CentOS exe is not a recognized field when using -F
True. You can look at the auditctl man page to see what is supported.
> We do not wish to audit this data, can someone please help me exclude the
> audit?
What this is saying is that mysql is calling sched_setparam and getting
EINVAL. I have to ask why you would want this? You also don't set a key for
the event which makes later analysis more difficult. You could re-write the rule
as follows:
-a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL
But this looks vaguely familiar...
http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
On page 12 I explain what's wrong with mysqld's code.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
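Steve's point above is that a raw SYSCALL record is hard to reason about until its numeric fields are interpreted (arch, syscall number, errno, unset auid, uid/gid names), which is what `ausearch -i` does on a real host. The following is an added illustration, not code from the thread or from the audit project: a small stand-alone interpreter for the record Derek posted. The syscall table is a subset of the x86_64 table (142 is sched_setparam there), and the uid/gid-to-name map is a constructed stand-in for /etc/passwd and /etc/group on the reporting host, chosen to match the "avahi" names in Steve's interpreted output.

```python
import os
import re
from datetime import datetime, timezone

# Audit arch values: EM_x86_64 (0x3e) with the 64-bit and little-endian bits set.
ARCH_NAMES = {0xC000003E: "x86_64", 0x40000003: "i386"}

# Small subset of the x86_64 syscall table; the record on the page uses 142.
X86_64_SYSCALLS = {142: "sched_setparam", 143: "sched_getparam",
                   144: "sched_setscheduler"}

# The kernel prints an unset auid/ses as (unsigned) -1.
UNSET = 4294967295

# Constructed stand-ins for /etc/passwd and /etc/group on the reporting host
# (the page's interpreted output maps uid 496 and gid 492 to "avahi" there).
PASSWD = {496: "avahi"}
GROUP = {492: "avahi"}

# Constructed sample: Derek's record from the thread, re-joined onto one line.
SAMPLE = ('Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL '
          'msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no '
          'exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518 '
          'pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496 '
          'egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld" '
          'exe="/usr/libexec/mysqld" key=(null)')

# key=value pairs; values may be quoted, parenthesised like (null), or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')


def parse_fields(line):
    """Split one audit record into a dict of raw field strings."""
    # Drop the syslog/audispd prefix if the record came via /var/log/messages.
    if "audispd: " in line:
        line = line.split("audispd: ", 1)[1]
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def interpret(fields):
    """Turn the numeric fields into the names a human (or ausearch -i) would use."""
    out = dict(fields)
    m = MSG_RE.search(fields.get("msg", ""))
    if m:
        secs, millis, serial = m.groups()
        ts = datetime.fromtimestamp(int(secs), tz=timezone.utc)
        out["time_utc"] = ts.strftime("%Y-%m-%d %H:%M:%S") + "." + millis
        out["serial"] = int(serial)
    arch = int(fields["arch"], 16)
    out["arch"] = ARCH_NAMES.get(arch, fields["arch"])
    nr = int(fields["syscall"])
    if out["arch"] == "x86_64":
        out["syscall"] = X86_64_SYSCALLS.get(nr, str(nr))
    rc = int(fields["exit"])
    if rc < 0:
        # Negative exit is -errno; show the strerror text like ausearch does.
        out["exit"] = f"{rc}({os.strerror(-rc)})"
    for k in ("auid", "ses"):
        if int(fields[k]) == UNSET:
            out[k] = "unset"
    for k in ("uid", "euid", "suid", "fsuid"):
        out[k] = PASSWD.get(int(fields[k]), fields[k])
    for k in ("gid", "egid", "sgid", "fsgid"):
        out[k] = GROUP.get(int(fields[k]), fields[k])
    for k in ("a0", "a1", "a2", "a3"):
        out[k] = "0x" + fields[k]
    return out


def interpret_line(line):
    """Convenience wrapper: raw record in, interpreted dict out."""
    return interpret(parse_fields(line))


if __name__ == "__main__":
    for key, value in interpret_line(SAMPLE).items():
        print(f"{key}={value}")
```

Running it on the constructed sample yields arch=x86_64, syscall=sched_setparam, exit=-22(Invalid argument), auid=unset and uid=avahi, which is the same reading Steve gave: mysqld calling sched_setparam and getting EINVAL. The key=(null) field is also visible at a glance, which is why Steve suggests attaching a key to any rule that will generate this volume of records.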