* setroubleshooter/sealert on central loghost?
@ 2007-07-31 14:50 Jan-Frode Myklebust
2007-07-31 18:19 ` Steve G
2007-08-02 14:15 ` Daniel J Walsh
0 siblings, 2 replies; 5+ messages in thread
From: Jan-Frode Myklebust @ 2007-07-31 14:50 UTC (permalink / raw)
To: selinux
We run a centralized syslog server, and separate all syslogged avc
into a separate log file. Is it possible to have setroubleshooter/sealert
use this log file ?
Also it would be nice if one could get the correct "Host Name" in
the setroubleshhot browser and alerts. Guess that also will have
to be added to the avc-log lines is some format.. I tried faking it
with:
type=AVC msg=audit(1185725759.359:2945): avc: denied { search } for
pid=2077 hostname="my.hostname.com" comm="snmpd" name="fs" dev=proc
ino=4026531869 scontext=system_u:system_r:snmpd_t:s0
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
But the troubleshooter doesn't pick up the hostname. Any ideas ?
-jf
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: setroubleshooter/sealert on central loghost?
2007-07-31 14:50 setroubleshooter/sealert on central loghost? Jan-Frode Myklebust
@ 2007-07-31 18:19 ` Steve G
2007-08-02 14:15 ` Daniel J Walsh
1 sibling, 0 replies; 5+ messages in thread
From: Steve G @ 2007-07-31 18:19 UTC (permalink / raw)
To: Jan-Frode Myklebust, selinux
>We run a centralized syslog server, and separate all syslogged avc
>into a separate log file. Is it possible to have setroubleshooter/sealert
>use this log file ?
setroubleshoot can be told to use a particular file for an analysis. It normally
does analysis using the realtime audit stream. So I suspect you'd have to
manually run the analysis.
That said, we are working on centrally logging the audit events and reworking
setroubleshoot to work off that new datastream including the host names so that
you can do analysis correctly per machine.
-Steve
____________________________________________________________________________________
Choose the right car based on your needs. Check out Yahoo! Autos new Car Finder tool.
http://autos.yahoo.com/carfinder/
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: setroubleshooter/sealert on central loghost?
2007-07-31 14:50 setroubleshooter/sealert on central loghost? Jan-Frode Myklebust
2007-07-31 18:19 ` Steve G
@ 2007-08-02 14:15 ` Daniel J Walsh
2007-08-05 20:57 ` Jan-Frode Myklebust
1 sibling, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2007-08-02 14:15 UTC (permalink / raw)
To: Jan-Frode Myklebust; +Cc: selinux
Jan-Frode Myklebust wrote:
> We run a centralized syslog server, and separate all syslogged avc
> into a separate log file. Is it possible to have setroubleshooter/sealert
> use this log file ?
>
> Also it would be nice if one could get the correct "Host Name" in
> the setroubleshhot browser and alerts. Guess that also will have
> to be added to the avc-log lines is some format.. I tried faking it
> with:
>
> type=AVC msg=audit(1185725759.359:2945): avc: denied { search } for
> pid=2077 hostname="my.hostname.com" comm="snmpd" name="fs" dev=proc
> ino=4026531869 scontext=system_u:system_r:snmpd_t:s0
> tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
>
> But the troubleshooter doesn't pick up the hostname. Any ideas ?
>
>
> -jf
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
If you keep the logs separate you can use sealert on the log files.
sealert -a logfile
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: setroubleshooter/sealert on central loghost?
2007-08-02 14:15 ` Daniel J Walsh
@ 2007-08-05 20:57 ` Jan-Frode Myklebust
2007-08-06 0:36 ` Steve G
0 siblings, 1 reply; 5+ messages in thread
From: Jan-Frode Myklebust @ 2007-08-05 20:57 UTC (permalink / raw)
To: SELinux
On 2007-08-02, Daniel J Walsh <dwalsh@redhat.com> wrote:
> If you keep the logs separate you can use sealert on the log files.
>
> sealert -a logfile
This kind of works if I add a "type=AVC" to the syslogged lines,
but sealert doesn't show the hostname of the host that sent the
AVC. Any ideas for how to get the "Host Name" field in the sealert
browser to show the hostname ? What's the format sealert expects it
on ?
If I can find the format, I can probably have syslog-ng insert
it into the log entries.
-jf
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: setroubleshooter/sealert on central loghost?
2007-08-05 20:57 ` Jan-Frode Myklebust
@ 2007-08-06 0:36 ` Steve G
0 siblings, 0 replies; 5+ messages in thread
From: Steve G @ 2007-08-06 0:36 UTC (permalink / raw)
To: Jan-Frode Myklebust, SELinux
>but sealert doesn't show the hostname of the host that sent the
>AVC. Any ideas for how to get the "Host Name" field in the sealert
>browser to show the hostname ?
Like I was saying, we are just starting to write the code that does this kind of
thing, so nothing anywhere expects it.
>What's the format sealert expects it on ?
The syntax for the field is likely to be node=computer. But its exact placement
and who adds it (auditd vs audispd) is not settled.
-Steve
____________________________________________________________________________________
Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to get online.
http://smallbusiness.yahoo.com/webhosting
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2007-08-06 0:36 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-07-31 14:50 setroubleshooter/sealert on central loghost? Jan-Frode Myklebust
2007-07-31 18:19 ` Steve G
2007-08-02 14:15 ` Daniel J Walsh
2007-08-05 20:57 ` Jan-Frode Myklebust
2007-08-06 0:36 ` Steve G
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.