From: Daniel J Walsh <dwalsh@redhat.com>
To: Zaina AFOULKI <zaina.afoulki@ensi-bourges.fr>
Cc: selinux@tycho.nsa.gov
Subject: Re: Sample logs of alert types
Date: Wed, 09 Dec 2009 13:16:15 -0500
Message-ID: <4B1FE96F.90201@redhat.com>
In-Reply-To: <1f53dffb3e370e5bafc0c2ed98eed589.squirrel@webmail.ensi-bourges.fr>

On 12/08/2009 10:04 AM, Zaina AFOULKI wrote:
> Hello,
> 
> We are trying to develop a graphical interface for SELinux alerts...
> We noticed that each log for a specific alert is different from the one of
> other types. For example:
> 
> type=AVC msg=audit(12/03/2007 12:44:48.301:140) : avc:  denied  { getattr
> } for  pid=2816 comm=vi path=/root/xorg.conf.new dev=sda1 ino=131104
> scontext=staff_u:staff_r:staff_sudo_t:s0
> tcontext=root:object_r:sysadm_home_t:s0 tclass=file
> 
> 
> type=SYSCALL msg=audit(12/03/2007 12:44:48.325:141) : arch=i386
> syscall=access success=yes exit=0 a0=88caaa8 a1=2 a2=1a4 a3=1 items=0
> ppid=2784 pid=2816 auid=gmarzot uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=vi exe=/bin/vi
> subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
> 
> Currently we know what the log looks like for the following types:
> DAEMON_START  ANOM_ABEND AVC CONFIG_CHANGE CRED_ACQ CRED_DISP DAEMON_END
> LOGIN MAC_STATUS SELINUX_ERR SYSCALL SYSTEM_RUNLEVEL SYSTEM_SHUTDOWN
> USER_ACCT USER_AUTH USER_AVC USER_CHAUTHTOK USER_CMD USER_END USER_ERR
> USER_LOGIN USER_ROLE_CHANGE USER_START
> 
> We really need to know the look of each alert in the log file.
> Is there a way we can get a sample of each log type?
> Your help will be greatly appreciated.
> 
> Thanks in advance,
> 
> 
I think this is more of an audit question.

Are you asking to see what an AVC audit message looks like?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
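The question above is really about the shape of the audit records an SELinux alert viewer has to consume. Every record shares one header (`type=... msg=audit(<time>:<serial>) :`) followed by type-specific content: AVC records put a verdict and a brace-delimited permission set in front of the `key=value` fields, while SYSCALL and most other types are pure `key=value` lists. The following parser is an added example written for this archive page, not code from either participant; it takes the two records quoted in the question (in the interpreted form `ausearch -i` prints, with the mail's line wrap rejoined) and turns them into dictionaries, splitting the SELinux contexts into user/role/type/level as a GUI would need. The field names `verdict`, `perms`, `serial` and the `summarize()` helper are this example's own choices, not audit-framework names.

```python
import re
from typing import Dict, List

# Sample records copied from the quoted question (ausearch -i interpreted
# format); the line break inside the AVC record in the mail has been rejoined.
SAMPLE_AVC = (
    "type=AVC msg=audit(12/03/2007 12:44:48.301:140) : avc:  denied  { getattr } "
    "for  pid=2816 comm=vi path=/root/xorg.conf.new dev=sda1 ino=131104 "
    "scontext=staff_u:staff_r:staff_sudo_t:s0 "
    "tcontext=root:object_r:sysadm_home_t:s0 tclass=file"
)
SAMPLE_SYSCALL = (
    "type=SYSCALL msg=audit(12/03/2007 12:44:48.325:141) : arch=i386 "
    "syscall=access success=yes exit=0 a0=88caaa8 a1=2 a2=1a4 a3=1 items=0 "
    "ppid=2784 pid=2816 auid=gmarzot uid=root gid=root euid=root suid=root "
    "fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=vi exe=/bin/vi "
    "subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)"
)

# Common header. The separator after the ')' is ' : ' in interpreted output and
# ': ' in raw audit.log lines; '\s*:\s*' accepts both spacings.
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<stamp>[^)]*)\)\s*:\s*(?P<body>.*)$")
# AVC bodies: verdict and '{ perm perm ... }' come before the key=value fields.
AVC_RE = re.compile(
    r"^avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
# key=value tokens; a value is either a double-quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'} (surrounding quotes stripped)."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(text)}


def split_context(ctx: str) -> Dict[str, str]:
    """Split an SELinux context user:role:type[:level] into its parts.

    maxsplit=3 keeps an MLS range such as s0-s0:c0.c1023 intact in 'level'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else ""}


def parse_record(line: str) -> Dict[str, object]:
    """Parse one audit record into a dict an alert viewer can display or filter on."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    # The serial after the last ':' is the event id; all records of one event share it.
    time, serial = m.group("stamp").rsplit(":", 1)
    rec: Dict[str, object] = {"type": m.group("type"), "time": time, "serial": int(serial)}
    body = m.group("body")
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            raise ValueError(f"malformed AVC body: {body!r}")
        rec["verdict"] = a.group("verdict")
        rec["perms"] = a.group("perms").split()   # handles '{ read write }' too
        body = a.group("rest")
    fields = parse_kv(body)
    rec["fields"] = fields
    # Contexts are what an SELinux viewer needs most, so split them eagerly.
    for key in ("scontext", "tcontext", "subj"):
        if key in fields:
            rec[key] = split_context(fields[key])
    return rec


def summarize(rec: Dict[str, object]) -> str:
    """One-line description suitable for a list view (example's own wording)."""
    f = rec["fields"]
    if rec["type"] == "AVC":
        target = f.get("path") or f.get("name") or ""
        return (f"{rec['verdict']} {{ {' '.join(rec['perms'])} }} on "
                f"{f.get('tclass', '?')} {target} by {f.get('comm', '?')} "
                f"(pid {f.get('pid', '?')}): "
                f"{rec['scontext']['type']} -> {rec['tcontext']['type']}")
    shown = list(f.items())[:4]
    return f"{rec['type']} " + " ".join(f"{k}={v}" for k, v in shown)


def parse_many(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch of records, skipping blank lines."""
    return [parse_record(l) for l in lines if l.strip()]


if __name__ == "__main__":
    for rec in parse_many([SAMPLE_AVC, SAMPLE_SYSCALL]):
        print(rec["serial"], summarize(rec))
```

Records that belong to the same event (same serial) can be joined on the `serial` key, which is how a viewer would pair an AVC with the SYSCALL that triggered it; in the quoted sample the two records carry different serials (140 and 141), so they are two separate events.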

Thread overview: 3+ messages
2009-12-08 15:04 Sample logs of alert types Zaina AFOULKI
2009-12-09 18:16 ` Daniel J Walsh [this message]
2009-12-10 17:55 ` Guido Trentalancia
