From: "Bill Tangren"
Subject: Re: the meaning of this audit entry
Date: Tue, 20 Nov 2007 10:08:08 -0500 (EST)
Message-ID: <1763.10.1.5.75.1195571288.squirrel@aa.usno.navy.mil>
In-Reply-To: <1195510425.6013.16.camel@localhost.localdomain>
References: <12635.72.245.30.196.1195507332.squirrel@aa.usno.navy.mil> <1195510425.6013.16.camel@localhost.localdomain>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On DATE, the author spaketh: Matthew Booth
> Bill,
>
> On Mon, 2007-11-19 at 16:22 -0500, Bill Tangren wrote:
>> I'd like to know what this audit log entry means:
>>
>> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3
>> success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618
>> auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>> comm="X" exe="/usr/X11R6/bin/Xorg"
>
> arch=40000003 syscall=3 is an i386 read() call. -11 is EAGAIN, which is
> a temporary failure. The event itself is nothing to worry about.

Except that it is putting 500MB into the logs every day.

>
> However, the audit rules you give below don't appear to specify read(),
> so it's not immediately apparent why this would be showing up. The
> x86_64 syscall=3 is close(), which you also don't specify. Have you got
> any other rules in there which you haven't listed? Do you start your
> audit.rules with a '-D'?

Yes, I start with this.

>
>> It appears that there is a problem with /usr/X11R6/bin/Xorg, and it is
>> issuing a failed syscall. I can tell you that I see this if there is a
>> user logged into the console GUI.
>>
>> The following are the rules that I have that are auditing syscalls:
>
> Although I haven't specifically tested this, I believe that in every
> case below where you've got -F auid=foo -F auid=bar, the rule will never
> match. The reason for this is because filters are combined with and, not
> or.

Well, I'm just finding that out. Obviously I have to rewrite all my rules,
or most of them, anyway. I'd like to blame someone else for the rules,
since I was given these and told to use them, but I should know better.
Obviously I have a lot to learn. I wish there was a tutorial or something
I could read. I've gone over the man page, but I'm not learning enough
from it. I'll start by splitting up the auid= rules, and observe what shows
up in the logs. I've tried running the ausearch function, but it can take
a really long time to return, even when I tell it to start only ten
minutes ago.

>
>> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F
>> auid=-1 -F auid=0
>>
>> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
>>
>> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
>> fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
>>
>> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
>> fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
>>
>> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F
>> auid=-1 -F auid=0
>>
>> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F
>> auid=-1 -F auid=0
>
> Matt
>

-- 
Bill Tangren
U.S. Naval Observatory
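As an added worked example (not code from the original thread or from the audit project), the Python script below does two things the exchange above talks about. It decodes the record Bill posted the way Matt does (arch 0x40000003 is AUDIT_ARCH_I386, syscall 3 is read() there and close() on x86_64, exit -11 is EAGAIN on Linux), and it models the rule semantics Matt describes: the syscalls listed with -S are alternatives, but every -F filter in one rule must hold, so `-F auid=-1 -F auid=0` in a single rule can never match, while the same two filters split across two rules do. The syscall tables are deliberately partial, the Linux errno table is hardcoded so decoding does not depend on the host running the script, and the failed mount(2) record is constructed for the demonstration; the parser only handles the `key=value` layout of a SYSCALL record, not every audit record type.

```python
import shlex

# AUDIT_ARCH_I386 = EM_386 (3) | __AUDIT_ARCH_LE (0x40000000)
# AUDIT_ARCH_X86_64 = EM_X86_64 (62) | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE
ARCH_NAMES = {0x40000003: "i386", 0xC000003E: "x86_64"}

# Deliberately partial syscall tables: only the numbers this example decodes.
SYSCALL_NAMES = {
    "i386":   {3: "read", 6: "close", 21: "mount"},
    "x86_64": {0: "read", 3: "close", 165: "mount"},
}

# Linux errno values. The record came from a Linux box, so use Linux's
# numbers rather than whatever the host running this script defines.
LINUX_ERRNO = {1: "EPERM", 2: "ENOENT", 11: "EAGAIN", 13: "EACCES"}

AUID_UNSET = 0xFFFFFFFF  # what auditctl's "-F auid=-1" stands for: no login uid set

# The record from the thread, with the quoted-printable encoding decoded.
XORG_RECORD = (
    'type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3 '
    'success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618 '
    'auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'comm="X" exe="/usr/X11R6/bin/Xorg"'
)

# Constructed for this example: a failed mount(2) from a session whose
# login uid is 0, i.e. something the thread's rules are meant to catch.
MOUNT_RECORD = (
    'type=SYSCALL msg=audit(1195506800.000:1): arch=c000003e syscall=165 '
    'success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 pid=4242 '
    'auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'comm="mount" exe="/bin/mount"'
)

# One of the rules from the thread, and the same rule split the way Bill
# says he will split them.
ORIGINAL_RULE = ("-a exit,always -S quotactl -S mount -S kill -S chroot "
                 "-F success=0 -F auid=-1 -F auid=0")
SPLIT_RULES = [
    "-a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=-1",
    "-a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=0",
]


def parse_record(line):
    """Split one SYSCALL record into a dict of field -> string (quotes stripped)."""
    fields = {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def describe(rec):
    """Return (arch name, syscall name, errno name) for a parsed record."""
    arch = ARCH_NAMES.get(int(rec["arch"], 16), rec["arch"])
    nr = int(rec["syscall"])
    name = SYSCALL_NAMES.get(arch, {}).get(nr, str(nr))
    exit_code = int(rec["exit"])
    err = LINUX_ERRNO.get(-exit_code, str(exit_code)) if exit_code < 0 else ""
    return arch, name, err


def parse_rule(text):
    """Parse an auditctl '-a list,action -S sys ... -F key=value ...' line."""
    toks = shlex.split(text)
    rule = {"syscalls": set(), "filters": []}
    i = 0
    while i < len(toks):
        if toks[i] == "-S":
            rule["syscalls"].add(toks[i + 1])
            i += 2
        elif toks[i] == "-F":
            key, value = toks[i + 1].split("=", 1)
            rule["filters"].append((key, value))
            i += 2
        else:
            i += 1  # "-a exit,always" selects the list; it is not a match condition
    return rule


def filter_matches(key, value, rec):
    """Evaluate a single -F filter against a record."""
    if key == "success":
        return rec.get("success") == ("yes" if value == "1" else "no")
    if key == "auid":
        want = AUID_UNSET if value == "-1" else int(value)
        return int(rec.get("auid", AUID_UNSET)) == want
    return rec.get(key) == value


def rule_matches(rule, rec):
    """Kernel semantics as Matt describes them: any -S syscall, but ALL -F filters."""
    _, name, _ = describe(rec)
    if rule["syscalls"] and name not in rule["syscalls"]:
        return False
    return all(filter_matches(k, v, rec) for k, v in rule["filters"])


def evaluate():
    """Run the thread's scenario and return the results as a dict."""
    xorg, mount = parse_record(XORG_RECORD), parse_record(MOUNT_RECORD)
    original = parse_rule(ORIGINAL_RULE)
    split = [parse_rule(r) for r in SPLIT_RULES]
    return {
        "xorg": describe(xorg),
        "original_rule_matches_xorg": rule_matches(original, xorg),
        "original_rule_matches_mount": rule_matches(original, mount),
        "split_rules_match_mount": any(rule_matches(r, mount) for r in split),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

Running it shows the Xorg record decoding to an i386 read() that failed with EAGAIN, the original combined rule matching neither record (the auid=-1 and auid=0 filters cannot both hold), and the second of the split rules matching the constructed root-session mount failure.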