* the meaning of this audit entry
From: Bill Tangren @ 2007-11-19 21:22 UTC
To: linux-audit

I'd like to know what this audit log entry means:

type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3 success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618 auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="X" exe="/usr/X11R6/bin/Xorg"

It appears that there is a problem with /usr/X11R6/bin/Xorg, and it is issuing a failed syscall. I can tell you that I see this if there is a user logged into the console GUI.

The following are the rules that I have that are auditing syscalls:

-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F auid=0
-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
-a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
-a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
-a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=-1 -F auid=0
-a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=-1 -F auid=0

Is this being audited by default, or is one of the previous rules auditing it?

Thanks!

-- 
Bill Tangren
U.S. Naval Observatory
* Re: the meaning of this audit entry
From: Steve Grubb @ 2007-11-19 22:06 UTC
To: linux-audit

On Monday 19 November 2007 04:22:12 pm Bill Tangren wrote:
> I'd like to know what this audit log entry means:

It is easier to understand these when you give the '-i' option to ausearch. It changes things from numeric to text values. It also groups all records that make up the event so that you can see all of it.

> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3
> success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618
> auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="X" exe="/usr/X11R6/bin/Xorg"

I'm guessing that this is a failed read syscall that returned -EAGAIN. ausearch -i would have changed all those numbers to what I put above.

> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F
> auid=-1 -F auid=0

-F options are and'ed together. In this case, they cancel each other out.

> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
> fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
> fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F
> auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F
> auid=-1 -F auid=0

None of these rules do anything because the options conflict.

> Is this being audited by default, or is one of the previous rules
> auditing it?

Hard to say without seeing the whole event that ausearch would output and seeing what auditctl -l shows.

-Steve
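Steve's point that -F filters are ANDed can be checked mechanically. The following is an added example, not code from the thread or from the audit package: it parses the rules Bill posted (embedded here as constructed input), flags any rule that gives one field two different '=' values, and rewrites such a rule as one rule per value, which is the OR the rule author evidently wanted.

```python
import re
import shlex
from collections import defaultdict

# Constructed input: the six rules posted in the thread, one per line.
RULES = """
-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F auid=0
-a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
-a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
-a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
-a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=-1 -F auid=0
-a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=-1 -F auid=0
""".strip().splitlines()

# auditctl -F syntax is field, comparison operator, value (e.g. auid=-1, auid!=0).
FILTER_RE = re.compile(r"^(\w+)(!=|>=|<=|=|>|<)(.*)$")

def filters(line):
    """Return the (field, op, value) triples of every -F option on one rule line."""
    toks = shlex.split(line)
    out = []
    for i, tok in enumerate(toks[:-1]):
        if tok == "-F":
            m = FILTER_RE.match(toks[i + 1])
            if m:
                out.append(m.groups())
    return out

def conflicting_fields(line):
    """Fields given two different '=' values: the kernel ANDs every -F filter of a
    rule, so such a rule can never fire (what Steve calls 'cancelling each other out')."""
    values = defaultdict(set)
    for field, op, value in filters(line):
        if op == "=":
            values[field].add(value)
    return {f: sorted(v) for f, v in values.items() if len(v) > 1}

def check_rules(lines):
    """(1-based rule number, conflicts) for every rule that can never match."""
    checked = [(n, conflicting_fields(l)) for n, l in enumerate(lines, 1)]
    return [(n, c) for n, c in checked if c]

def split_rule(line, field):
    """Rewrite a conflicting rule as one rule per value of `field` (OR via separate rules)."""
    toks = shlex.split(line)
    base, values = [], []
    i = 0
    while i < len(toks):
        if toks[i] == "-F" and toks[i + 1].startswith(field + "="):
            values.append(toks[i + 1].split("=", 1)[1])
            i += 2
            continue
        base.append(toks[i])
        i += 1
    return [" ".join(base + ["-F", f"{field}={v}"]) for v in values]
```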
* Re: the meaning of this audit entry
From: Bill Tangren @ 2007-11-20 15:36 UTC
To: linux-audit

On DATE, the author spaketh: Steve Grubb
> On Monday 19 November 2007 04:22:12 pm Bill Tangren wrote:
>> I'd like to know what this audit log entry means:
>
> It is easier to understand these when you give the '-i' option to
> ausearch. It changes things from numeric to text values. It also groups
> all records that make up the event so that you can see all of it.

For this event:

type=SYSCALL msg=audit(1195572240.060:2971371): arch=40000003 syscall=3 success=no exit=-11 a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=517 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="X" exe="/usr/X11R6/bin/Xorg"

I issued this command:

# ausearch -i -a 2971371
type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386 syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=X exe=/usr/X11R6/bin/Xorg

Now, this system is plugged into a KVM switch, and sometimes the sysadmin who logs into the GUI stays logged in for days (he forgets to log out), and the switch is changed to some other system. I don't know if any of this has anything to do with why I'm getting 500MB worth of logs every day, but I have noticed that the logs are this big whenever someone is logged into the GUI.

BTW, this is a RHEL ES 4.6 system.

-- 
Bill Tangren
U.S. Naval Observatory
* RE: the meaning of this audit entry
From: Mike Nixon @ 2007-11-21 0:49 UTC
To: 'Bill Tangren', linux-audit

Looks to me like someone that was logged in as 'root' attempted but failed to read an x-windows file. The relevant tipoffs are:

syscall=3 (read)
success=no (failed)
uid=0 (root user account)
comm="X" or exe="/usr/X11R6/bin/Xorg"

Mike

-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Bill Tangren
Sent: Tuesday, November 20, 2007 10:37 AM
To: linux-audit@redhat.com
Subject: Re: the meaning of this audit entry

-- 
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: the meaning of this audit entry
From: Steve Grubb @ 2007-11-21 2:17 UTC
To: linux-audit

On Tuesday 20 November 2007 07:49:00 pm Mike Nixon wrote:
> Looks to me like someone that was logged in as 'root' attempted but failed
> to read an x-windows file. The relevant tipoffs are:
>
> syscall=3 (read)
> success=no (failed)
> uid=0 (root user account)
> comm="X" or exe="/usr/X11R6/bin/Xorg"

You are forgetting the exit code. In this case, it matters. :)

-Steve
* Re: the meaning of this audit entry
From: Steve Grubb @ 2007-11-21 2:22 UTC
To: linux-audit

On Tuesday 20 November 2007 10:36:47 am Bill Tangren wrote:
> type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386
> syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12
> a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=X
> exe=/usr/X11R6/bin/Xorg

Yeah, see, this is a wee bit more readable. I think you have a rule for reads with success != yes. The only thing you might want to worry about is failed access attempts. They have success=no, but their exit code is different.

> Now, this system is plugged into a KVM switch, and sometimes the sysadmin
> who logs into the GUI stays logged in for days (he forgets to log out),

I'd think some auto logout rules would solve that. ;)

> I don't know if any of this has anything to do with why I'm getting 500MB
> worth of logs every day,

That is excessive. I think it shows you need to refactor your rules.

-Steve
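Steve's advice to look at the exit code, not just success=no, can be turned into a small triage step. This is an added example, not code from the thread or from the audit tools: it decodes a raw SYSCALL record the way ausearch -i does for the two arch values that matter here (0x40000003 is i386, where syscall 3 is read(); 0xc000003e is x86_64, where 3 is close()) and sorts failures into transient errors like EAGAIN versus access denials like EACCES/EPERM. The errno and syscall tables are deliberately small Linux subsets (an assumption), and the second record is constructed for contrast.

```python
import re

# Small Linux-only lookup tables (assumption: just enough for the records below).
# AUDIT_ARCH_I386 = 0x40000003, AUDIT_ARCH_X86_64 = 0xc000003e.
ARCHES = {0x40000003: "i386", 0xC000003E: "x86_64"}
# Syscall 3 is read() on i386 but close() on x86_64, so arch must be decoded first.
SYSCALLS = {"i386": {3: "read", 5: "open", 6: "close"},
            "x86_64": {0: "read", 2: "open", 3: "close"}}
ERRNO = {1: "EPERM", 4: "EINTR", 11: "EAGAIN", 13: "EACCES"}
TRANSIENT = {"EAGAIN", "EINTR"}          # retryable; usually log noise, as in the thread
ACCESS_DENIED = {"EACCES", "EPERM"}      # the failed access attempts worth keeping

# The record Bill posted, plus one constructed x86_64 failed open() (not from the thread).
RECORDS = [
    'type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3 '
    'success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618 '
    'auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'comm="X" exe="/usr/X11R6/bin/Xorg"',
    # constructed sample record
    'type=SYSCALL msg=audit(1195572300.000:2971400): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=7fff1234 a1=0 a2=0 a3=0 items=1 pid=4242 auid=517 '
    'uid=517 gid=517 euid=517 suid=517 fsuid=517 egid=517 sgid=517 fsgid=517 '
    'comm="cat" exe="/bin/cat"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split a key=value audit record into a dict, dropping the quotes on values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def decode(line):
    """Interpret arch, syscall and exit like ausearch -i, then classify the failure."""
    f = parse_record(line)
    arch = ARCHES.get(int(f["arch"], 16), f["arch"])
    nr = int(f["syscall"])
    syscall = SYSCALLS.get(arch, {}).get(nr, f"syscall_{nr}")
    code = int(f["exit"])                      # negative exit is -errno
    err = ERRNO.get(-code, f"errno_{-code}") if code < 0 else ""
    if f.get("success") == "yes" or code >= 0:
        category = "success"
    elif err in ACCESS_DENIED:
        category = "access-denied"
    elif err in TRANSIENT:
        category = "transient"
    else:
        category = "other-failure"
    return {"arch": arch, "syscall": syscall, "errno": err,
            "category": category, "uid": f["uid"], "exe": f.get("exe", "")}

def triage(lines):
    """Keep only records worth a second look: success=no with a non-transient exit code."""
    return [d for d in map(decode, lines) if d["category"] not in ("success", "transient")]
```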
* Re: the meaning of this audit entry
From: Matthew Booth @ 2007-11-19 22:13 UTC
To: linux-audit

Bill,

On Mon, 2007-11-19 at 16:22 -0500, Bill Tangren wrote:
> I'd like to know what this audit log entry means:
>
> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3
> success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618
> auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="X" exe="/usr/X11R6/bin/Xorg"

arch=40000003 syscall=3 is an i386 read() call. -11 is EAGAIN, which is a temporary failure. The event itself is nothing to worry about.

However, the audit rules you give below don't appear to specify read(), so it's not immediately apparent why this would be showing up. The x86_64 syscall=3 is close(), which you also don't specify. Have you got any other rules in there which you haven't listed? Do you start your audit.rules with a '-D'?

> It appears that there is a problem with /usr/X11R6/bin/Xorg, and it is
> issuing a failed syscall. I can tell you that I see this if there is a
> user logged into the console GUI.
>
> The following are the rules that I have that are auditing syscalls:

Although I haven't specifically tested this, I believe that in every case below where you've got -F auid=foo -F auid=bar, the rule will never match. The reason for this is because filters are combined with and, not or.

> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F
> auid=-1 -F auid=0
>
> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
> fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
>
> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
> fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F
> auid=-1 -F auid=0
>
> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F
> auid=-1 -F auid=0

Matt

-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
* Re: the meaning of this audit entry
From: Bill Tangren @ 2007-11-20 15:08 UTC
To: linux-audit

On DATE, the author spaketh: Matthew Booth
> Bill,
>
> On Mon, 2007-11-19 at 16:22 -0500, Bill Tangren wrote:
>> I'd like to know what this audit log entry means:
>>
>> type=SYSCALL msg=audit(1195506796.447:7712726): arch=40000003 syscall=3
>> success=no exit=-11 a0=17 a1=a6c5b80 a2=1000 a3=a6c4d90 items=0 pid=3618
>> auid=825305204 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>> comm="X" exe="/usr/X11R6/bin/Xorg"
>
> arch=40000003 syscall=3 is an i386 read() call. -11 is EAGAIN, which is
> a temporary failure. The event itself is nothing to worry about.

Except that it is putting 500MB into the logs every day.

> However, the audit rules you give below don't appear to specify read(),
> so it's not immediately apparent why this would be showing up. The
> x86_64 syscall=3 is close(), which you also don't specify. Have you got
> any other rules in there which you haven't listed? Do you start your
> audit.rules with a '-D'?

Yes, I start with this.

>> It appears that there is a problem with /usr/X11R6/bin/Xorg, and it is
>> issuing a failed syscall. I can tell you that I see this if there is a
>> user logged into the console GUI.
>>
>> The following are the rules that I have that are auditing syscalls:
>
> Although I haven't specifically tested this, I believe that in every
> case below where you've got -F auid=foo -F auid=bar, the rule will never
> match. The reason for this is because filters are combined with and, not
> or.

Well, I'm just finding that out. Obviously I have to rewrite all my rules, or most of them, anyway. I'd like to blame someone else for the rules, since I was given these and told to use them, but I should know better. Obviously I have a lot to learn. I wish there was a tutorial or something I could read. I've gone over the man page, but I'm not learning enough from it.

I'll start by splitting up the auid= rules, and observe what shows up in the logs. I've tried running the ausearch function, but it can take a really long time to return, even when I tell it to start only ten minutes ago.

>> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=0 -F
>> auid=-1 -F auid=0
>>
>> -a exit,always -S mknod -S acct -S swapon -S sethostname -F success=1
>>
>> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
>> fdatasync -S setdomainname -F success=0 -F auid=-1 -F auid=0
>>
>> -a exit,always -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S
>> fdatasync -S setdomainname -F success=1 -F auid=-1 -F auid=0
>>
>> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=0 -F
>> auid=-1 -F auid=0
>>
>> -a exit,always -S quotactl -S mount -S kill -S chroot -F success=1 -F
>> auid=-1 -F auid=0
>
> Matt

-- 
Bill Tangren
U.S. Naval Observatory
* Re: the meaning of this audit entry
From: Steve Grubb @ 2007-11-21 2:27 UTC
To: linux-audit

On Tuesday 20 November 2007 10:08:08 am Bill Tangren wrote:
> Well, I'm just finding that out. Obviously I have to rewrite all my rules,
> or most of them, anyway. I'd like to blame someone else for the rules,
> since I was given these and told to use them, but I should know better.
> Obviously I have a lot to learn. I wish there was a tutorial or something
> I could read. I've gone over the man page, but I'm not learning enough
> from it.

Take a look at the capp.rules or nispom.rules file in the audit package. Those are real working rules that have been commented. That is where I would start if I were setting up a system.

> I'll start by splitting up the auid= rules, and observe what shows up in
> the logs.

I think your issues are more fundamental than that. I think you have more rules than you shared with us and they are looking for unsuccessful calls and not considering the exit codes. There are plenty of people on this mail list that could help you with your rules if you told us what kinds of things you were needing to audit.

-Steve