From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Exclude /usr/libexec/mysqld from audit.rules
Date: Mon, 09 Dec 2013 09:32:22 -0500
Message-ID: <22012185.RRsLhnfhFh@x2>
In-Reply-To: <CAPZ=o6pj5rPkSS9Fk5YwKJv2Ei_pbmxhZZhCzXknoX6k1gSLxA@mail.gmail.com>

On Friday, December 06, 2013 03:34:27 PM Derek Warner wrote:
> ALCON,
> 
> We have a Centos machine running Centos 6 and it uses mysql. When a
> standard user operates the system, our /var/log/messages gets filled up
> with around 2gb of audit data rather quickly. Here is the audit.
> 
> Dec  6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
> msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
> exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
> pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
> egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
> exe="/usr/libexec/mysqld" key=(null)

People could more easily help if this were interpreted. It yields this:

node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(12/06/2013 
15:22:11.932:3572423) : arch=x86_64 syscall=sched_setparam success=no 
exit=-22(Invalid argument) a0=0x1f46 a1=0x7f5e6357e290 a2=0xd3b6f8 a3=0x1f68 
items=0 ppid=2518 pid=8006 auid=unset uid=avahi gid=avahi euid=avahi 
suid=avahi fsuid=avahi egid=avahi sgid=avahi fsgid=avahi tty=(none) ses=unset 
comm=mysqld key=(null)


> I have tried the following:
> 
> -a exit,never -F path=/usr/libexec/mysqld

This only stops events that supply a path as an argument.

> When using "-F" I noticed in one RHEL forum someone used -F exe=
> 
> However in CENTOS exe is not a recognized field when using -F

True. You can look at the auditctl man page to see what is supported.


> We do not wish to audit this data, can someone please help me exclude the
> audit?

What this is saying is that mysql is calling sched_setparam and getting 
EINVAL. I have to ask why you would want this? You also don't set a key for 
the event which makes later analysis more difficult. You could re-write the rule 
as follows:

-a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL


But this looks vaguely familiar...
http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf

On page 12 I explain what's wrong with mysqld's code.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
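Steve's point about interpreting the raw record, and the two rules discussed above (the `-F path=` attempt and the rewritten `sched_setparam` rule), worked through in code. This is an added example for this thread, not audit-userspace code: it decodes the raw SYSCALL record roughly the way `ausearch -i` does and then evaluates a deliberately small model of auditctl `-F` filter matching against it. Assumptions: the x86_64 syscall table is a hand-copied subset, timestamps are printed in UTC (ausearch prints local time), numeric uids are left as-is because name lookup needs the host's passwd file, and the filter model covers only the `arch`, `syscall`, `exit` and `path` fields.

```python
"""Decode a raw audit SYSCALL record into the form `ausearch -i` prints, then
evaluate two rule filters against it.  Added example for this thread, not
audit-userspace code.  Assumptions: a hand-copied x86_64 syscall subset, UTC
timestamps (ausearch prints local time), no uid-to-name lookup, and a
deliberately small model of the kernel's -F filter matching."""
import errno
import os
import re
from datetime import datetime, timezone

# Constructed sample: the raw record quoted in the thread, joined onto one line.
RAW_RECORD = (
    "node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(1386361331.932:3572423): "
    "arch=c000003e syscall=142 success=no exit=-22 a0=1f46 a1=7f5e6357e290 "
    "a2=d3b6f8 a3=1f68 items=0 ppid=2518 pid=8006 auid=4294967295 uid=496 "
    "gid=492 euid=496 suid=496 fsuid=496 egid=492 sgid=492 fsgid=492 "
    'tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" key=(null)'
)

# AUDIT_ARCH_* constants from <linux/audit.h>, the two seen on x86 hosts.
ARCHES = {0xC000003E: "x86_64", 0x40000003: "i386"}
# Assumption: a small hand-copied slice of the x86_64 syscall table.
SYSCALLS_X86_64 = {142: "sched_setparam", 143: "sched_getparam",
                   144: "sched_setscheduler", 145: "sched_getscheduler"}
UNSET = 4294967295  # (unsigned)-1: auid/ses were never set by pam_loginuid

# key=value tokens; values may be "quoted", (parenthesised) or bare.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Split a raw record into a dict of string fields (quotes stripped)."""
    return {key: val.strip('"') for key, val in TOKEN.findall(line)}


def interpret(fields):
    """Resolve numeric fields to names, as `ausearch -i` does for its output."""
    out = dict(fields)
    stamp, serial = re.match(r"audit\((\d+\.\d+):(\d+)\)", fields["msg"]).groups()
    out["time_utc"] = datetime.fromtimestamp(float(stamp), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    out["serial"] = int(serial)
    out["arch"] = ARCHES.get(int(fields["arch"], 16), fields["arch"])
    nr = int(fields["syscall"])
    out["syscall"] = SYSCALLS_X86_64.get(nr, str(nr)) if out["arch"] == "x86_64" else str(nr)
    rc = int(fields["exit"])
    # Negative exit codes are -errno; ausearch appends the strerror() text.
    out["exit"] = f"{rc}({os.strerror(-rc)})" if rc < 0 else str(rc)
    for k in ("auid", "ses"):
        if int(fields[k]) == UNSET:
            out[k] = "unset"
    for k in ("a0", "a1", "a2", "a3"):
        out[k] = "0x" + fields[k]
    return out


def rule_matches(rec, filters):
    """Simplified model of auditctl -F matching: every filter must hold.
    filters maps field -> (op, value) with op in {"=", "!="}."""
    for field, (op, want) in filters.items():
        if field == "arch":
            have = "b64" if rec["arch"] == "x86_64" else "b32"
        elif field == "exit":
            have = int(rec["exit"].split("(")[0])
        elif field == "path":
            # -F path= is compared against PATH items; a record with items=0
            # carries none, so the filter can never hold for it.
            if int(rec["items"]) == 0:
                return False
            have = rec.get("path")
        else:
            have = rec.get(field)
        if (have == want) != (op == "="):
            return False
    return True


# The original attempt: -a exit,never -F path=/usr/libexec/mysqld
PATH_RULE = {"path": ("=", "/usr/libexec/mysqld")}
# The suggested rewrite: -a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL
STEVES_RULE = {"arch": ("=", "b64"), "syscall": ("=", "sched_setparam"),
               "exit": ("!=", -errno.EINVAL)}

if __name__ == "__main__":
    rec = interpret(parse_record(RAW_RECORD))
    print(" ".join(f"{k}={rec[k]}" for k in ("time_utc", "arch", "syscall", "exit", "auid", "comm")))
    print("path rule matches:", rule_matches(rec, PATH_RULE))       # False: no PATH items
    print("rewritten rule fires:", rule_matches(rec, STEVES_RULE))  # False: exit is -EINVAL
```

Running it shows why the `-F path=` rule never suppressed anything (a `sched_setparam` call produces no PATH item, so `items=0` and the filter has nothing to compare) and that the rewritten rule, which only keeps calls whose result is not `-EINVAL`, would not log this record at all. On a real host, `ausearch -i` also maps `uid=496` to the account name, which this offline decoder deliberately skips.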