* Exclude /usr/libexec/mysqld from audit.rules
@ 2013-12-06 20:34 Derek Warner
2013-12-09 14:32 ` Steve Grubb
0 siblings, 1 reply; 8+ messages in thread
From: Derek Warner @ 2013-12-06 20:34 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 1114 bytes --]
ALCON,
We have a Centos machine running Centos 6 and it uses mysql. When a
standard user operates the system, our /var/log/messages gets filled up
with around 2gb of audit data rather quickly. Here is the audit.
Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
exe="/usr/libexec/mysqld" key=(null)
I have tried the following:
-a exit,never -F path=/usr/libexec/mysqld
When using "-F" I noticed in one RHEL forum someone used -F exe=
However in CENTOS exe is not a recognized field when using -F
We do not wish to audit this data, can someone please help me exclude the
audit?
V/R
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner@riptidesoftware.com
derek.a.warner@us.army.mil
[-- Attachment #1.2: Type: text/html, Size: 1911 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Exclude /usr/libexec/mysqld from audit.rules
2013-12-06 20:34 Exclude /usr/libexec/mysqld from audit.rules Derek Warner
@ 2013-12-09 14:32 ` Steve Grubb
2013-12-09 15:20 ` Derek Warner
2013-12-09 15:34 ` Derek Warner
0 siblings, 2 replies; 8+ messages in thread
From: Steve Grubb @ 2013-12-09 14:32 UTC (permalink / raw)
To: linux-audit
On Friday, December 06, 2013 03:34:27 PM Derek Warner wrote:
> ALCON,
>
> We have a Centos machine running Centos 6 and it uses mysql. When a
> standard user operates the system, our /var/log/messages gets filled up
> with around 2gb of audit data rather quickly. Here is the audit.
>
> Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
> msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
> exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
> pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
> egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
> exe="/usr/libexec/mysqld" key=(null)
People can more easily help if this were interpreted. It yields this:
node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(12/06/2013
15:22:11.932:3572423) : arch=x86_64 syscall=sched_setparam success=no
exit=-22(Invalid argument) a0=0x1f46 a1=0x7f5e6357e290 a2=0xd3b6f8 a3=0x1f68
items=0 ppid=2518 pid=8006 auid=unset uid=avahi gid=avahi euid=avahi
suid=avahi fsuid=avahi egid=avahi sgid=avahi fsgid=avahi tty=(none) ses=unset
comm=mysqld key=(null)
> I have tried the following:
>
> -a exit,never -F path=/usr/libexec/mysqld
This only stops events that supply a path as an argument.
> When using "-F" I noticed in one RHEL forum someone used -F exe=
>
> However in CENTOS exe is not a recognized field when using -F
True. You can look at the auditctl man page to see what is supported.
> We do not wish to audit this data, can someone please help me exclude the
> audit?
What this is saying is that mysql is calling sched_setparam and getting
EINVAL. I have to ask why you would want this? You also don't set a key for
the event which makes later analysis more difficult. You could re-write the rule
as follows:
-a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL
But this looks vaguely familiar...
http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
On page 12 I explain what's wrong with mysqld's code.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Exclude /usr/libexec/mysqld from audit.rules
2013-12-09 14:32 ` Steve Grubb
@ 2013-12-09 15:20 ` Derek Warner
2013-12-09 15:34 ` Steve Grubb
2013-12-09 15:34 ` Derek Warner
1 sibling, 1 reply; 8+ messages in thread
From: Derek Warner @ 2013-12-09 15:20 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 3375 bytes --]
Steve,
This machine is on Marine Corp network and is undergoing DISA RHEL 5 STIG.
We have a software package called CAARS which is simply an "After Action
Review" suite of software. The CAARS grabs events from the simulation,
audio, and a host of other items to enable the soldier to quickly put
together an after action review with his troops to review the just
completed training scenario.
CAARS has a mysql database. Post STIG I received a bug notice from OnTIME
which said the /var/log/messages file is filling up fast. After a qiuck
review, I noticed the log entry posted in this email chain.
How did you "interpret" the log setting to retreive the syscall
"sched_setparam"?
Anyhow I am not sure why we want this, I have no idea what the
sched_setparam actually does. Did you do a lookup on the mysql syscall
number?
Again, I always appreciate your assistance.
V/R
Derek
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner@riptidesoftware.com
derek.a.warner@us.army.mil
On Mon, Dec 9, 2013 at 9:32 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Friday, December 06, 2013 03:34:27 PM Derek Warner wrote:
> > ALCON,
> >
> > We have a Centos machine running Centos 6 and it uses mysql. When a
> > standard user operates the system, our /var/log/messages gets filled up
> > with around 2gb of audit data rather quickly. Here is the audit.
> >
> > Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
> > msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
> > exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
> > pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
> > egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
> > exe="/usr/libexec/mysqld" key=(null)
>
> People can more easily help if this were interpreted. It yields this:
>
> node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(12/06/2013
> 15:22:11.932:3572423) : arch=x86_64 syscall=sched_setparam success=no
> exit=-22(Invalid argument) a0=0x1f46 a1=0x7f5e6357e290 a2=0xd3b6f8
> a3=0x1f68
> items=0 ppid=2518 pid=8006 auid=unset uid=avahi gid=avahi euid=avahi
> suid=avahi fsuid=avahi egid=avahi sgid=avahi fsgid=avahi tty=(none)
> ses=unset
> comm=mysqld key=(null)
>
>
> > I have tried the following:
> >
> > -a exit,never -F path=/usr/libexec/mysqld
>
> This only stops events that supply a path as an argument.
>
>
> > When using "-F" I noticed in one RHEL forum someone used -F exe=
> >
> > However in CENTOS exe is not a recognized field when using -F
>
> True. You can look at the auditctl man page to see what is supported.
>
>
> > We do not wish to audit this data, can someone please help me exclude the
> > audit?
>
> What this is saying is that mysql is calling sched_setparam and getting
> EINVAL. I have to ask why you would want this? You also don't set a key for
> the event which makes later analysis more difficult. You could re-write
> the rule
> as follows:
>
> -a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL
>
>
> But this looks vaguely familiar...
> http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
>
> On page 12 I explain what's wrong with mysqld's code.
>
> -Steve
>
[-- Attachment #1.2: Type: text/html, Size: 5554 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Exclude /usr/libexec/mysqld from audit.rules
2013-12-09 15:20 ` Derek Warner
@ 2013-12-09 15:34 ` Steve Grubb
2013-12-09 15:59 ` Derek Warner
0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2013-12-09 15:34 UTC (permalink / raw)
To: Derek Warner; +Cc: linux-audit
On Monday, December 09, 2013 10:20:41 AM Derek Warner wrote:
> How did you "interpret" the log setting to retreive the syscall
> "sched_setparam"?
I copied the text and ran it through ausearch with the '-i' commandline
option.
> Anyhow I am not sure why we want this, I have no idea what the
> sched_setparam actually does.
It changes the priority of the process. Which is not exactly security
critical. For concerns in this area, one would generally set rlimits to
prevent a resource hog. Additionally, if you really, really wanted to see
this, you'd only want the ones that succeed or fail due to EPERM.
>Did you do a lookup on the mysql syscall number?
No, I used the audit tools to check it.
-Steve
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Exclude /usr/libexec/mysqld from audit.rules
2013-12-09 15:34 ` Steve Grubb
@ 2013-12-09 15:59 ` Derek Warner
0 siblings, 0 replies; 8+ messages in thread
From: Derek Warner @ 2013-12-09 15:59 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 1229 bytes --]
Steve,
Thanks again, I am really trying to get my linux skills sharpened as I have
been unfortunately raised in the windows world. It does pay the bills
though.
V/R
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner@riptidesoftware.com
derek.a.warner@us.army.mil
On Mon, Dec 9, 2013 at 10:34 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Monday, December 09, 2013 10:20:41 AM Derek Warner wrote:
> > How did you "interpret" the log setting to retreive the syscall
> > "sched_setparam"?
>
> I copied the text and ran it through ausearch with the '-i' commandline
> option.
>
>
> > Anyhow I am not sure why we want this, I have no idea what the
> > sched_setparam actually does.
>
> It changes the priority of the process. Which is not exactly security
> critical. For concerns in this area, one would generally set rlimits to
> prevent a resource hog. Additionally, if you really, really wanted to see
> this, you'd only want the ones that succeed or fail due to EPERM.
>
>
> >Did you do a lookup on the mysql syscall number?
>
> No, I used the audit tools to check it.
>
> -Steve
>
>
[-- Attachment #1.2: Type: text/html, Size: 2459 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Exclude /usr/libexec/mysqld from audit.rules
2013-12-09 14:32 ` Steve Grubb
2013-12-09 15:20 ` Derek Warner
@ 2013-12-09 15:34 ` Derek Warner
2013-12-09 16:22 ` Steve Grubb
1 sibling, 1 reply; 8+ messages in thread
From: Derek Warner @ 2013-12-09 15:34 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 2623 bytes --]
I get it. Is this something that is identified for a fix in RHEL? Since
RHEL ports the mysql would it be mysql that provides the fix or RHEL?
V/R
Derek
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner@riptidesoftware.com
derek.a.warner@us.army.mil
On Mon, Dec 9, 2013 at 9:32 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Friday, December 06, 2013 03:34:27 PM Derek Warner wrote:
> > ALCON,
> >
> > We have a Centos machine running Centos 6 and it uses mysql. When a
> > standard user operates the system, our /var/log/messages gets filled up
> > with around 2gb of audit data rather quickly. Here is the audit.
> >
> > Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
> > msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
> > exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
> > pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
> > egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
> > exe="/usr/libexec/mysqld" key=(null)
>
> People can more easily help if this were interpreted. It yields this:
>
> node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(12/06/2013
> 15:22:11.932:3572423) : arch=x86_64 syscall=sched_setparam success=no
> exit=-22(Invalid argument) a0=0x1f46 a1=0x7f5e6357e290 a2=0xd3b6f8
> a3=0x1f68
> items=0 ppid=2518 pid=8006 auid=unset uid=avahi gid=avahi euid=avahi
> suid=avahi fsuid=avahi egid=avahi sgid=avahi fsgid=avahi tty=(none)
> ses=unset
> comm=mysqld key=(null)
>
>
> > I have tried the following:
> >
> > -a exit,never -F path=/usr/libexec/mysqld
>
> This only stops events that supply a path as an argument.
>
>
> > When using "-F" I noticed in one RHEL forum someone used -F exe=
> >
> > However in CENTOS exe is not a recognized field when using -F
>
> True. You can look at the auditctl man page to see what is supported.
>
>
> > We do not wish to audit this data, can someone please help me exclude the
> > audit?
>
> What this is saying is that mysql is calling sched_setparam and getting
> EINVAL. I have to ask why you would want this? You also don't set a key for
> the event which makes later analysis more difficult. You could re-write
> the rule
> as follows:
>
> -a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL
>
>
> But this looks vaguely familiar...
> http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
>
> On page 12 I explain what's wrong with mysqld's code.
>
> -Steve
>
[-- Attachment #1.2: Type: text/html, Size: 4058 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Exclude /usr/libexec/mysqld from audit.rules
2013-12-09 15:34 ` Derek Warner
@ 2013-12-09 16:22 ` Steve Grubb
2013-12-10 17:54 ` Derek Warner
0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2013-12-09 16:22 UTC (permalink / raw)
To: Derek Warner; +Cc: linux-audit
On Monday, December 09, 2013 10:34:49 AM Derek Warner wrote:
> Is this something that is identified for a fix in RHEL?
No. I did report it and it was worked on Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=477624
> Since RHEL ports the mysql would it be mysql that provides the fix or RHEL?
No one has complained. In my opinion, the audit rules you have are broken.
Mysql was "doing it wrong" also. But I believe it was fixed upstream in later
releases.
-Steve
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Exclude /usr/libexec/mysqld from audit.rules
2013-12-09 16:22 ` Steve Grubb
@ 2013-12-10 17:54 ` Derek Warner
0 siblings, 0 replies; 8+ messages in thread
From: Derek Warner @ 2013-12-10 17:54 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 869 bytes --]
Steve,
Thank you very much. I have corrected my audit.rules.
:)
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner@riptidesoftware.com
derek.a.warner@us.army.mil
On Mon, Dec 9, 2013 at 11:22 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Monday, December 09, 2013 10:34:49 AM Derek Warner wrote:
> > Is this something that is identified for a fix in RHEL?
>
> No. I did report it and it was worked on Fedora:
> https://bugzilla.redhat.com/show_bug.cgi?id=477624
>
> > Since RHEL ports the mysql would it be mysql that provides the fix or
> RHEL?
>
> No one has complained. In my opinion, the audit rules you have are broken.
> Mysql was "doing it wrong" also. But I believe it was fixed upstream in
> later
> releases.
>
> -Steve
>
>
[-- Attachment #1.2: Type: text/html, Size: 2121 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2013-12-10 17:54 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-12-06 20:34 Exclude /usr/libexec/mysqld from audit.rules Derek Warner
2013-12-09 14:32 ` Steve Grubb
2013-12-09 15:20 ` Derek Warner
2013-12-09 15:34 ` Steve Grubb
2013-12-09 15:59 ` Derek Warner
2013-12-09 15:34 ` Derek Warner
2013-12-09 16:22 ` Steve Grubb
2013-12-10 17:54 ` Derek Warner
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox