* Exclude /usr/libexec/mysqld from audit.rules
From: Derek Warner @ 2013-12-06 20:34 UTC (permalink / raw)
To: linux-audit
ALCON,
We have a Centos machine running Centos 6 and it uses mysql. When a
standard user operates the system, our /var/log/messages gets filled up
with around 2gb of audit data rather quickly. Here is the audit.
Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
exe="/usr/libexec/mysqld" key=(null)
I have tried the following:
-a exit,never -F path=/usr/libexec/mysqld
When using "-F" I noticed in one RHEL forum someone used -F exe=
However in CENTOS exe is not a recognized field when using -F
We do not wish to audit this data, can someone please help me exclude the
audit?
V/R
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner@riptidesoftware.com
derek.a.warner@us.army.mil
* Re: Exclude /usr/libexec/mysqld from audit.rules
From: Steve Grubb @ 2013-12-09 14:32 UTC (permalink / raw)
To: linux-audit
On Friday, December 06, 2013 03:34:27 PM Derek Warner wrote:
> ALCON,
>
> We have a Centos machine running Centos 6 and it uses mysql. When a
> standard user operates the system, our /var/log/messages gets filled up
> with around 2gb of audit data rather quickly. Here is the audit.
>
> Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
> msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
> exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
> pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
> egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
> exe="/usr/libexec/mysqld" key=(null)
People can more easily help if this were interpreted. It yields this:
node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(12/06/2013
15:22:11.932:3572423) : arch=x86_64 syscall=sched_setparam success=no
exit=-22(Invalid argument) a0=0x1f46 a1=0x7f5e6357e290 a2=0xd3b6f8 a3=0x1f68
items=0 ppid=2518 pid=8006 auid=unset uid=avahi gid=avahi euid=avahi
suid=avahi fsuid=avahi egid=avahi sgid=avahi fsgid=avahi tty=(none) ses=unset
comm=mysqld key=(null)
> I have tried the following:
>
> -a exit,never -F path=/usr/libexec/mysqld
This only stops events that supply a path as an argument.
> When using "-F" I noticed in one RHEL forum someone used -F exe=
>
> However in CENTOS exe is not a recognized field when using -F
True. You can look at the auditctl man page to see what is supported.
> We do not wish to audit this data, can someone please help me exclude the
> audit?
What this is saying is that mysql is calling sched_setparam and getting
EINVAL. I have to ask why you would want this? You also don't set a key for
the event which makes later analysis more difficult. You could re-write the rule
as follows:
-a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL
But this looks vaguely familiar...
http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
On page 12 I explain what's wrong with mysqld's code.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: Exclude /usr/libexec/mysqld from audit.rules
From: Derek Warner @ 2013-12-09 15:20 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Steve,
This machine is on a Marine Corps network and is undergoing DISA RHEL 5 STIG.
We have a software package called CAARS which is simply an "After Action
Review" suite of software. The CAARS grabs events from the simulation,
audio, and a host of other items to enable the soldier to quickly put
together an after action review with his troops to review the just
completed training scenario.
CAARS has a mysql database. Post STIG I received a bug notice from OnTIME
which said the /var/log/messages file is filling up fast. After a quick
review, I noticed the log entry posted in this email chain.
How did you "interpret" the log setting to retrieve the syscall
"sched_setparam"?
Anyhow I am not sure why we want this, I have no idea what the
sched_setparam actually does. Did you do a lookup on the mysql syscall
number?
Again, I always appreciate your assistance.
V/R
Derek
* Re: Exclude /usr/libexec/mysqld from audit.rules
From: Steve Grubb @ 2013-12-09 15:34 UTC (permalink / raw)
To: Derek Warner; +Cc: linux-audit
On Monday, December 09, 2013 10:20:41 AM Derek Warner wrote:
> How did you "interpret" the log setting to retrieve the syscall
> "sched_setparam"?
I copied the text and ran it through ausearch with the '-i' commandline
option.
> Anyhow I am not sure why we want this, I have no idea what the
> sched_setparam actually does.
It changes the priority of the process. Which is not exactly security
critical. For concerns in this area, one would generally set rlimits to
prevent a resource hog. Additionally, if you really, really wanted to see
this, you'd only want the ones that succeed or fail due to EPERM.
> Did you do a lookup on the mysql syscall number?
No, I used the audit tools to check it.
-Steve
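As an added illustration of the two points Steve makes above (the raw record interpreted the way `ausearch -i` renders it, and why the rewritten rule with `-F exit!=-EINVAL` drops this event while `-F path=` never could), here is a small Python script that is not part of the thread. It embeds the SYSCALL record from the original mail as constructed sample input; the syscall and arch tables are deliberately tiny and the username lookup is left out, since the real tool consults full per-arch tables and the passwd database.

```python
import errno
import re

# Constructed sample: the raw SYSCALL record quoted in the thread (header fields only).
RAW_EVENT = (
    'type=SYSCALL msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 '
    'success=no exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 '
    'ppid=2518 pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 '
    'fsuid=496 egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 '
    'comm="mysqld" exe="/usr/libexec/mysqld" key=(null)'
)

# Minimal tables (assumption): ausearch -i uses the full per-arch syscall tables.
X86_64_SYSCALLS = {142: "sched_setparam", 143: "sched_getparam", 144: "sched_setscheduler"}
ARCHES = {"c000003e": "x86_64", "40000003": "i386"}
UNSET = 4294967295  # (u32)-1: the kernel's value for "no loginuid / no session"


def parse_record(line):
    """Split a raw audit record into a dict of field -> string value."""
    fields = {}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = val.strip('"')
    return fields


def interpret(fields):
    """Render arch, syscall, exit, auid and ses the way ausearch -i prints them."""
    out = dict(fields)
    out["arch"] = ARCHES.get(fields["arch"], fields["arch"])
    out["syscall"] = X86_64_SYSCALLS.get(int(fields["syscall"]), fields["syscall"])
    code = int(fields["exit"])
    if code < 0:  # negative exit is -errno; map it to its symbolic name
        out["exit"] = f"{code}({errno.errorcode.get(-code, 'unknown')})"
    for f in ("auid", "ses"):
        if int(fields[f]) == UNSET:
            out[f] = "unset"
    return out


def matches_rewritten_rule(fields):
    """-a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL"""
    return (ARCHES.get(fields["arch"]) == "x86_64"
            and X86_64_SYSCALLS.get(int(fields["syscall"])) == "sched_setparam"
            and int(fields["exit"]) != -errno.EINVAL)


def path_rule_could_match(fields):
    """-F path=... can only match an event that carries PATH records (items > 0)."""
    return int(fields["items"]) > 0
```

For the record above, `interpret()` yields `syscall=sched_setparam` and `exit=-22(EINVAL)`, `matches_rewritten_rule()` is false because the exit is exactly -EINVAL, and `path_rule_could_match()` is false because `items=0`.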
* Re: Exclude /usr/libexec/mysqld from audit.rules
From: Derek Warner @ 2013-12-09 15:34 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
I get it. Is this something that is identified for a fix in RHEL? Since
RHEL ports the mysql would it be mysql that provides the fix or RHEL?
V/R
Derek
* Re: Exclude /usr/libexec/mysqld from audit.rules
From: Derek Warner @ 2013-12-09 15:59 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Steve,
Thanks again, I am really trying to get my linux skills sharpened as I have
been unfortunately raised in the windows world. It does pay the bills
though.
V/R
Derek Warner – CISSP-ISSEP
* Re: Exclude /usr/libexec/mysqld from audit.rules
From: Steve Grubb @ 2013-12-09 16:22 UTC (permalink / raw)
To: Derek Warner; +Cc: linux-audit
On Monday, December 09, 2013 10:34:49 AM Derek Warner wrote:
> Is this something that is identified for a fix in RHEL?
No. I did report it and it was worked on Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=477624
> Since RHEL ports the mysql would it be mysql that provides the fix or RHEL?
No one has complained. In my opinion, the audit rules you have are broken.
Mysql was "doing it wrong" also. But I believe it was fixed upstream in later
releases.
-Steve
* Re: Exclude /usr/libexec/mysqld from audit.rules
From: Derek Warner @ 2013-12-10 17:54 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Steve,
Thank you very much. I have corrected my audit.rules.
:)
Derek Warner – CISSP-ISSEP