Old 04-09-2008, 03:39 PM
Steve Campbell
 
Default aide questions, please

I'm trying out aide since tripwire doesn't seem to be in the 5. releases
anymore. I do not have Selinux on the server (not at installation), and I
just yum installed the aide rpms, so I should have the latest.


When I run my aide --init, I get all of these lines for all the files:

lgetfilecon_raw failed for /usr/share/X11/app-defaults/XLogo:No data available


I then copy the 'new' db file to the regular db file and run aide
--check, and it seems I get the above lines all over again. It's as
though the db files aren't being read. I noticed in the preceding
release of aide that problems existed and were related to Selinux and
the inability to read gz files. Am I doing something obviously wrong? Do
I need to do an --update or is this just when I get reports that
something has changed after the --init?


Thanks for any help and replies.

Steve Campbell

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 04-09-2008, 03:49 PM
"Jim Perrin"
 
Default aide questions, please

On Wed, Apr 9, 2008 at 11:39 AM, Steve Campbell <campbell@cnpapers.com> wrote:
> I'm trying out aide since tripwire doesn't seem to be in the 5. releases
> anymore. I do not have Selinux on the server (not at installation), and I
> just yum installed the aide rpms, so I should have the latest.
>
> When I run my aide --init, I get all of these lines for all the files:

There's an aide how-to for centos5 here ->
http://www.bofh-hunter.com/2007/12/04/centos-5-and-aide/

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
 
Old 04-09-2008, 04:03 PM
Steve Campbell
 
Default aide questions, please

Jim Perrin wrote:

> On Wed, Apr 9, 2008 at 11:39 AM, Steve Campbell <campbell@cnpapers.com> wrote:
>> I'm trying out aide since tripwire doesn't seem to be in the 5. releases
>> anymore. I do not have Selinux on the server (not at installation), and I
>> just yum installed the aide rpms, so I should have the latest.
>>
>> When I run my aide --init, I get all of these lines for all the files:
>
> There's an aide how-to for centos5 here ->
> http://www.bofh-hunter.com/2007/12/04/centos-5-and-aide/


Thanks Jim,

Believe it or not, that's what I started out with.

After running the entire --init/--check scenario again, I see in the log
files and the output, that all files get this message, and a normal
output of what should be there showing changed and unchanged files
appear at the bottom of the log. So what is this "lgetfilecon_raw failed
for" showing up for each file saying to me? Is it a verbosity setting,
or something like that?


Thanks

steve

 
Old 04-09-2008, 04:12 PM
"Jim Perrin"
 
Default aide questions, please

On Wed, Apr 9, 2008 at 12:03 PM, Steve Campbell <campbell@cnpapers.com> wrote:
> Thanks Jim,
>
> Believe it or not, that's what I started out with.
>
> After running the entire --init/--check scenario again, I see in the log
> files and the output, that all files get this message, and a normal output
> of what should be there showing changed and unchanged files appear at the
> bottom of the log. So what is this "lgetfilecon_raw failed for" showing up
> for each file saying to me? Is it a verbosity setting, or something like
> that?

Mostly it's telling you that it can't get all the information about
the files it's checking. Are you doing this as root? Are you certain
that selinux is off? Have you modified any of the mount parameters
with noexec or anything else?


--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
 
Old 04-09-2008, 04:31 PM
Steve Campbell
 
Default aide questions, please

Jim Perrin wrote:

> On Wed, Apr 9, 2008 at 12:03 PM, Steve Campbell <campbell@cnpapers.com> wrote:
>> Thanks Jim,
>>
>> Believe it or not, that's what I started out with.
>>
>> After running the entire --init/--check scenario again, I see in the log
>> files and the output, that all files get this message, and a normal output
>> of what should be there showing changed and unchanged files appear at the
>> bottom of the log. So what is this "lgetfilecon_raw failed for" showing up
>> for each file saying to me? Is it a verbosity setting, or something like
>> that?
>
> Mostly it's telling you that it can't get all the information about
> the files it's checking. Are you doing this as root? Are you certain
> that selinux is off? Have you modified any of the mount parameters
> with noexec or anything else?


Jim,

Here's my mount list:

/dev/sda8 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda7 on /home type ext3 (rw)
/dev/sda9 on /opt type ext3 (rw)
/dev/sda5 on /tmp type ext3 (rw)
/dev/sda3 on /usr type ext3 (rw)
/dev/sdb1 on /usr/local type ext3 (rw)
/dev/sda2 on /var type ext3 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)

I have one smb mounted for full system backups. This box is pretty
vanilla, as we run Thunderstone search engine on it. I believe that is
the only mods to the box after install, and I don't think it changed
anything else.


The aide --v looks like:

Aide 0.13.1

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_LSTAT64
WITH_READDIR64
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

I ran the --init/--check with the default config originally, get the
same output. I then tried "-selinux" on the options that included
"+selinux" just for the hell of it. I don't know if that's ok or not.
--check-config doesn't burp on it though.


My /etc/selinux/config file has SELINUX=disabled in it and always has.

At a loss, but thanks loads for the help and time.

steve



 
Old 04-09-2008, 05:21 PM
"Jim Perrin"
 
Default aide questions, please

On 4/9/08, Steve Campbell <campbell@cnpapers.com> wrote:

> I ran the --init/--check with the default config originally, get the same
> output. I then tried "-selinux" on the options that included "+selinux" just
> for the hell of it. I don't know if that's ok or not. --check-config doesn't
> burp on it though.

I don't think this is selinux failing so much as a normal grabbing of
file info. Does it do this for all files, or just for the samba
shares?


--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
 
Old 04-09-2008, 05:49 PM
Steve Campbell
 
Default aide questions, please

Jim Perrin wrote:

> On 4/9/08, Steve Campbell <campbell@cnpapers.com> wrote:
>> I ran the --init/--check with the default config originally, get the same
>> output. I then tried "-selinux" on the options that included "+selinux" just
>> for the hell of it. I don't know if that's ok or not. --check-config doesn't
>> burp on it though.
>
> I don't think this is selinux failing so much as a normal grabbing of
> file info. Does it do this for all files, or just for the samba
> shares?

It doesn't check the samba shares at all, if I'm not mistaken. These are
all normal, locally mounted drives on the normal mount points (/, /usr,
/home, /var and so forth).


steve

 
Old 04-09-2008, 07:08 PM
Marc Wiatrowski
 
Default aide questions, please

I think those errors are because selinux is off.



On Wed, 2008-04-09 at 12:12 -0400, Jim Perrin wrote:


On Wed, Apr 9, 2008 at 12:03 PM, Steve Campbell <campbell@cnpapers.com> wrote:
> Thanks Jim,
>
> Believe it or not, that's what I started out with.
>
> After running the entire --init/--check scenario again, I see in the log
> files and the output, that all files get this message, and a normal output
> of what should be there showing changed and unchanged files appear at the
> bottom of the log. So what is this "lgetfilecon_raw failed for" showing up
> for each file saying to me? Is it a verbosity setting, or something like
> that?

Mostly it's telling you that it can't get all the information about
the files it's checking. Are you doing this as root? Are you certain
that selinux is off? Have you modified any of the mount parameters
with noexec or anything else?






 
Old 04-09-2008, 07:19 PM
"Jim Perrin"
 
Default aide questions, please

On Wed, Apr 9, 2008 at 3:08 PM, Marc Wiatrowski <mwia@iglass.net> wrote:
>
> I think those errors are because selinux is off.

Hmm, I don't ever really turn selinux off, but I had always thought
aide treated it as optional.

Could test by setting it to permissive and trying again. This would be
interesting to test.

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
 
Old 04-09-2008, 07:44 PM
Steve Campbell
 
Default aide questions, please

Jim Perrin wrote:

> On Wed, Apr 9, 2008 at 3:08 PM, Marc Wiatrowski <mwia@iglass.net> wrote:
>> I think those errors are because selinux is off.
>
> Hmm, I don't ever really turn selinux off, but I had always thought
> aide treated it as optional.
>
> Could test by setting it to permissive and trying again. This would be
> interesting to test.


I'm not sure if a reboot is required or not. I set permissive in the
config file and echoed 1 into /selinux/enforce and then tried firstly
the --check, and then an --init. Both still show the faulty lines.


I will set it up properly and do a reboot tomorrow to see if it changes
things, but for now, it doesn't.


steve

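The diagnosis the thread arrives at, as an added shell example that is neither from the list nor from AIDE itself: "No data available" is strerror(ENODATA), which is what libselinux's lgetfilecon_raw returns when a file carries no security.selinux extended attribute, so on a box installed and run with SELinux disabled every file triggers the warning while the database itself is fine. The script filters that noise out of a constructed sample report so the real added/changed entries stay visible, and reads the SELinux mode from the kernel interface instead of trusting /etc/selinux/config; the sample log, its paths and the function names are constructed for this example, not taken from Steve's system.

```shell
#!/bin/sh
# Constructed sample of an 'aide --check' run on an unlabelled box: per-file
# lgetfilecon_raw warnings (no security.selinux xattr, errno ENODATA) are
# interleaved with the real report. Not captured from the thread's machine.
AIDE_LOG="$(mktemp)"
trap 'rm -f "$AIDE_LOG"' EXIT
cat > "$AIDE_LOG" <<'EOF'
lgetfilecon_raw failed for /usr/share/X11/app-defaults/XLogo:No data available
lgetfilecon_raw failed for /usr/bin/passwd:No data available
lgetfilecon_raw failed for /etc/passwd:No data available
AIDE found differences between database and filesystem!!
Summary:
  Total number of files:        3
  Added files:                  1
  Removed files:                0
  Changed files:                1
added: /usr/local/bin/suspicious
changed: /etc/passwd
EOF

# Count the label-lookup warnings so the noise level is known and can be
# compared between runs (a sudden drop or rise is itself worth a look).
count_label_warnings() {
    grep -c '^lgetfilecon_raw failed for .*:No data available$' "$1"
}

# Print only the added/removed/changed entries: the integrity findings that
# the warnings bury when every file emits one.
integrity_findings() {
    grep -E '^(added|removed|changed): ' "$1"
}

# Report the SELinux mode without needing sestatus. The old /selinux and the
# newer /sys/fs/selinux mount points are both tried; if neither is mounted,
# SELinux is disabled and files never received labels (hence ENODATA).
selinux_mode() {
    for f in /sys/fs/selinux/enforce /selinux/enforce; do
        if [ -r "$f" ]; then
            case "$(cat "$f" 2>/dev/null)" in
                1) echo enforcing ;;
                *) echo permissive ;;
            esac
            return 0
        fi
    done
    echo disabled
}
echo "SELinux: $(selinux_mode); label warnings: $(count_label_warnings "$AIDE_LOG")"
integrity_findings "$AIDE_LOG"
```

On a real run, point `count_label_warnings` and `integrity_findings` at the saved output of `aide --check` instead of the constructed sample; if the SELinux mode is disabled and the warning count equals the total file count, the warnings carry no integrity information.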
 
