Old 12-08-2009, 02:04 PM
"Zaina AFOULKI"
 
Sample logs of alert types

Hello,

We are trying to develop a graphical interface for SELinux alerts...
We noticed that each log for a specific alert is different from the one of
other types. For example:

type=AVC msg=audit(12/03/2007 12:44:48.301:140) : avc: denied { getattr
} for pid=2816 comm=vi path=/root/xorg.conf.new dev=sda1 ino=131104
scontext=staff_u:staff_r:staff_sudo_t:s0
tcontext=root:object_r:sysadm_home_t:s0 tclass=file


type=SYSCALL msg=audit(12/03/2007 12:44:48.325:141) : arch=i386
syscall=access success=yes exit=0 a0=88caaa8 a1=2 a2=1a4 a3=1 items=0
ppid=2784 pid=2816 auid=gmarzot uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=vi exe=/bin/vi
subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)

Currently we know what the log looks like for the following types:
DAEMON_START ANOM_ABEND AVC CONFIG_CHANGE CRED_ACQ CRED_DISP DAEMON_END
LOGIN MAC_STATUS SELINUX_ERR SYSCALL SYSTEM_RUNLEVEL SYSTEM_SHUTDOWN
USER_ACCT USER_AUTH USER_AVC USER_CHAUTHTOK USER_CMD USER_END USER_ERR
USER_LOGIN USER_ROLE_CHANGE USER_START

We really need to know the look of each alert in the log file.
Is there a way we can get a sample of each log type?
Your help will be greatly appreciated.

Thanks in advance,


--
Zaina AFOULKI
Student at the Ecole Nationale Supérieure d'Ingénieurs de Bourges.
First year, Information Security and Technology

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-08-2009, 02:32 PM
John Dennis
 
Sample logs of alert types

On 12/08/2009 10:04 AM, Zaina AFOULKI wrote:

No, there is no such library of every possible AVC message. The problem
is further compounded by the following issues:

* it depends on the kernel version

* messages are not emitted atomically or sequentially by the audit
system; by this I mean all the information concerning a given AVC
arrives as a collection of audit messages which must be reassembled by
matching the audit ID associated with each message; that constitutes an
"event" as opposed to individual messages.

* parsing of the audit messages should be done with auparse as there are
some odd behaviors with certain fields which auparse compensates for, in
particular string values. The last time I checked, which was over a year
ago, auparse did not assemble non-sequential messages into events.

setroubleshoot has addressed many of these issues and provides a GUI;
are you aware of that?


--
John Dennis <jdennis@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

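The reassembly John describes, matching records by the serial inside msg=audit(timestamp:serial), as an added Python illustration that is not from the thread and not auparse. It uses the two records quoted in the post plus constructed records, and a simple key=value split that does not handle the quoted-string quirks John says auparse compensates for:

```python
import re

# Constructed sample stream: the two records quoted in the post (serials 140, 141)
# plus three constructed records; the AVC and SYSCALL for serial 142 are split
# by an unrelated record to show that an event's records need not be contiguous.
SAMPLE = """\
type=AVC msg=audit(12/03/2007 12:44:48.301:140) : avc: denied { getattr } for pid=2816 comm=vi path=/root/xorg.conf.new dev=sda1 ino=131104 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=SYSCALL msg=audit(12/03/2007 12:44:48.325:141) : arch=i386 syscall=access success=yes exit=0 a0=88caaa8 a1=2 a2=1a4 a3=1 items=0 ppid=2784 pid=2816 auid=gmarzot uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=vi exe=/bin/vi subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
type=AVC msg=audit(12/03/2007 12:44:49.010:142) : avc: denied { read write } for pid=2816 comm=vi path=/root/xorg.conf.new dev=sda1 ino=131104 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=SYSCALL msg=audit(12/03/2007 12:44:49.012:143) : arch=i386 syscall=getpid success=yes exit=2816 items=0 pid=2900 comm=bash exe=/bin/bash subj=staff_u:staff_r:staff_t:s0 key=(null)
type=SYSCALL msg=audit(12/03/2007 12:44:49.010:142) : arch=i386 syscall=open success=no exit=-13 items=0 pid=2816 comm=vi exe=/bin/vi subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
"""
HEADER = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\)\s*:\s*(.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")
PERMS = re.compile(r"avc:\s+(\w+)\s+\{\s*([^}]*?)\s*\}")

def parse_record(line):
    """Split one interpreted audit record into (type, timestamp, serial, fields)."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = dict(FIELD.findall(body))
    p = PERMS.search(body)
    if p:  # AVC-specific: the verdict and the permission set inside { }
        fields["verdict"], fields["perms"] = p.group(1), p.group(2).split()
    return rtype, ts, int(serial), fields

def assemble_events(text):
    """Group records by serial: every record sharing a serial belongs to one event."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line.strip())
        if rec is not None:
            rtype, ts, serial, fields = rec
            ev = events.setdefault(serial, {"time": ts, "records": {}})
            ev["records"].setdefault(rtype, []).append(fields)
    return events

def denials(events):
    """Summarise each event with an AVC denial, joining SYSCALL context when present."""
    out = []
    for serial, ev in events.items():
        sc = (ev["records"].get("SYSCALL") or [{}])[0]
        for avc in ev["records"].get("AVC", []):
            if avc.get("verdict") == "denied":
                out.append({"serial": serial, "perms": avc["perms"], "tclass": avc.get("tclass"),
                            "scontext": avc.get("scontext"), "tcontext": avc.get("tcontext"),
                            "syscall": sc.get("syscall"), "exe": sc.get("exe")})
    return out
```

Serial 141 carries only a SYSCALL and serial 143 no AVC at all, so neither appears in the denial summary; serial 142 is reported once with its SYSCALL context even though its two records arrived apart.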