Re: Sample logs of alert types

On 12/08/2009 10:04 AM, Zaina AFOULKI wrote:
> Hello,
>
> We are trying to develop a graphical interface for SELinux alerts...
> We noticed that each log for a specific alert is different from those of
> other types. For example:
>
> type=AVC msg=audit(12/03/2007 12:44:48.301:140) : avc:  denied  { getattr } for  pid=2816 comm=vi path=/root/xorg.conf.new dev=sda1 ino=131104 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
>
> type=SYSCALL msg=audit(12/03/2007 12:44:48.325:141) : arch=i386 syscall=access success=yes exit=0 a0=88caaa8 a1=2 a2=1a4 a3=1 items=0 ppid=2784 pid=2816 auid=gmarzot uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=vi exe=/bin/vi subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
>
> Currently we know what the log looks like for the following types:
> DAEMON_START ANOM_ABEND AVC CONFIG_CHANGE CRED_ACQ CRED_DISP DAEMON_END
> LOGIN MAC_STATUS SELINUX_ERR SYSCALL SYSTEM_RUNLEVEL SYSTEM_SHUTDOWN
> USER_ACCT USER_AUTH USER_AVC USER_CHAUTHTOK USER_CMD USER_END USER_ERR
> USER_LOGIN USER_ROLE_CHANGE USER_START
>
> We really need to know the look of each alert in the log file.
> Is there a way we can get a sample of each log type?
> Your help will be greatly appreciated.
>
> Thanks in advance,

No, there is no such library of every possible AVC message. The problem is further compounded by the following issues:

* it depends on the kernel version

* messages are not emitted atomically or sequentially by the audit system. By this I mean that all the information concerning a given AVC arrives as a collection of audit messages, which must be reassembled by matching the audit ID associated with each message; that collection constitutes an "event", as opposed to individual messages.

* parsing of the audit messages should be done with auparse as there are some odd behaviors with certain fields which auparse compensates for, in particular string values. The last time I checked, which was over a year ago, auparse did not assemble non-sequential messages into events.

setroubleshoot has addressed many of these issues and provides a GUI; are you aware of that?

--
John Dennis <jdennis@xxxxxxxxxx>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
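The reassembly John describes, as an added example that is not part of this thread, of audit, or of setroubleshoot: a minimal Python reader that keys every record on its audit id (the timestamp:serial pair inside msg=audit(...)) and regroups records into events regardless of arrival order. The input is constructed, modelled on the interpreted (ausearch -i style) records Zaina quoted; the SYSCALL record for serial 140 is invented for the example and the three records are interleaved on purpose. As John says, real tooling should use auparse, which also compensates for field quirks (hex-encoded strings, quoting) that this toy parser does not attempt to handle.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the interpreted (ausearch -i style) records
# quoted in the thread.  The SYSCALL record for serial 140 is invented for this
# example.  The records are interleaved deliberately: a reader that assumes "the
# next line belongs to the same alert" would pair the AVC with the wrong SYSCALL.
SAMPLE_LOG = """\
type=AVC msg=audit(12/03/2007 12:44:48.301:140) : avc:  denied  { getattr } for  pid=2816 comm=vi path=/root/xorg.conf.new dev=sda1 ino=131104 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=SYSCALL msg=audit(12/03/2007 12:44:48.325:141) : arch=i386 syscall=access success=yes exit=0 a0=88caaa8 a1=2 a2=1a4 a3=1 items=0 ppid=2784 pid=2816 auid=gmarzot uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=vi exe=/bin/vi subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
type=SYSCALL msg=audit(12/03/2007 12:44:48.301:140) : arch=i386 syscall=stat64 success=no exit=-13 a0=bfa4e5c4 a1=bfa4e4f0 a2=1a4 a3=0 items=0 ppid=2784 pid=2816 auid=gmarzot uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=vi exe=/bin/vi subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
"""

# Record header.  Every record belonging to one event carries the same
# "audit(<timestamp>:<serial>)" token, so that pair is the event key.
# The non-greedy timestamp group tolerates the colons inside a clock time.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>.*?):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$"
)

# AVC bodies carry "avc: denied { perm ... } for " before the key=value fields.
AVC_RE = re.compile(
    r"^avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)

# key=value pairs; a value is either a double-quoted string or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(text):
    """Split 'k=v k2=v2 ...' into a dict, stripping the quotes of quoted values."""
    fields = {}
    for key, value in KV_RE.findall(text):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_record(line):
    """Parse one audit record into (event_key, record_type, fields), or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, body = m.group("type"), m.group("body")
    fields = {}
    if rtype == "AVC":
        a = AVC_RE.match(body)
        if a:
            fields["verdict"] = a.group("verdict")
            fields["perms"] = a.group("perms").split()
            body = a.group("rest")
    fields.update(parse_fields(body))
    return (m.group("ts"), m.group("serial")), rtype, fields


def reassemble_events(lines):
    """Group records by audit id into events, in first-seen order.

    Returns an OrderedDict: (timestamp, serial) -> {record_type: [fields, ...]}.
    A list per type is kept because one event may carry several AVC or PATH records.
    """
    events = OrderedDict()
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue  # not an audit record header (blank line, continuation text)
        key, rtype, fields = parsed
        events.setdefault(key, {}).setdefault(rtype, []).append(fields)
    return events


def describe_denials(events):
    """One summary line per AVC denial, joined with the event's SYSCALL record."""
    out = []
    for (ts, serial), records in events.items():
        sc = records.get("SYSCALL", [{}])[0]
        for avc in records.get("AVC", []):
            if avc.get("verdict") != "denied":
                continue
            out.append(
                "serial %s: %s denied %s on %s %s (scontext=%s tcontext=%s) via syscall=%s exe=%s"
                % (serial, avc.get("comm"), ",".join(avc["perms"]), avc.get("tclass"),
                   avc.get("path", avc.get("name", "?")), avc.get("scontext"),
                   avc.get("tcontext"), sc.get("syscall", "?"), sc.get("exe", "?"))
            )
    return out


if __name__ == "__main__":
    for line in describe_denials(reassemble_events(SAMPLE_LOG.splitlines())):
        print(line)
```

Run stand-alone, the sample yields one summary for serial 140 that correctly attaches the stat64 SYSCALL to the getattr denial even though the 141 record arrived between them; serial 141 has no AVC record and is left alone.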

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
