sealert -a hangs somewhere between 9% and 80%

Posted: 2020/12/19 00:20:55
by oceanjeremy
I run this command:

~]# sealert -a /var/log/audit/audit.log
It audits to anywhere between 9% and 80% then just freezes.

I open another terminal window and ssh in, then I run top and it shows it as super resource intensive:

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
   1984 root      20   0  404900 142280  24056 R  87.7  7.6   6:31.09 sealert
The only way out is to run kill [PID#] in the second terminal window. But I don't get any output.

I'm pretty sure SELinux is blocking something I need to reconfigure, but I have no way to find out if I'm right because sealert just isn't working.

But even if SELinux isn't causing my other problem, I still need to fix sealert.

Any ideas?

Re: sealert -a hangs somewhere between 9% and 80%

Posted: 2020/12/19 00:37:54
by oceanjeremy
Update: I let the process run while I was typing the above post and it went from 12% to 27%.

I'm used to sealert -a finishing up in less than a minute, but that's when I was setting up my first website on this server.

So I think to myself, "This must be an issue with the volume of my audit log!"

So I checked out the contents of /var/log/audit/ and it looks like this:

 root@myserver audit]# ll -h
total 35M
-rw-------. 1 root root 2.2M Dec 18 19:28 audit.log
-r--------. 1 root root 8.1M Dec 18 18:54 audit.log.1
-r--------. 1 root root 8.1M Dec 18 15:24 audit.log.2
-r--------. 1 root root 8.1M Dec 18 10:35 audit.log.3
-r--------. 1 root root 8.1M Dec 18 08:43 audit.log.4
So I'm filling up an 8.1M audit log every three to five hours. One of them filled up in a little over 30 minutes.

I also noticed that audit.log grew by 0.4M while I was poking around and typing this. So I think, "Maybe it's going so slow because the file it's trying to analyze is changing in real time?" I killed the sealert process and tried running an audit of audit.log.1 — this time it froze at 83%.

Is this normal? For audit logs to get that big, that quickly?

Should it be taking this long for sealert to analyze them?
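An audit log that fills 8 MB every few hours usually means the same denial is being logged over and over, and a quick tally of what is being denied (by process, source type, target type and object class) tells you what to look at before handing the whole file to sealert. The script below is an added example written for this thread, not code from the original posts or from the setroubleshoot project; it assumes the standard auditd record layout, and the log it parses is constructed here for illustration.

```shell
#!/bin/sh
# Tally SELinux AVC denials in an auditd log without running sealert.
# Added example for this thread; assumes the standard "type=AVC ... avc:  denied
# { perms } for ... comm=... scontext=... tcontext=... tclass=..." record layout.

# summarize_avc FILE
# Prints one line per distinct denial shape, most frequent first:
#   COUNT comm source_type target_type tclass perms
summarize_avc() {
    grep 'type=AVC' "$1" | grep ' denied ' | awk '
    {
        comm = "?"; st = "?"; tt = "?"; tc = "?"; perms = ""
        inperm = 0
        for (i = 1; i <= NF; i++) {
            # permission names sit between "{" and "}"
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if (index($i, "comm=") == 1) { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if (index($i, "scontext=") == 1) { split(substr($i, 10), a, ":"); st = a[3] }
            else if (index($i, "tcontext=") == 1) { split(substr($i, 10), a, ":"); tt = a[3] }
            else if (index($i, "tclass=") == 1) { tc = substr($i, 8) }
        }
        print comm, st, tt, tc, perms
    }' | sort | uniq -c | sort -rn
}

# count_denials FILE: number of AVC denial records in FILE
count_denials() {
    grep 'type=AVC' "$1" | grep -c ' denied '
}

# write_sample_log: create a constructed audit log for demonstration and
# print its path. The records are made up; they are not from a real system.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=AVC msg=audit(1608333000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1608333000.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1608333001.200:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1608333002.300:458): avc:  denied  { read open } for  pid=2222 comm="nginx" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1608333003.400:459): avc:  granted  { setsecparam } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
    printf '%s\n' "$f"
}

# Stand-alone usage: summarise the constructed log (replace with
# /var/log/audit/audit.log on a real host).
if [ "${1:-}" = "--demo" ]; then
    log=$(write_sample_log)
    echo "denials: $(count_denials "$log")"
    summarize_avc "$log"
    rm -f "$log"
fi
```

Run it as `sh avc_summary.sh --demo` to see the tally for the built-in sample, or call `summarize_avc /var/log/audit/audit.log.1` on a rotated log. Each output line maps directly onto the denial that sealert would later explain, so a handful of lines with large counts points at the one context or boolean to fix, and a denial with a suspiciously high count for a process that should never touch that target is the kind of activity the last post in this thread says to treat as a security event rather than a labelling mistake.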

[SOLVED] sealert -a hangs somewhere between 9% and 80%

Posted: 2021/01/24 21:49:14
by oceanjeremy
Hey, just a follow up: I let it go for a few hours and it worked just fine.

Subsequent runs of this command have gone significantly more quickly.

I guess my suggestion is to run "sealert -a /var/log/audit/audit.log" every month or so and fix any sealert contexts that appear to be wrong.

I mean, of course, unless you see activity that SELinux is blocking that should be blocked. In which case you gotta take security actions.