What does this log mean?

Support for security such as Firewalls and securing linux
hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

What does this log mean?

Post by hack3rcon » 2020/10/24 20:19:15

Hello,
What does this log mean?

Code:

$ tail /var/log/audit/audit.log
type=AVC msg=audit(1599494068.584:19786): avc:  denied  { name_connect } for  pid=504776 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SERVICE_START msg=audit(1599494106.326:19787): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmlogger_check comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1599494106.326:19788): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmlogger_check comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1599494130.872:19789): avc:  denied  { name_connect } for  pid=441891 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SERVICE_START msg=audit(1599494281.581:19790): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmie_check comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1599494281.581:19791): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmie_check comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1599494401.340:19792): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1599494401.340:19793): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1599494401.446:19794): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmlogger_daily-poll comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1599494401.447:19795): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmlogger_daily-poll comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
Thank you.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: What does this log mean?

Post by jlehtone » 2020/10/24 22:43:29

audit2why - Translates SELinux audit messages into a description of why the access was denied

Code:

tail /var/log/audit/audit.log | /usr/sbin/audit2why

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: What does this log mean?

Post by hack3rcon » 2020/10/25 14:00:35

jlehtone wrote:
2020/10/24 22:43:29
audit2why - Translates SELinux audit messages into a description of why the access was denied

Code:

tail /var/log/audit/audit.log | /usr/sbin/audit2why
It shows me:

Code:

# tail /var/log/audit/audit.log | /usr/sbin/audit2why
bash: /usr/sbin/audit2why: No such file or directory

# yum install audit2why
Last metadata expiration check: 1:43:30 ago on Sun 25 Oct 2020 03:45:10 PM +0330.
No match for argument: audit2why
Error: Unable to find a match: audit2why

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: What does this log mean?

Post by jlehtone » 2020/10/25 16:19:42

When you don't know which package provides a file, you can ask with dnf:

Code:

sudo dnf provides *bin/audit2why

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: What does this log mean?

Post by TrevorH » 2020/10/25 16:26:01

or even yum install /usr/sbin/audit2why
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: What does this log mean?

Post by hack3rcon » 2020/10/25 16:50:56

jlehtone wrote:
2020/10/25 16:19:42
When you don't know which package provides a file, you can ask with dnf:

Code:

sudo dnf provides *bin/audit2why
Thank you for that command.
I did the steps below:

Code:

# whereis audit2why 
audit2why: /usr/bin/audit2why /usr/share/man/man1/audit2why.1.gz
# tail /var/log/audit/audit.log | /usr/bin/audit2why
Nothing to do
What does "Nothing to do" mean?

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: What does this log mean?

Post by hack3rcon » 2020/10/25 16:51:18

TrevorH wrote:
2020/10/25 16:26:01
or even yum install /usr/sbin/audit2why

Code:

# yum install /usr/sbin/audit2why
Last metadata expiration check: 1:32:40 ago on Sun 25 Oct 2020 06:45:33 PM +0330.
No match for argument: /usr/sbin/audit2why
Error: Unable to find a match: /usr/sbin/audit2why

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: What does this log mean?

Post by TrevorH » 2020/10/25 17:24:03

If you ran the yum provides command then it would have told you that the file is /usr/bin/audit2why not sbin.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: What does this log mean?

Post by hack3rcon » 2020/10/25 18:13:04

TrevorH wrote:
2020/10/25 17:24:03
If you ran the yum provides command then it would have told you that the file is /usr/bin/audit2why not sbin.
Thank you.
What does "Nothing to do" mean?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: What does this log mean?

Post by TrevorH » 2020/10/25 18:26:17

It means that tail -f /var/log/audit/audit.log doesn't produce any output that audit2why is interested in. Perhaps you meant to grep it for avc not tail?
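The two points the thread ends on, filtering the audit log down to its AVC records before handing it to audit2why, and "Nothing to do" being what you get when the input carries no such records, can be shown with a small reader. The script below is an added example, not code from the thread, from CentOS or from the audit2why/setools packages; the file name avc_summary.py is made up, and the sample input is the audit.log excerpt quoted in the first post. It keeps only type=AVC lines, splits each into fields, and prints a one-line reading of what was denied, plus a tally per (source type, target type, class, permission) so repeated denials of the same rule show up as one count.

```python
"""Reader for SELinux AVC records in /var/log/audit/audit.log.

Added example, not code from the forum thread or from the audit/setools
packages. It keeps only type=AVC records (what `grep avc` would hand to
audit2why) and turns each one into a one-line explanation of what was
denied. With no AVC records in its input it answers "Nothing to do", which
is the situation the poster hit when `tail` happened to return only
SERVICE_START/SERVICE_STOP lines.
"""
import re
import sys
from collections import Counter

# Sample input copied from the audit.log excerpt quoted in the thread.
SAMPLE_LINES = [
    'type=AVC msg=audit(1599494068.584:19786): avc:  denied  { name_connect } for  pid=504776 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0',
    'type=SERVICE_START msg=audit(1599494106.326:19787): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'unit=pmlogger_check comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success\'UID="root" AUID="unset"',
    'type=AVC msg=audit(1599494130.872:19789): avc:  denied  { name_connect } for  pid=441891 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0',
]

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Type component (e.g. httpd_t) of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for any other type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    rec["source_type"] = selinux_type(rec.get("scontext", ""))
    rec["target_type"] = selinux_type(rec.get("tcontext", ""))
    # permissive=0: the policy is enforced and the operation really failed;
    # permissive=1: only logged, the process was allowed to continue.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def describe(rec):
    """One-line, human-readable reading of a parsed AVC record."""
    target = f" (dest port {rec['dest']})" if "dest" in rec else ""
    mode = "enforcing" if rec["enforced"] else "permissive (not blocked)"
    return (
        f"{rec['source_type']} process {rec.get('comm', '?')} (pid {rec.get('pid', '?')}) "
        f"was {rec['verdict']} {' '.join(rec['perms'])} on {rec.get('tclass', '?')} "
        f"labelled {rec['target_type']}{target}; {mode}"
    )


def report(lines):
    """Descriptions for every AVC record in `lines`, or ["Nothing to do"] if there are none."""
    recs = [r for r in (parse_avc(l) for l in lines) if r]
    return [describe(r) for r in recs] if recs else ["Nothing to do"]


def tally(lines):
    """Count denials per (source type, target type, class, permission) rule."""
    counts = Counter()
    for rec in filter(None, (parse_avc(l) for l in lines)):
        if rec["verdict"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["source_type"], rec["target_type"], rec.get("tclass", "?"), perm)] += 1
    return counts


if __name__ == "__main__":
    # Usage: grep avc /var/log/audit/audit.log | python3 avc_summary.py
    # (falls back to the embedded sample lines when nothing is piped in)
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    lines = list(src)
    for text in report(lines):
        print(text)
    for (s, t, cls, perm), n in tally(lines).most_common():
        print(f"{n:4d}  {s} -> {t} ({cls}: {perm})")
```

On the sample input this reports two denials of the same rule: a php-fpm process running as httpd_t tried to open a TCP connection (name_connect) to a port labelled http_port_t, port 80, and with permissive=0 the connection really was refused. Outbound HTTP from the web server's own domain is something audit2why normally attributes to an SELinux boolean (httpd_can_network_connect, or the narrower httpd_can_network_relay), which `getsebool -a | grep httpd_can_network` will show; whether PHP code on that host should be allowed to make outbound connections at all is the question to settle before changing the boolean.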
