Support for security such as Firewalls and securing linux
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
by hack3rcon » 2020/10/24 20:19:15
Hello,
What does this log mean?
$ tail /var/log/audit/audit.log
type=AVC msg=audit(1599494068.584:19786): avc: denied { name_connect } for pid=504776 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SERVICE_START msg=audit(1599494106.326:19787): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmlogger_check comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1599494106.326:19788): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmlogger_check comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1599494130.872:19789): avc: denied { name_connect } for pid=441891 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SERVICE_START msg=audit(1599494281.581:19790): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmie_check comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1599494281.581:19791): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmie_check comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1599494401.340:19792): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1599494401.340:19793): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1599494401.446:19794): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmlogger_daily-poll comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1599494401.447:19795): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmlogger_daily-poll comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
Thank you.
jlehtone
- Posts: 4530
- Joined: 2007/12/11 08:17:33
- Location: Finland
by jlehtone » 2020/10/24 22:43:29
audit2why - Translates SELinux audit messages into a description of why the access was denied
tail /var/log/audit/audit.log | /usr/sbin/audit2why
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
by hack3rcon » 2020/10/25 14:00:35
jlehtone wrote: ↑2020/10/24 22:43:29
audit2why - Translates SELinux audit messages into a description of why the access was denied
tail /var/log/audit/audit.log | /usr/sbin/audit2why
It shows me:
# tail /var/log/audit/audit.log | /usr/sbin/audit2why
bash: /usr/sbin/audit2why: No such file or directory
# yum install audit2why
Last metadata expiration check: 1:43:30 ago on Sun 25 Oct 2020 03:45:10 PM +0330.
No match for argument: audit2why
Error: Unable to find a match: audit2why
jlehtone
- Posts: 4530
- Joined: 2007/12/11 08:17:33
- Location: Finland
by jlehtone » 2020/10/25 16:19:42
When you don't know which package provides a file, you can ask with dnf:
TrevorH
- Site Admin
- Posts: 33218
- Joined: 2009/09/24 10:40:56
- Location: Brighton, UK
by TrevorH » 2020/10/25 16:26:01
or even yum install /usr/sbin/audit2why
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
by hack3rcon » 2020/10/25 16:50:56
jlehtone wrote: ↑2020/10/25 16:19:42
When you don't know which package provides a file, you can ask with dnf:
Thank you for that command.
I did the steps below:
# whereis audit2why
audit2why: /usr/bin/audit2why /usr/share/man/man1/audit2why.1.gz
# tail /var/log/audit/audit.log | /usr/bin/audit2why
Nothing to do
What does "Nothing to do" mean?
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
by hack3rcon » 2020/10/25 16:51:18
TrevorH wrote: ↑2020/10/25 16:26:01
or even
yum install /usr/sbin/audit2why
# yum install /usr/sbin/audit2why
Last metadata expiration check: 1:32:40 ago on Sun 25 Oct 2020 06:45:33 PM +0330.
No match for argument: /usr/sbin/audit2why
Error: Unable to find a match: /usr/sbin/audit2why
TrevorH
- Site Admin
- Posts: 33218
- Joined: 2009/09/24 10:40:56
- Location: Brighton, UK
by TrevorH » 2020/10/25 17:24:03
If you ran the yum provides command then it would have told you that the file is /usr/bin/audit2why not sbin.
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
by hack3rcon » 2020/10/25 18:13:04
TrevorH wrote: ↑2020/10/25 17:24:03
If you ran the yum provides command then it would have told you that the file is /usr/bin/audit2why not sbin.
Thank you.
What does "Nothing to do" mean?
TrevorH
- Site Admin
- Posts: 33218
- Joined: 2009/09/24 10:40:56
- Location: Brighton, UK
by TrevorH » 2020/10/25 18:26:17
It means that tail -f /var/log/audit/audit.log doesn't produce any output that audit2why is interested in. Perhaps you meant to grep it for avc not tail?
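The two points of the thread, reading the AVC records in the first post and filtering the log for avc records rather than relying on whatever the last ten lines of tail happen to contain, can be shown together in a small parser. This is an added example, not code from any forum participant or from the audit/setools packages. It embeds three of the audit records posted above as its input, keeps only the type=AVC lines (the same selection TrevorH's grep would make, and the only records audit2why reads), splits each one into fields, and reports per denial the source domain, target type, object class and requested permission. For the denial shown here (httpd_t asking for name_connect on a tcp_socket labelled http_port_t, permissive=0 so it was actually blocked), audit2why would normally name the SELinux boolean that permits it (httpd_can_network_connect for httpd domains making outbound TCP connections); the parser only decodes the record and does not consult policy, so confirm the remedy with audit2why or sesearch before changing anything.

```python
import re
from collections import Counter

# Audit records copied from the forum post above (not constructed). The two AVC
# lines are what the grep-for-avc step keeps; the SERVICE_START line is noise
# that tail alone would happily return and audit2why would then ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1599494068.584:19786): avc: denied { name_connect } for pid=504776 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SERVICE_START msg=audit(1599494106.326:19787): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pmlogger_check comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1599494130.872:19789): avc: denied { name_connect } for pid=441891 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
"""

# Fixed prefix of an AVC record: timestamp, serial, verdict and the {perms} set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: '
    r'(?P<verdict>denied|granted) \{ (?P<perms>[^}]+) \} for (?P<rest>.*)$'
)
# The remainder is key=value pairs; values are either "quoted" or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:level]; policy rules match on the type field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def avc_records(text):
    """The 'grep avc' step: yield parsed AVC records, skip everything else."""
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            yield rec


def describe(rec):
    """One-line human reading of a single AVC record."""
    state = "enforced" if rec.get("permissive") == "0" else "logged only (permissive)"
    extra = f" dest={rec['dest']}" if "dest" in rec else ""
    return (f"{rec['verdict']}: {rec['comm']} (pid {rec['pid']}, domain {rec['source_type']}) "
            f"{' '.join(rec['perms'])} on {rec['tclass']} labelled {rec['target_type']}"
            f"{extra}; {state}")


def summarize(text):
    """Count distinct denials by (source type, target type, class, perms).

    Repeated identical entries collapse to one key, which is the unit a policy
    fix (a boolean, a relabel or a local module) actually addresses.
    """
    counts = Counter()
    for rec in avc_records(text):
        if rec["verdict"] == "denied":
            key = (rec["source_type"], rec["target_type"], rec["tclass"], tuple(rec["perms"]))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for rec in avc_records(SAMPLE_AUDIT_LOG):
        print(describe(rec))
    for (src, tgt, cls, perms), n in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x {src} -> {tgt} {cls} {{ {' '.join(perms)} }}")
```

To run it against a live system, replace SAMPLE_AUDIT_LOG with the contents of /var/log/audit/audit.log (readable by root); the summary line is what to hand to audit2why or to compare against the booleans listed by getsebool.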