SELinux : Search Logs2021/03/02 |
|
Access OK or Deny decisions by SELinux are cached once and Denial Accesses are sent to Log files.
Cache of SELinux is called AVC (Access Vector Cache) and Denial Accesses are called [AVC Denials].
AVC Denial Log is generated via Systemd Journald or Audit Service, so it needs either of service is running.
If Rsyslog Service is running (enabled by default), logs are also put on [/var/log/messages]. |
|
| [1] | When Audit service is disabled and Systemd Journald or Rsyslog service is enabled, AVC Denial Logs are recorded to Journald or [/var/log/messages]. |
|
[root@dlp ~]# journalctl -t setroubleshoot -- Logs begin at Thu 2021-02-25 11:45:47 JST, end at Thu 2021-02-25 14:01:01 JS> Feb 24 21:46:02 dlp.srv.world setroubleshoot[1505]: AnalyzeThread.run(): Cancel> Feb 24 21:46:02 dlp.srv.world setroubleshoot[1505]: failed to retrieve rpm info> Feb 24 21:46:04 dlp.srv.world setroubleshoot[1505]: SELinux is preventing /usr/> Feb 24 21:46:04 dlp.srv.world setroubleshoot[1505]: SELinux is preventing /usr/> ..... .....[root@dlp ~]# grep "avc: .denied" /var/log/messages
Feb 24 23:55:25 dlp kernel: audit: type=1400 audit(1614228925.779:193): avc: denied { name_bind } for pid=4218 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
Feb 24 23:55:25 dlp kernel: audit: type=1400 audit(1614228925.779:194): avc: denied { name_bind } for pid=4218 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
.....
.....
|
| [2] | When Audit service is enabled, AVC Denial Logs are recorded to [/var/log/audit/audit.log]. |
|
[root@dlp ~]# grep "avc: .denied" /var/log/audit/audit.log
type=AVC msg=audit(1614228758.984:188): avc: denied { name_bind } for pid=4156 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1614229469.795:202): avc: denied { name_bind } for pid=4312 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1614229469.795:203): avc: denied { name_bind } for pid=4312 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
.....
.....
|
| [3] | For Messages via Auditd, it's possible to search them with [ausearch] command. |
|
[root@dlp ~]# ausearch -m AVC
----
time->Thu Feb 24 19:04:29 2021
type=PROCTITLE msg=audit(1614229469.795:202): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1614229469.795:202): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=559bea673980 a2=1c a3=7fff6381dd2c items=0 ppid=1 pid=4312 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1614229469.795:202): avc: denied { name_bind } for pid=4312 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
----
time->Thu Feb 24 19:04:29 2021
type=PROCTITLE msg=audit(1614229469.795:203): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1614229469.795:203): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=559bea6738c0 a2=10 a3=7fff6381dd1c items=0 ppid=1 pid=4312 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1614229469.795:203): avc: denied { name_bind } for pid=4312 comm="httpd" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
.....
.....
|
| [4] | For Messages via Auditd, it's possible to show summary reports with [aureport] command. |
|
[root@dlp ~]# aureport --avc AVC Report =============================================================== # date time comm subj syscall class permission obj result event =============================================================== 1. 02/24/2021 14:26:00 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 71 2. 02/24/2021 14:26:21 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 74 3. 02/24/2021 14:33:46 login system_u:system_r:local_login_t:s0-s0:c0.c1023 137 filesystem getattr system_u:object_r:tmpfs_t:s0 denied 75 4. 02/24/2021 15:27:51 login system_u:system_r:local_login_t:s0-s0:c0.c1023 137 filesystem getattr system_u:object_r:tmpfs_t:s0 denied 78 5. 02/25/2021 11:44:59 login system_u:system_r:local_login_t:s0-s0:c0.c1023 137 filesystem getattr system_u:object_r:tmpfs_t:s0 denied 80 ..... ..... 15. 03/02/2021 15:00:53 login system_u:system_r:local_login_t:s0-s0:c0.c1023 137 filesystem getattr system_u:object_r:tmpfs_t:s0 denied 76 16. 03/02/2021 15:01:01 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:reserved_port_t:s0 denied 93 17. 03/02/2021 15:01:01 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:reserved_port_t:s0 denied 94 |
| Sponsored Link |