python and audit

keith2045 · 11-18-2011, 04:14 PM

Hello all,

So i've setup auditing on a my system for any syscalls for any opens that fail (-a exit,always -F arch=b64 -S open -F success=0) and noticed that python is very noisy.

Maybe i'm not reading the log correctly, but comm=yum-updatesd-he exe=/usr/bin/python tells me that python is trying to run yum-updatesd? I've found a few other lines that have python as the exe but different comm values. But each line says that it's trying to open a file that doesnt exist. What is python doing? Can i change it?

unSpawn · 11-19-2011, 05:08 AM

Quote:

Originally Posted by keith2045

So i've setup auditing on a my system for any syscalls for any opens that fail (-a exit,always -F arch=b64 -S open -F success=0) and noticed that python is very noisy. Maybe i'm not reading the log correctly, but comm=yum-updatesd-he exe=/usr/bin/python tells me that python is trying to run yum-updatesd? I've found a few other lines that have python as the exe but different comm values. But each line says that it's trying to open a file that doesnt exist. What is python doing? Can i change it?

Well, you explicitly watch failed opens so that's what you get. If it doesn't go against requirements why not try exclusion? Maybe something like "-F path!=/usr/bin/python"?

keith2045 · 11-19-2011, 08:00 AM

True, but i'm just curious of why it's generating a lot of failed open attempts.

unSpawn · 11-19-2011, 10:09 AM

Quote:

Originally Posted by keith2045

i'm just curious of why it's generating a lot of failed open attempts.

If you would strace them you'd see almost all processes do that due to dynamic linking with shared libraries: 'man ld.so; man ld' to start.