LinuxQuestions.org > Forums > Linux Forums > Linux - Security
11-29-2012, 08:18 PM   #1
reberly337
LQ Newbie
Registered: Nov 2012
Posts: 1
audit.log question


I'm having a problem completely understanding some audit.log messages I've been seeing. There are several thousand messages being generated per minute from my user account (ldap) and from the root account. The messages are open system calls that are resulting in failures. Since this activity is on another network, I'll do my best to summarize what I'm seeing:

type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=no exit=-13

**the ppid and pid keep changing
**the auid is either "0" or "10481", which is my ldap account
**the uid, gid, euid, suid, fsuid, egid, sgid, and fsgid are all the same "group" id
ses=103575 comm="mysql" exe="/usr/bin/mysql"
type=CWD msg=audit(1234874638.599:5207): cwd=
type=PATH msg=audit(1234874638.599:5207): item=0 name="/etc/host.conf"

So basically it looks like my user account and the root account are the culprits. It appears that I attempted to log in to mysql, but it failed (as evidenced by the passing of the /etc/host.conf file to mysql) because I used the wrong credentials. What I don't understand is why thousands of logs are being generated. I ran ps -ef looking for mysql or a script of some sort, but found nothing. I checked crontab and crond, but couldn't find anything that either I or root would be running that would cause this. Besides, how in the world would thousands of login attempts to mysql be made per minute? I also ran some lsof commands to try to find any mysql libraries that were open. I even looked at all ssh connections from other nodes on the network from my account, but all I could find was my current connection.

I'm not sure how to kill this thing, especially since the pid and ppid keep changing. Is there any way to leverage the "ses" (session ID) to track this thing down and stop it? Is there something else I could try?

I hope someone can help me out!

-Ryan
 
11-30-2012, 08:01 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 27,310
Blog Entries: 54
Quote: Originally Posted by reberly337
The messages are open system calls that are resulting in failures (..):

type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=no exit=-13
'ausyscall 2' says it's the fork system call as in 'man fork'.


Quote: Originally Posted by reberly337
Is there anyway to leverage the use of the "ses" (session ID) to track this thing down (..)
Well, 'ausearch' has a "--session" switch. Make sure to limit the search with "-ts" and a specific start time like "14:30:00" or "today", or see the manual.


Quote: Originally Posted by reberly337
I'm not sure how to kill this thing, especially since the pid and ppid keep changing.
First check if /etc/host.conf has the appropriate ownership and access rights, because MySQL may use /etc/host.conf to determine if it should read /etc/hosts. If all is OK, then 'sudo auditctl -l | grep "syscall.*fork"' should show which rules are loaded that monitor syscalls, or else see /etc/audit/audit.rules, then determine if regulations require you to have that rule (other than that, it's always good to check rule sets performance-wise), then determine (implications mostly) if it's allowed to either 0) add an exclusion rule, or 1) modify the syscalls it monitors, or 2) add an exclusion for the original UID (auid).
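As an added example (editor's code, not from either poster) of working through records like the ones quoted above offline before reaching for ausearch: the parser below decodes the syscall number relative to the arch field (the number is only meaningful per architecture: 2 is open() for arch=c000003e/x86_64 and fork() for arch=40000003/i386), maps the negative exit value to its errno name, joins each PATH record to its SYSCALL record by event id, and counts failures per (ses, auid, comm, file) so the busiest session id can be handed to 'ausearch --session'. The sample lines are constructed from the fields in the thread; pids, uids and the third event are made up.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the records quoted in the thread; the
# pid/uid values and the third (crond) event are made up for illustration.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=no exit=-13 ppid=4011 pid=4012 auid=10481 uid=27 gid=27 euid=27 ses=103575 comm="mysql" exe="/usr/bin/mysql"
type=CWD msg=audit(1234874638.599:5207): cwd="/home/ryan"
type=PATH msg=audit(1234874638.599:5207): item=0 name="/etc/host.conf"
type=SYSCALL msg=audit(1234874638.601:5208): arch=c000003e syscall=2 success=no exit=-13 ppid=4013 pid=4014 auid=0 uid=27 gid=27 euid=27 ses=103575 comm="mysql" exe="/usr/bin/mysql"
type=PATH msg=audit(1234874638.601:5208): item=0 name="/etc/host.conf"
type=SYSCALL msg=audit(1234874638.700:5209): arch=40000003 syscall=2 success=yes exit=4020 ppid=1 pid=4019 auid=4294967295 ses=4294967295 comm="crond" exe="/usr/sbin/crond"
"""

# A syscall number only means something together with arch: on x86_64
# (arch=c000003e) number 2 is open(), on i386 (arch=40000003) it is fork().
SYSCALL_NAMES = {"c000003e": {2: "open"}, "40000003": {2: "fork"}}
ERRNO_NAMES = {-1: "EPERM", -2: "ENOENT", -13: "EACCES"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def parse_record(line):
    """Split one audit line into a dict of fields; event serial under 'event'."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    if m:
        rec["event"] = m.group(2)
    return rec

def describe(rec):
    """Return (syscall name, outcome) for a SYSCALL record."""
    name = SYSCALL_NAMES.get(rec["arch"], {}).get(int(rec["syscall"]),
                                                  "syscall#" + rec["syscall"])
    code = int(rec["exit"])
    outcome = "ok" if rec["success"] == "yes" else ERRNO_NAMES.get(code, str(code))
    return name, outcome

def failed_by_session(log_text):
    """Count failed SYSCALL events per (ses, auid, comm, file); the file comes
    from the PATH record that shares the event serial."""
    records = [parse_record(line) for line in log_text.splitlines()]
    paths = {r["event"]: r["name"] for r in records if r.get("type") == "PATH"}
    counts = Counter()
    for r in records:
        if r.get("type") != "SYSCALL" or r.get("success") != "no":
            continue
        counts[(r["ses"], r["auid"], r["comm"], paths.get(r["event"], "?"))] += 1
    return counts

if __name__ == "__main__":
    for (ses, auid, comm, path), n in failed_by_session(SAMPLE_LOG).most_common():
        print(f"ses={ses} auid={auid} comm={comm} file={path}: {n} failures")
```

On a real box the same grouping over /var/log/audit/audit.log tells you which ses value to pass to 'ausearch --session' (with '-ts') and whether the failing file is the one whose permissions need checking.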