I'm having a problem completely understanding some audit.log messages I've been seeing. There are several thousand messages being generated per minute from my user account (ldap) and from the root account. The messages are open system calls that are resulting in failures. Since this activity is on another network I'll do my best to summarize what I'm seeing:

type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=no exit=-13

**the ppid and pid keeps changing
**the auid is either "0" or "10481", which is my ldap account
**the uid, gid, euid, suid, fsuid, egid, sgid, and fsgid are all the same "group" id. ses=103575 comm="mysql" exe="/usr/bin/mysql"
type=CWD msg=audit(1234874638.599:5207): cwd=
type=PATH msg=audit(1234874638.599:5207): item=0 name="/etc/host.conf"

So basically it looks like my user account and the root account are the culprits. It appears that I attempted to log in to mysql, but it failed (as evidenced by the passing of the /etc/host.conf file to mysql) because I used the wrong credentials. What I don't understand is why thousands of logs are being generated. I ran ps -ef looking for mysql or a script of some sorts, but found nothing. I checked crontab and crond, but couldn't find anything that I nor root would be running that would cause this. Besides, how in the world would thousands of login attempts to mysql be made per minute? I also ran some lsof commands to try and find any mysql libraries that were open. I even looked at all ssh connections from other nodes on the network from my account but all I could find was my current connection.

I'm not sure how to kill this thing, especially since the pid and ppid keeps changing. Is there anyway to leverage the use of the "ses" (session ID) to track this thing down and stop it? Is there something else I could try?

I hope someone can help me out!

-Ryan

'ausyscall 2' says it's the fork system call as in 'man fork'.


Well 'ausearch' has a "--session" switch. Make sure to limit the search with "-ts" a specific start time like "14:30:00" or "today" or see the manual.


First check if /etc/host.conf has the appropriate ownership and access rights, because MySQL may use /etc/host.conf to determine if it should read /etc/hosts. If all is OK then 'sudo auditctl -l|grep "syscall.*fork";') should show which rules are loaded that monitor syscalls, or else see /etc/audit/audit.rules, then determine if regulations require you to have that rule (other than that it's always good to check rule sets performance-wise) then determine (implications mostly) if it's allowed to either 0) add an exclusion rule, or 1) modify the syscalls it monitors or 2) if its allowed to add an exclusion for the original UID (auid).