Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm having a problem completely understanding some audit.log messages I've been seeing. There are several thousand messages being generated per minute from my user account (ldap) and from the root account. The messages are open system calls that are resulting in failures. Since this activity is on another network I'll do my best to summarize what I'm seeing:
**the ppid and pid keeps changing
**the auid is either "0" or "10481", which is my ldap account
**the uid, gid, euid, suid, fsuid, egid, sgid, and fsgid are all the same "group" id. ses=103575 comm="mysql" exe="/usr/bin/mysql"
type=CWD msg=audit(1234874638.599:5207): cwd=
type=PATH msg=audit(1234874638.599:5207): item=0 name="/etc/host.conf"
So basically it looks like my user account and the root account are the culprits. It appears that I attempted to log in to mysql, but it failed (as evidenced by the passing of the /etc/host.conf file to mysql) because I used the wrong credentials. What I don't understand is why thousands of logs are being generated. I ran ps -ef looking for mysql or a script of some sorts, but found nothing. I checked crontab and crond, but couldn't find anything that I nor root would be running that would cause this. Besides, how in the world would thousands of login attempts to mysql be made per minute? I also ran some lsof commands to try and find any mysql libraries that were open. I even looked at all ssh connections from other nodes on the network from my account but all I could find was my current connection.
I'm not sure how to kill this thing, especially since the pid and ppid keeps changing. Is there anyway to leverage the use of the "ses" (session ID) to track this thing down and stop it? Is there something else I could try?
'ausyscall 2' says it's the fork system call as in 'man fork'.
Quote:
Originally Posted by reberly337
Is there anyway to leverage the use of the "ses" (session ID) to track this thing down (..)
Well 'ausearch' has a "--session" switch. Make sure to limit the search with "-ts" a specific start time like "14:30:00" or "today" or see the manual.
Quote:
Originally Posted by reberly337
I'm not sure how to kill this thing, especially since the pid and ppid keeps changing.
First check if /etc/host.conf has the appropriate ownership and access rights, because MySQL may use /etc/host.conf to determine if it should read /etc/hosts. If all is OK then 'sudo auditctl -l|grep "syscall.*fork";') should show which rules are loaded that monitor syscalls, or else see /etc/audit/audit.rules, then determine if regulations require you to have that rule (other than that it's always good to check rule sets performance-wise) then determine (implications mostly) if it's allowed to either 0) add an exclusion rule, or 1) modify the syscalls it monitors or 2) if its allowed to add an exclusion for the original UID (auid).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.