Quote:
Originally Posted by *******
So you didn't put in rules for each file in /boot?
|
I really need to read more about selinux. Ok, here's the adjustment:
for i in `find /boot`; do
> auditctl -w $i
> done
And the outcome is similar to the 'auditctl -w /boot,' two extra lines shown like the following:
Code:
host=www.domain.com type=CWD msg=audit(1240464939.807:65243): cwd="/var/www/domain.com/bbs"
host=www.domain.com type=PATH msg=audit(1240464939.807:65243): item=0 name="/boot" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:boot_t:s0
Quote:
Normal? Why should a process be allowed to access /boot? A BBS (as in a publicly accessable service) has in my opinion no business where the kernel and related files reside.
|
Well, I agree with you, that's why I'd like to dig the real cause of the alert.
The meant of normal is compared to the past. The BBS application had been compromised due to its lossy configuration by another team. So did another CMS web application hosted on the same server. During those accidents, trojans were injected and we pinpointed the back door php scripts by tracing the httpd and sealert log and comparing the checksum of all. The '/boot' selaert was also triggered then by some of those malwares. And thanks to the selinux, there's no further harm observed to the underlying OS. But this time everything is quiet. No whistle blown from the team, and no complain from users. And we still don't know why there's no trace left in the httpd log so we can duplicate the alert.
We've also done the package integrity check by a rpm -Va. There's quite a few interesting thing from the result:
S.5..... /usr/lib64/libpanel.so.5.5
S.5....T /usr/bin/gnomevfs-df
S.5....T /usr/bin/gnomevfs-info
S.5....T /usr/bin/gnomevfs-ls
S.5....T /usr/bin/gnomevfs-mkdir
S.5....T /usr/bin/gnomevfs-monitor
S.5....T /usr/bin/gnomevfs-mv
S.5....T /usr/bin/gnomevfs-rm
S.5....T /sbin/sln
S.5..... /usr/lib64/libpq.so.4.1
S.5....T /sbin/dmsetup
S.5....T /usr/bin/gnome-audio-profiles-properties
S.5....T /usr/bin/gstreamer-properties
S.5....T /usr/bin/gnome-pilot-make-password
S.5....T /usr/bin/gpilot-install-file
S.5....T /usr/bin/gpilotd-session-wrapper
S.5....T /bin/dbus-daemon
S.5....T /bin/dbus-monitor
S.5....T /bin/dbus-send
S.5....T /bin/dbus-uuidgen
S.5....T /sbin/grubby
S.5..... /usr/lib64/libnl.so.1.0-pre5
S.5....T /sbin/parted
S.5....T /sbin/partprobe
S.5....T /usr/bin/dbus-binding-tool
Most of the discrepancies are introduced by the correspondent i[36]86 version of the same package. For example:
rpm -qf --qf '%{name}-%{version}-%{release}.%{arch}.rpm\n' /usr/bin/gnomevfs-rm
gnome-vfs2-2.16.2-4.el5.i386.rpm
gnome-vfs2-2.16.2-4.el5.x86_64.rpm
md5sum /usr/bin/gnomevfs-rm
d825d8faa83132773ade6256f9744f67 /usr/bin/gnomevfs-rm
The checksum agrees with the official x86_64 one. Don't know why the rpm test listing the i386 ones here.
There do have three files whose md5sum can't match the official ones:
/usr/lib64/libpanel.so.5.5
/usr/lib64/libpq.so.4.1
/usr/lib64/libnl.so.1.0-pre5
It turned out the prelink is the culprit. After a prelink -u, they all match. So, all binaries passes the integrity test at least from the package management prospective.
Any suggestion?
Thanks in advance!