LinuxQuestions.org
Slackware: This Forum is for the discussion of Slackware Linux.
Old 12-30-2022, 11:03 AM   #16
tjallen
Original Poster

Hmmm. One file that changed at the same minute as the su from root is /etc/mtab. I'm still looking for others.
 
Old 12-30-2022, 12:21 PM   #17
keefaz
Quote:
Originally Posted by tjallen
Well that didn't take long. keefaz's mods stopped the gkr-pam messages, but not the su by root. I reverted the pam changes so as not to overly worry LuckyCyborg :-). I'm still figuring out how to use auditd. In the meantime, I'm looking at all files that have recently changed.
If you have the inotify-tools package installed, you could also use inotifywait on /var/log/secure.
A script could be run from /etc/rc.d/rc.local.

There is an example in the man page:
Code:
# man inotifywait
   Example 2
       A short shell script to efficiently wait for httpd-related log messages
       and do something appropriate.

       #!/bin/sh
       while inotifywait -e modify /var/log/messages; do
         if tail -n1 /var/log/messages | grep httpd; then
           kdialog --msgbox "Apache needs love!"
         fi
       done
You could grep for ' su ' and, if it matches, do ' ps axjf > /root/pscapture.txt ' and hopefully see the list of processes concerning su at the moment.
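As an added example, not keefaz's code or part of the thread: the inotifywait watch he describes, written against /var/log/secure, with the process snapshot taken only when the newest log line was written by su. The script name su-watch.sh, the capture directory /root/su-captures and the sample log lines are assumptions; inotify-tools is needed for the live loop.

```shell
#!/bin/sh
# Added example (not from the thread): watch /var/log/secure with inotifywait.
# Each time the file is modified, the newest line is checked for a su record
# and, on a match, the process tree is saved (ps axjf shows PPID and the
# forest, so the parent that called su can be read off afterwards).
LOG=${LOG:-/var/log/secure}
CAPDIR=${CAPDIR:-/root/su-captures}

# Return 0 if the line was logged by su, in either the classic
# "su[pid]: + tty from:to" form or the PAM "su[pid]: pam_unix(su:session)..." form.
is_su_line() {
    printf '%s\n' "$1" | grep -qE '[[:space:]]su(\[[0-9]+\])?: '
}

# Write a timestamped process snapshot under directory $1, tagged with the
# trigger line $2; print the file name.
capture_processes() {
    mkdir -p "$1"
    out="$1/pscapture-$(date +%Y%m%d-%H%M%S)-$$.txt"
    {
        printf '# trigger: %s\n' "$2"
        ps axjf 2>/dev/null || echo '# ps unavailable'
    } > "$out"
    printf '%s\n' "$out"
}

# Check the last line of log $1; capture into $2 if it is a su record.
# Returns 0 when a capture was written, 1 otherwise.
handle_modify() {
    line=$(tail -n1 "$1")
    if is_su_line "$line"; then
        capture_processes "$2" "$line"
    else
        return 1
    fi
}

# The watch loop runs only when the script is executed under its own name,
# so the functions above can be sourced and tested without inotify-tools.
if [ "${0##*/}" = su-watch.sh ]; then
    while inotifywait -qq -e modify "$LOG"; do
        handle_modify "$LOG" "$CAPDIR"
    done
fi
```

Log rotation replaces the file while the watch stays on the old inode, so the watcher has to be restarted (or wrapped in an outer loop) after /var/log/secure is rotated.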
 
Old 12-30-2022, 03:29 PM   #18
tjallen
Original Poster
Again, /etc/mtab changed at the same minute as the most recent successful su from root. The lines of /etc/mtab that are not in /etc/fstab are

Code:
fusectl /sys/fs/fuse/connections fusectl rw 0 0
gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,user=user 0 0
portal /run/user/1000/doc fuse.portal rw,nosuid,nodev,user=user 0 0
where again I changed my login name to user. It seems that the root process su-ing to my username is looking to mount filesystems via fuse. Now I need to find it.
 
Old 12-30-2022, 05:19 PM   #19
brobr
I have those lines in my /etc/mtab as well (only with one extra portal line for 'user=sddm'; but that's maybe because I start with telinit 4 (not telinit 3 and then 'startx')).
But no '???' in '/var/log/secure'.
Thus the /etc/mtab timestamp could be a red herring...
(Note: xfce4-screensaver-dialog calls 'gkr-pam' most of the time at my end)

Last edited by brobr; 12-30-2022 at 05:25 PM.
 
Old 12-30-2022, 05:20 PM   #20
tjallen
Original Poster
Quote:
Originally Posted by brobr
Have those lines in my /etc/mtab as well (only with one extra portal line for 'user=sddm'; but that's maybe because I start with telinit 4 (not telinit 3 and then 'startx')), but no '???' in '/var/log/secure'.
Thanks--good to know.
 
Old 12-31-2022, 04:57 AM   #21
henca
Quote:
Originally Posted by tjallen
It seems that the root process su-ing to my username is looking to mount filesystems via fuse. Now I need to find it.
My guess would be that the fuse-mounting-thing is some feature from some desktop environment. Maybe it would go away if you switched to some other rather full-featured desktop environment like KDE or XFCE. It would most likely go away if you switched to some less featured window manager like fvwm.

But those are only my guesses; with some audit logging it might be possible to track down exactly what is going on. I did some quick testing to get an easy cookbook recipe:

Code:
/etc/rc.d/rc.auditd start
auditctl -w /bin/su -p x -k test
su henca
exit
auditctl -W /bin/su -p x -k test
ausearch --start recent -k test -m syscall
After starting audit logging of su I did try to su as root to my own username. The interesting lines in the log output looked like this:

Code:
type=EXECVE msg=audit(1672483564.552:4): argc=2 a0="su" a1="henca"
type=SYSCALL msg=audit(1672483564.552:4): arch=c000003e syscall=59 success=yes exit=0 a0=1558f68 a1=1558708 a2=1555008 a3=598 items=2 ppid=28654 pid=29027 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts21 ses=4294967295 comm="su" exe="/bin/su" key="test"
The pid 29027 was the pid of su and that pid was gone after I had exited. However, the ppid process was still the bash process which I was running as root.

Once I had successfully done this test I stopped auditd with:

Code:
/etc/rc.d/rc.auditd stop
Regards, Henrik
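As an added example, not part of Henrik's post: a small shell helper that reads the ausearch output from his recipe, pulls pid, ppid, uid, auid and tty out of each SYSCALL record, and looks up the parent while it is still alive, which is the step he did by hand. The function names are hypothetical; the record format and the audit key "test" are those shown above.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the SYSCALL records produced
# by "auditctl -w /bin/su -p x -k test" so the caller of su can be read off
# without hand-inspecting the log.

# Print the value of key $2 from audit record $1 (quotes stripped). The
# leading whitespace anchor keeps "pid=" from matching inside "ppid=" and
# "uid=" from matching inside "auid=", "euid=", "fsuid=" and so on.
audit_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Describe process $1 if it is still running (comm and exe), else "exited".
describe_parent() {
    if [ -r "/proc/$1/comm" ]; then
        printf '%s %s\n' "$(cat "/proc/$1/comm")" \
            "$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')"
    else
        echo exited
    fi
}

# Read ausearch output on stdin and print one line per SYSCALL record.
# auid=4294967295 means the kernel login uid was never set for that session
# (typical when pam_loginuid is not in the PAM stack, or for processes
# started by init or cron rather than from a login).
report_su_records() {
    while IFS= read -r rec; do
        case $rec in *type=SYSCALL*) ;; *) continue ;; esac
        ppid=$(audit_field "$rec" ppid)
        printf 'uid=%s auid=%s tty=%s pid=%s ppid=%s parent=%s\n' \
            "$(audit_field "$rec" uid)" "$(audit_field "$rec" auid)" \
            "$(audit_field "$rec" tty)" "$(audit_field "$rec" pid)" \
            "$ppid" "$(describe_parent "$ppid")"
    done
}

# Live use, as root with auditd running (see the recipe above):
#   auditctl -w /bin/su -p x -k test
#   ...wait for the next unexplained su...
#   ausearch --start recent -k test -m syscall --raw | report_su_records
```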
 
Old 12-31-2022, 07:56 PM   #22
tjallen
Original Poster
Thanks, Henrik.

I did find out by looking at my backups that in Slackware 14.2, /etc/mtab is a regular file, while in 15.0, it seems that it's a soft link to /proc/mounts. Right now I have put the link back and will look to see if the messages stop or not. Curiously, in the slackware64-15.0 package a/etc-15.0-x86_64-17.txz, etc/mtab.new is a regular file.
 
Old 01-02-2023, 05:21 PM   #23
tjallen
Original Poster
Update: Whether /etc/mtab is a link or a regular file makes no difference. I managed to find the culprit this afternoon. It turns out that the SBo package laptop-mode-tools is the cause of the new entries.

Another sporadic message may or may not be related. I got the following yesterday:
Code:
kernel: EXT4-fs (sda1): re-mounted. Opts: stripe=4,commit=0. Quota mode: none.

Thanks everyone for the help. I'm still having to figure out auditd as it may come in handy in the future.
 
All times are GMT -5.