CentOS 8

SELinux : Search Logs
2019/09/28

SELinux caches each access decision (allow or deny) so that it is made only once, and denied accesses are written to log files.
The SELinux cache is called the AVC (Access Vector Cache), and the denied accesses are called [AVC Denials].
AVC denial logs are written by either the Rsyslog service or the Audit service, so one of the two must be running.
[1] When the Audit service is disabled and the Rsyslog service is enabled, AVC denial logs are recorded in [/var/log/messages].
[root@dlp ~]#
grep "avc: .denied" /var/log/messages

Sep 26 19:49:38 dlp kernel: audit: type=1400 audit(1569563378.951:4): avc:  denied  { name_bind } for  pid=1326 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
Sep 26 19:49:38 dlp kernel: audit: type=1400 audit(1569563378.951:5): avc:  denied  { name_bind } for  pid=1326 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
[2] When the Audit service is enabled, AVC denial logs are recorded in [/var/log/audit/audit.log].
[root@dlp ~]#
grep "avc: .denied" /var/log/audit/audit.log

type=AVC msg=audit(1569562236.212:158): avc:  denied  { name_bind } for  pid=28610 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1569562236.213:159): avc:  denied  { name_bind } for  pid=28610 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1569563212.919:163): avc:  denied  { name_bind } for  pid=28675 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1569563212.919:164): avc:  denied  { name_bind } for  pid=28675 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
[3] Messages recorded via Auditd can be searched with the [ausearch] command.
[root@dlp ~]#
ausearch -m AVC

----
time->Fri Sep 26 18:46:52 2019
type=PROCTITLE msg=audit(1569563212.919:164): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1569563212.919:164): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=55ea69d01280 a2=10 a3=7ffe36d31c0c items=0 ppid=1 pid=28675 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1569563212.919:164): avc:  denied  { name_bind } for  pid=28675 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
----
time->Fri Sep 26 19:33:21 2019
type=PROCTITLE msg=audit(1569566001.330:125): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1569566001.330:125): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=55c2cdde7340 a2=1c a3=7ffc3e9c10ec items=0 ppid=1 pid=1790 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1569566001.330:125): avc:  denied  { name_bind } for  pid=1790 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
----
time->Fri Sep 26 19:33:21 2019
type=PROCTITLE msg=audit(1569566001.331:126): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1569566001.331:126): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=55c2cdde7280 a2=10 a3=7ffc3e9c10dc items=0 ppid=1 pid=1790 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1569566001.331:126): avc:  denied  { name_bind } for  pid=1790 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
[4] For messages recorded via Auditd, summary reports can be shown with the [aureport] command.
[root@dlp ~]#
aureport --avc
AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 09/26/2019 02:43:13 ? (null) 0 (null) (null) (null) unset 104
2. 09/26/2019 02:43:16 ? (null) 0 (null) (null) (null) unset 105
3. 09/26/2019 02:58:09 ? (null) 0 (null) (null) (null) unset 111
4. 09/26/2019 02:58:09 ? (null) 0 (null) (null) (null) unset 112
5. 09/26/2019 04:12:17 ? (null) 0 (null) (null) (null) unset 141
.....
.....
15. 09/27/2019 19:48:50 ? (null) 0 (null) (null) (null) unset 191
16. 09/27/2019 19:48:50 ? (null) 0 (null) (null) (null) unset 192
17. 09/27/2019 20:33:21 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:reserved_port_t:s0 denied 125
18. 09/27/2019 20:33:21 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:reserved_port_t:s0 denied 126
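The AVC record core shown in steps [1] to [3] has the same shape in /var/log/messages and in audit.log, so a single parser can normalise both and produce a per-context denial count like the aureport output above, and can decode the hex proctitle= field that ausearch prints. This is an added example, not code from the page; the sample lines are constructed (the granted record and its serial numbers are made up for the demonstration).

```python
import re
from collections import Counter

# Constructed sample input: one kernel/rsyslog line as written to /var/log/messages,
# two raw audit.log AVC records (one granted, to show the filter), and one PROCTITLE
# record with the hex-encoded command line.
SAMPLE_LOG = """\
Sep 26 19:49:38 dlp kernel: audit: type=1400 audit(1569563378.951:4): avc:  denied  { name_bind } for  pid=1326 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1569562236.212:158): avc:  denied  { name_bind } for  pid=28610 comm="httpd" src=83 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1569566001.330:125): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=0
type=PROCTITLE msg=audit(1569563212.919:164): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
"""

# The "audit(<epoch>:<serial>): avc: <result> { perms } for key=value ..." core is
# identical in both files, so one regex handles syslog and audit.log lines.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC decision line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]), "result": m["result"],
           "perms": m["perms"].split()}
    for key, val in FIELD_RE.findall(m["fields"]):
        rec[key] = val.strip('"')
    rec["permissive"] = int(rec.get("permissive", "0"))
    return rec

def summarize_denials(lines):
    """Count denials per (scontext, tcontext, tclass, permission), like a small aureport."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext"], rec["tcontext"], rec["tclass"], perm)] += 1
    return counts

def decode_proctitle(hex_value):
    """proctitle= is the argv vector hex-encoded with NUL separators; make it readable."""
    return bytes.fromhex(hex_value).decode("utf-8", "replace").replace("\x00", " ")
```

Feeding the real files through `summarize_denials(open("/var/log/audit/audit.log"))` gives the same grouping as the aureport rows above, and `decode_proctitle` turns the proctitle value from step [3] into "/usr/sbin/httpd -DFOREGROUND".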