Steve,

This machine is on a Marine Corps network and is undergoing DISA RHEL 5 STIG. We have a software package called CAARS which is simply an "After Action Review" suite of software. The CAARS grabs events from the simulation, audio, and a host of other items to enable the soldier to quickly put together an after action review with his troops to review the just completed training scenario.

CAARS has a mysql database. Post STIG I received a bug notice from OnTIME which said the /var/log/messages file is filling up fast. After a quick review, I noticed the log entry posted in this email chain. How did you "interpret" the log setting to retrieve the syscall "sched_setparam"? Anyhow I am not sure why we want this; I have no idea what the sched_setparam actually does. Did you do a lookup on the mysql syscall number? Again, I always appreciate your assistance.

V/R
Derek

Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.war...@riptidesoftware.com
derek.a.war...@us.army.mil

On Mon, Dec 9, 2013 at 9:32 AM, Steve Grubb <sgr...@redhat.com> wrote:
> On Friday, December 06, 2013 03:34:27 PM Derek Warner wrote:
> > ALCON,
> >
> > We have a Centos machine running Centos 6 and it uses mysql. When a
> > standard user operates the system, our /var/log/messages gets filled up
> > with around 2gb of audit data rather quickly. Here is the audit.
> >
> > Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
> > msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
> > exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
> > pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
> > egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
> > exe="/usr/libexec/mysqld" key=(null)
>
> People can more easily help if this were interpreted. It yields this:
>
> node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(12/06/2013
> 15:22:11.932:3572423) : arch=x86_64 syscall=sched_setparam success=no
> exit=-22(Invalid argument) a0=0x1f46 a1=0x7f5e6357e290 a2=0xd3b6f8
> a3=0x1f68
> items=0 ppid=2518 pid=8006 auid=unset uid=avahi gid=avahi euid=avahi
> suid=avahi fsuid=avahi egid=avahi sgid=avahi fsgid=avahi tty=(none)
> ses=unset
> comm=mysqld key=(null)
>
> > I have tried the following:
> >
> > -a exit,never -F path=/usr/libexec/mysqld
>
> This only stops events that supply a path as an argument.
>
> > When using "-F" I noticed in one RHEL forum someone used -F exe=
> >
> > However in CENTOS exe is not a recognized field when using -F
>
> True. You can look at the auditctl man page to see what is supported.
>
> > We do not wish to audit this data, can someone please help me exclude the
> > audit?
>
> What this is saying is that mysql is calling sched_setparam and getting
> EINVAL. I have to ask why you would want this? You also don't set a key for
> the event which makes later analysis more difficult. You could re-write
> the rule as follows:
>
> -a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL
>
> But this looks vaguely familiar...
> http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
>
> On page 12 I explain what's wrong with mysqld's code.
>
> -Steve
-- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
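The raw record from the thread, decoded into the interpreted form Steve shows (arch, syscall name, errno, unset auid) and then checked against his rewritten rule to show why the EINVAL failures stop being logged. This is an added example, not code from the thread or from the audit userspace tools; the syscall table is a one-entry stand-in for the real x86_64 table, and the uid lookup falls back to the number where uid 496 is not the avahi user.

```python
import errno
import os
import pwd
import re

# Constructed sample: the raw SYSCALL record quoted in the thread, syslog prefix removed.
RAW_RECORD = (
    'node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(1386361331.932:3572423): '
    'arch=c000003e syscall=142 success=no exit=-22 a0=1f46 a1=7f5e6357e290 '
    'a2=d3b6f8 a3=1f68 items=0 ppid=2518 pid=8006 auid=4294967295 uid=496 '
    'gid=492 euid=496 suid=496 fsuid=496 egid=492 sgid=492 fsgid=492 '
    'tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" key=(null)'
)

# The arch field packs the ELF machine id with 64-bit and little-endian flag bits.
ARCH_NAMES = {0xC000003E: "x86_64", 0x40000003: "i386"}
# Assumed partial x86_64 syscall table; a real tool carries the full kernel table.
SYSCALL_NAMES_X86_64 = {142: "sched_setparam"}
UNSET = 0xFFFFFFFF  # auid/ses value for "no login session"; ausearch prints 'unset'

def parse_record(raw):
    """Split a raw audit record into key=value fields, dropping surrounding quotes."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', raw)}
    m = re.match(r'audit\((\d+\.\d+):(\d+)\)', fields["msg"])
    fields["time"], fields["serial"] = float(m.group(1)), int(m.group(2))
    return fields

def interpret(fields):
    """Decode the numeric fields the way `ausearch -i` renders them."""
    exit_code = int(fields["exit"])
    uid = int(fields["uid"])
    try:
        user = pwd.getpwuid(uid).pw_name  # 496 resolved to 'avahi' on the poster's host
    except KeyError:
        user = str(uid)  # unknown uid on this box: keep the number
    return {
        "arch": ARCH_NAMES.get(int(fields["arch"], 16), fields["arch"]),
        "syscall": SYSCALL_NAMES_X86_64.get(int(fields["syscall"]), fields["syscall"]),
        "exit": f"{exit_code}({os.strerror(-exit_code)})" if exit_code < 0 else str(exit_code),
        "auid": "unset" if int(fields["auid"]) == UNSET else fields["auid"],
        "uid": user,
        "comm": fields["comm"],
    }

def matches_rewritten_rule(fields):
    """True if '-a always,exit -F arch=b64 -S sched_setparam -F exit!=-EINVAL' logs it."""
    info = interpret(fields)
    return (info["arch"] == "x86_64" and info["syscall"] == "sched_setparam"
            and int(fields["exit"]) != -errno.EINVAL)
```

Feeding the record through `matches_rewritten_rule` returns False, which is exactly the flood of EINVAL failures the rewritten rule drops; a successful sched_setparam call from mysqld would still be logged.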