22 SELinux Analyzing logs: grep AVC /var/log/audit/audit.log, /var/log/messages, sealert -l ID
The setroubleshoot utility is used to analyze SELinux denials; check that it is installed:
[root@localhost tmp]# yum list installed | grep setrou
setroubleshoot.x86_64 3.2.27.2-3.el7 @base
setroubleshoot-plugins.noarch 3.0.64-2.1.el7 @base
setroubleshoot-server.x86_64 3.2.27.2-3.el7 @base
[root@localhost tmp]#
=============================
All SELinux denials are recorded by auditd in /var/log/audit/audit.log; the sedispatch process under auditd below is the audispd plugin that forwards them to setroubleshoot for analysis.
[root@localhost tmp]# systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2017-09-22 12:53:52 EDT; 21h ago
Docs: man:auditd(8)
https://people.redhat.com/sgrubb/audit/
Process: 678 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Main PID: 677 (auditd)
CGroup: /system.slice/auditd.service
├─677 /sbin/auditd -n
├─688 /sbin/audispd
└─690 /usr/sbin/sedispatch
Sep 22 12:53:52 localhost.localdomain systemd[1]: Starting Security Auditing Service...
Sep 22 12:53:52 localhost.localdomain auditd[677]: Started dispatcher: /sbin/audisp...8
Sep 22 12:53:52 localhost.localdomain audispd[688]: priority_boost_parser called wi...4
Sep 22 12:53:52 localhost.localdomain audispd[688]: max_restarts_parser called with: 10
Sep 22 12:53:52 localhost.localdomain audispd[688]: audispd initialized with q_dept...s
Sep 22 12:53:52 localhost.localdomain augenrules[678]: /sbin/augenrules: No change
Sep 22 12:53:52 localhost.localdomain auditd[677]: Init complete, auditd 2.6.5 list...)
Sep 22 12:53:52 localhost.localdomain systemd[1]: Started Security Auditing Service.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost tmp]#
===============================
SELinux denials appear in the audit log as records of type AVC (or USER_AVC for userspace object managers such as dbus and systemd), so grep for AVC. Empty output, as here, means no denial has been recorded in the current audit.log; rotated logs (audit.log.1 and so on) can be covered with ausearch -m AVC,USER_AVC.
[root@localhost tmp]# grep AVC /var/log/audit/audit.log
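As an added example, not code from the original post, the script below does the triage that setroubleshoot automates: it reads AVC and USER_AVC records, pulls out the permission, source context, target context, object class and command, and counts how often each denial tuple occurs. The records in SAMPLE_AUDIT are constructed for this example in the RHEL 7 audit record layout; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): triage SELinux denials straight
# from audit.log records without setroubleshoot. The records in SAMPLE_AUDIT are
# constructed for this example. On a live host feed the functions with
#   grep -E 'type=(USER_)?AVC' /var/log/audit/audit.log
# or
#   ausearch -m AVC,USER_AVC -ts today --raw

SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1506178088.261:201): avc:  denied  { getattr } for  pid=6941 comm="httpd" path="/srv/web/index.html" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1506178088.261:201): arch=c000003e syscall=4 success=no exit=-13 a0=55d2c3b0 a1=7ffd3e40 a2=0 a3=0 items=0 ppid=6933 pid=6941 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1506178090.103:202): avc:  denied  { read } for  pid=6941 comm="httpd" name="index.html" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1506178095.552:203): avc:  denied  { name_connect } for  pid=6941 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1506178095.553:204): avc:  denied  { name_connect } for  pid=6941 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=USER_AVC msg=audit(1506178100.010:205): pid=720 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=StartUnit dest=org.freedesktop.systemd1 spid=7002 tpid=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
EOF
)

# Print the value of key=value (surrounding quotes stripped) from one audit
# record, or "-" if the key is absent. $1 = record, $2 = key. The leading space
# lets the pattern anchor on whitespace even for a key at the start of the line.
avc_field() {
    printf ' %s\n' "$1" \
        | sed -n -E "s/.*[[:space:]]$2=\"?([^\"[:space:]]+).*/\1/p" \
        | grep . || printf '%s\n' '-'
}

# Print the denied permission set from the "{ ... }" part of a denial, or "-".
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n -E 's/.*denied[[:space:]]+[{][[:space:]]*([^}]*[^}[:space:]])[[:space:]]*[}].*/\1/p' \
        | grep . || printf '%s\n' '-'
}

# Read audit records on stdin, keep only AVC/USER_AVC denials, and count each
# (permission, source context, target context, class, comm) tuple, most
# frequent first. SYSCALL and other record types are skipped.
avc_summary() {
    while IFS= read -r line; do
        case $line in
            type=AVC*denied*|type=USER_AVC*denied*) ;;
            *) continue ;;
        esac
        printf '%s %s -> %s (%s) comm=%s\n' \
            "$(avc_perms "$line")" \
            "$(avc_field "$line" scontext)" \
            "$(avc_field "$line" tcontext)" \
            "$(avc_field "$line" tclass)" \
            "$(avc_field "$line" comm)"
    done | sort | uniq -c | sort -rn
}

# Count denials with permissive=1: these were logged but NOT blocked (permissive
# mode or a permissive domain), so do not read them as enforced denials.
avc_count_permissive() {
    grep -c -E 'type=(USER_)?AVC.*permissive=1' || true
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf 'logged but not enforced (permissive=1): %s\n' \
    "$(printf '%s\n' "$SAMPLE_AUDIT" | avc_count_permissive)"
```

Each output line is the tuple you would otherwise read out of a sealert report, and the count tells you which denial to chase first; the USER_AVC record shows up with comm=- because dbus reports exe= instead of comm=. On a live host replace the sample with `ausearch -m AVC,USER_AVC -ts today --raw | avc_summary`.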
[root@localhost tmp]# cat /var/log/messages | more
Sep 17 11:18:02 localhost rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid
="1021" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Sep 17 11:18:04 localhost systemd: Removed slice user-0.slice.
Sep 17 11:18:04 localhost systemd: Stopping user-0.slice.
Sep 23 10:48:08 localhost dhclient[6933]: DHCPREQUEST on ens33 to 192.168.50.254 port 67 (xid=0xfe338ba)
Sep 23 10:48:08 localhost dhclient[6933]: DHCPACK from 192.168.50.254 (xid=0xfe338ba)
Sep 23 10:48:08 localhost NetworkManager[787]: <info> [1506178088.2612] dhcp4 (ens33): address 192.168.50.131
Sep 23 10:48:08 localhost NetworkManager[787]: <info> [1506178088.2622] dhcp4 (ens33): plen 24 (255.255.255.0)
Sep 23 10:48:08 localhost NetworkManager[787]: <info> [1506178088.2622] dhcp4 (ens33): gateway 192.168.50.2
Sep 23 10:48:08 localhost NetworkManager[787]: <info> [1506178088.2623] dhcp4 (ens33): server identifier 192.168.50.254
Sep 23 10:48:08 localhost NetworkManager[787]: <info> [1506178088.2623] dhcp4 (ens33): lease time 1800
Sep 23 10:48:08 localhost NetworkManager[787]: <info> [1506178088.2623] dhcp4 (ens33): nameserver '192.168.50.2'
Sep 23 10:48:08 localhost NetworkManager[787]: <info> [1506178088.2623] dhcp4 (ens33): domain name 'localdomain'
Sep 23 10:48:08 localhost NetworkManager[787]: <info> [1506178088.2624] dhcp4 (ens33): state changed bound -> bound
Sep 23 10:48:08 localhost dbus[720]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Sep 23 10:48:08 localhost systemd: Starting Network Manager Script Dispatcher Service...
Sep 23 10:48:08 localhost dbus-daemon: dbus[720]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Sep 23 10:48:08 localhost dhclient[6933]: bound to 192.168.50.131 -- renewal in 806 seconds.
Once setroubleshoot has processed a denial, /var/log/messages carries a one-line summary from setroubleshoot that ends with the ID to pass to sealert. To see the full analysis, including the suggested fix, run sealert with that ID (sealert -a /var/log/audit/audit.log analyzes the whole audit log instead):
sealert -l 6d267f14.......