Displaying 20 results from an estimated 20000 matches similar to: "Interpreting audit logs?"
2020 Feb 13
3
CentOS 7, Fail2ban and SELinux
Hi,
I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive
mode for debugging. I've removed FirewallD and replaced it with a custom-made
Iptables script. I've also installed and configured Fail2ban (fail2ban-server
package) to protect the server from brute force attacks.
Out of the box, Fail2ban doesn't seem to play well with SELinux. Here's what I
2017 Sep 22
2
selinux prevents lighttpd from printing
PS: Now I found this:
type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root
2017 Sep 22
1
selinux prevents lighttpd from printing
Daniel Walsh wrote:
> On 09/22/2017 06:58 AM, hw wrote:
>>
>> PS: Now I found this:
>>
>>
>> type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
>> type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1
2020 Feb 26
5
CentOS 7 : SELinux trouble with Fail2ban
Hi,
Some time ago I had SELinux problems with Fail2ban. One of the users on this
list suggested that it might be due to the fact that I'm using a bone-headed
iptables script instead of FirewallD.
I've spent the past few weeks getting up to date with doing things in a more
orthodox manner. So currently my internet-facing CentOS server has a nicely
configured NetworkManager, and
2018 May 05
2
Samba Audit Logs
Hi,
My apologies if this isn't the right place to ask this question.
We have been trying to set up auditing in Samba but can't seem to get it to work.
The audit log file is empty and we see some entries about file/folders in
the /var/log/samba/%m but not the actual audit bits. Can someone please
assist or point in the correct direction?
syslog = 0
log file = /var/log/samba/%m
Log level = 0
2009 Feb 09
2
dovecot logs to audit.log not to maillog
Hello,
I have a curious phenomenon.
Dovecot logs normally to /var/log/maillog.
If I restart my server, dovecot logs to /var/log/audit/audit.log.
If I restart dovecot, dovecot logs to /var/log/maillog again.
And I think, when logrotate is restarting, dovecot logs to audit.log.
But I don't know why.
Any Ideas?
greetings Ralf
2014 Aug 21
1
CentOS Digest, Vol 115, Issue 21
On Thursday, August 21, 2014 12:00:03 centos-request at centos.org wrote:
> Re: [CentOS] SELinux vs. logwatch and virsh
> From: Daniel J Walsh <dwalsh at redhat.com>
> To: CentOS mailing list <centos at centos.org>
>
> On 08/18/2014 02:13 PM, Bill Gee wrote:
> > Hi Dan -
> >
> > "ausearch -m avc -ts recent" produces no output. If I run it
2017 Sep 20
2
selinux prevents lighttpd from printing
On 09/20/2017 07:19 AM, hw wrote:
> hw wrote:
>>
>> Hi,
>>
>> how do I allow CGI programs to print (using 'lpr -P some-printer
>> some-file.pdf') when
>> lighttpd is being used for a web server?
>>
>> When selinux is permissive, the printer prints; when it's enforcing,
>> the printer
>> does not print, and I'm getting the log
2007 Sep 03
1
Linux User Auditing
Is it possible to audit the Linux User Shell? I am trying to gather what
commands a user is running on our systems.
Can auditd handle this?
TIA
2020 Feb 26
3
CentOS 7 : SELinux trouble with Fail2ban
On Feb 26, 2020, at 08:52, Nicolas Kovacs <info at microlinux.fr> wrote:
>
>> On 26/02/2020 at 11:51, Nicolas Kovacs wrote:
>> SELinux is preventing /usr/bin/python2.7 from read access on the file disable.
>> ***** Plugin catchall (100. confidence) suggests *****
>> If you believe that python2.7 should be allowed read access on the disable file by default.
2013 Jun 12
1
Audit logs containing 28756E6B6E6F776E207573657229
Hi.
I'm seeing a lot of entries in /var/log/audit/audit.log
acct=28756E6B6E6F776E207573657229, which apparently means "unknown user".
Sample from the logs :
type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0
auid=4294967295 ses=4294967295 msg='op=login
acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=?
addr=127.0.0.1 terminal=ssh
2019 Jan 18
1
SElinux AVC signull
Hi Leon,
I don't have access to a CentOS 6.10 system handy, but it looks like a
policy issue. If I take your ausearch output and pipe it to
audit2allow on my CentOS 7.6 system, I get the following:
#============= httpd_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_t httpd_sys_script_t:process signull;
Noting that on my 7.6 system with selinux enforcing
2018 Sep 09
2
Type enforcement / mechanism not clear
Any SElinux expert here - briefly:
# getenforce
Enforcing
# sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t
<no output>
# sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t
<no output>
# ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf
-rw-r--r--. root root
2018 May 06
1
Samba Audit Logs
I think the issue is permissions related. I changed the log location to
/tmp/audit.log and now it is populating. What should be the permissions for
/var/log/samba/audit.log?
On Mon, May 7, 2018 at 12:29 AM, Robin G <robinghere3 at gmail.com> wrote:
> Hi Rowland,
>
> Thank you.
>
> I tried both options. The following is using option 2
> [global]
> vfs objects =
2018 Mar 09
3
SELinux breaks Squid's ssl_crtd helper
Hi,
I've setup a transparent HTTP+HTTPS proxy on my server running CentOS 7,
using Squid. Here's my configuration file.
--8<----------------------------------------------------------------
# /etc/squid/squid.conf
# Definitions
acl localnet src 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port
2020 Jul 25
3
tmpfs / selinux issue
Hi all,
I have some AVC in the logs and wonder how to resolve this: Under
EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs.
# tail -1 /etc/fstab
tmpfs /var/lib/php/session tmpfs defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0" 0 0
# df -a |grep php
tmpfs 16384 0 16384 0%
2018 May 05
2
Samba Audit Logs
On Sat, 5 May 2018 11:11:21 -0300
"Ethy H. Brito via samba" <samba at lists.samba.org> wrote:
> On Sat, 5 May 2018 23:40:47 +1000
> Robin G via samba <samba at lists.samba.org> wrote:
>
> ...
>
>
> > full_audit:prefix = %u|%I|%S
> > full_audit:failure = none
> > full_audit:success = mkdir rmdir read pread write pwrite
2019 Oct 17
2
Transient permission denied errors when sending audit logs
Hi,
In kubevirt we are running into a strange permission problem on
libvirt-5.0. We see transient "Permission Denied" errors when "virAuditSend"
wants to send an audit log. [1] shows the logs of one of these containers.
Here an example:
{"component":"virt-launcher","level":"warning","msg":"Failed to send audit
message
2018 Jan 30
4
logging in
This is.... odd.
We're seeing a *lot* of
sshd[8400]: Timeout, client not responding.
So I'm trying to find out whose client is having issues. Trying to figure
that out, after the processes are gone, I tried looking in lastlog, which is where
it gets odd. lastlog shows root coming in, and it shows a security account
coming in... years ago.
I see one of our users logging in a goodly number of
2019 Jul 30
4
doveadm: Error: open(/proc/self/io) failed
On 30.07.2019 20:07, Tom Diehl via dovecot wrote:
>
> Does anyone have an Idea how to fix this?
>
> Regards,
>
Perhaps see if there are any denials in SELinux audit log:
sudo grep denied /var/log/audit/audit.log | grep dovecot | audit2allow -a
Good luck,
Reio
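The posts above quote audit records in three shapes: the `ausearch -i` rendering of a SYSCALL/PROCTITLE pair (the sendmail setgroups EPERM), a raw USER_LOGIN record whose acct field is hex-encoded (28756E6B6E6F776E207573657229 decodes to "(unknown user)"; the kernel hex-encodes string fields that contain a space, a double quote or a control byte), and the grep-denied-into-audit2allow one-liner. The following is an added example, not code from any of the posts and not part of audit, ausearch or the SELinux tools: a small Python parser for raw audit.log records that decodes hex-encoded fields, maps auid/ses 4294967295 to "unset", groups records by serial into events, joins each AVC denial with the SYSCALL and PROCTITLE records of the same event, and lists failed logins. The sample records are constructed and modelled on the ones quoted in the thread; the regexes and the HEX_FIELDS set are assumptions about the raw record format, not the auparse library's rules.

```python
import re
from collections import defaultdict

UNSET_ID = "4294967295"  # (unsigned)-1: loginuid / session id never set

# Raw record layout (not `ausearch -i` output): type=T msg=audit(SECS.MS:SERIAL): BODY
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# AVC bodies carry a verdict and a permission set before the key=value fields
AVC_RE = re.compile(
    r"^avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value with bare, "double-quoted" or 'single-quoted' values (USER_* records nest msg='...')
FIELD_RE = re.compile(
    r"""(?P<k>[A-Za-z0-9_\-]+)=(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>\S+))""")
# String fields the kernel hex-encodes when the value holds a space, quote or control byte (assumed list)
HEX_FIELDS = {"acct", "proctitle", "cwd", "name", "comm", "exe", "cmd", "path", "key"}

def decode_field(key, value, quoted):
    """Turn a hex-encoded string field back into text; leave every other value alone."""
    if quoted or key not in HEX_FIELDS or not re.fullmatch(r"(?:[0-9A-F]{2})+", value):
        return value
    # proctitle separates argv[] entries with NUL bytes; render them as spaces
    return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")

def parse_fields(text):
    fields = {}
    for m in FIELD_RE.finditer(text):
        if m.group("sq") is not None:  # nested msg='op=... acct=... res=...'
            fields.update(parse_fields(m.group("sq")))
            continue
        quoted = m.group("dq") is not None
        fields[m.group("k")] = decode_field(m.group("k"), m.group("dq" if quoted else "bare"), quoted)
    for k in ("auid", "ses"):
        if fields.get(k) == UNSET_ID:
            fields[k] = "unset"
    return fields

def parse_record(line):
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("ts")), "serial": int(m.group("serial"))}
    body = m.group("body")
    a = AVC_RE.match(body) if rec["type"] == "AVC" else None
    if a:
        rec["verdict"], rec["perms"], body = a.group("verdict"), a.group("perms").split(), a.group("rest")
    rec["fields"] = parse_fields(body)
    return rec

def group_events(lines):
    """Records that share (timestamp:serial) describe one event; group them by serial."""
    events = defaultdict(list)
    for rec in map(parse_record, lines):
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)

def summarize_denials(events):
    """Join each AVC denial with the SYSCALL and PROCTITLE records of the same event."""
    out = []
    for serial, recs in sorted(events.items()):
        by_type = {r["type"]: r["fields"] for r in recs}
        sc, pt = by_type.get("SYSCALL", {}), by_type.get("PROCTITLE", {})
        for avc in recs:
            if avc["type"] != "AVC" or avc.get("verdict") != "denied":
                continue
            f = avc["fields"]
            out.append({"serial": serial, "perms": avc["perms"], "tclass": f.get("tclass"),
                        "scontext": f.get("scontext"), "tcontext": f.get("tcontext"),
                        "permissive": f.get("permissive"), "comm": f.get("comm"),
                        "exe": sc.get("exe"), "syscall": sc.get("syscall"),
                        "success": sc.get("success"), "proctitle": pt.get("proctitle")})
    return out

def failed_logins(events):
    """(account, source address) for every USER_LOGIN record that ended with res=failed."""
    return [(r["fields"].get("acct"), r["fields"].get("addr"))
            for recs in events.values() for r in recs
            if r["type"] == "USER_LOGIN" and r["fields"].get("res") == "failed"]

# Constructed sample (not real log data): a failed ssh login for a non-existent account, then one
# event (serial 1023) in which sendmail started under httpd_t is denied setgid and setgroups(2) fails.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1370998250.746:1622709): pid=16762 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
type=AVC msg=audit(1506074909.911:1023): avc:  denied  { setgid } for  pid=19418 comm="sendmail" capability=6  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1506074909.911:1023): arch=c000003e syscall=116 success=no exit=-1 a0=1 a1=7ffc1df3b0d0 a2=0 a3=7f5d77c3a300 items=0 ppid=19417 pid=19418 auid=4294967295 uid=991 gid=988 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1506074909.911:1023): proctitle=2F7573722F6C69622F73656E646D61696C002D74002D6F69
"""

if __name__ == "__main__":
    ev = group_events(SAMPLE_LOG.splitlines())
    for d in summarize_denials(ev):
        print(d)
    print(failed_logins(ev))
```

Run it against a real file with `group_events(open("/var/log/audit/audit.log"))`. Grouping by serial is what makes a denial readable: the AVC record alone says only which type was denied which permission on which class, while the SYSCALL record of the same event tells you whether the call actually failed (success=no, which it would not under permissive mode) and the PROCTITLE record gives the full command line. Decoding the hex fields first is what turns acct=28756E... into a value you can grep for.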