[Ossec-list] FW: /etc/init.d/ossec uid is 1000
- Subject: [Ossec-list] FW: /etc/init.d/ossec uid is 1000
- From: oleksander.panchuk at cbn-cis.org (Oleksander Panchuk)
- Date: Mon, 22 May 2006 14:57:51 +0300
Hello Kayvan.
There is one more thing.
I am looking at audit.log and see some more problems.
I am afraid it happened after installing ossec.
type=USER_CHAUTHTOK msg=audit(1147873219.824:1388): user pid=6677 uid=0 auid=500 msg='op=adding group acct=ossec exe="/usr/sbin/groupadd" (hostname=?, addr=?, terminal=pts/2 res=success)'
and below
type=AVC msg=audit(1147875302.562:1492): avc: denied { read } for pid=1873 comm="snmpd" name="hosts.deny" dev=dm-0 ino=8912917 scontext=system_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1147875302.562:1493): avc: denied { getattr } for pid=1873 comm="snmpd" name="hosts.deny" dev=dm-0 ino=8912917 scontext=system_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1147875724.663:1521): avc: denied { read } for pid=7525 comm="vsftpd" name="hosts.deny" dev=dm-0 ino=8912917 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
There are a lot of those messages.
I looked at /etc/hosts.deny:
> ls -Z
-rw-r--r-- root ossec system_u:object_r:initrc_tmp_t /etc/hosts.deny
What do you think about it?
Best Regards,
Aleksander.
> -----Original Message-----
> From: Oleksander Panchuk [mailto:oleksander.panchuk at cbn-cis.org]
> Sent: Friday, May 19, 2006 5:20 PM
> To: 'Kayvan A. Sylvan'
> Cc: 'ossec-list at ossec.net'
> Subject: RE: [Ossec-list] /etc/init.d/ossec uid is 1000
>
> Thank you very much Kayvan.
>
> It happened only one time.
>
> I ran
> >/usr/sbin/audit2why < /var/log/audit.log
>
> type=AVC msg=audit(1147955658.066:3615): avc: denied { recvfrom } for pid=2376 comm="ossec-analysisd" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> Was caused by:
> Missing or disabled TE allow rule.
> Allow rules may exist but be disabled by boolean settings;
> check boolean settings.
> You can see the necessary allow rules by running
> audit2allow with this audit message as input.
>
> And "audit2allow" said:
> allow unlabeled_t self:association recvfrom;
>
> Best regards,
> Oleksander.
>
> > -----Original Message-----
> > From: Kayvan A. Sylvan [mailto:kayvan at sylvan.com]
> > Sent: Friday, May 19, 2006 2:06 AM
> > To: Oleksander Panchuk; ossec-list at ossec.net
> > Subject: Re: [Ossec-list] /etc/init.d/ossec uid is 1000
> >
> > Hi Oleksander,
> >
> > Run
> >
> > /usr/sbin/audit2why < /var/log/audit.log
> >
> > And tell us what you see.
> >
> > I am running FC4 with the targeted policy and have no problems.
> >
> > ---Kayvan
> >
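The snmpd and vsftpd denials at the top of this thread are not a missing policy rule but a mislabeled file: /etc/hosts.deny carries a transient type (tmp_t / initrc_tmp_t) instead of the one the policy expects for /etc. As an added example that is not part of this thread, the following Python parses AVC records like the ones posted and reports files hit by that pattern; the sample records are constructed from the values quoted above, and the set of "tmp" types is an assumption chosen for this check.

```python
import re
from typing import Dict, Optional

# Constructed sample modelled on the records posted in this thread (same field values,
# each record rejoined onto one line); the USER_CHAUTHTOK record is there as a non-AVC line.
SAMPLE_AUDIT_LOG = """\
type=USER_CHAUTHTOK msg=audit(1147873219.824:1388): user pid=6677 uid=0 auid=500 msg='op=adding group acct=ossec exe="/usr/sbin/groupadd" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=AVC msg=audit(1147875302.562:1492): avc: denied { read } for pid=1873 comm="snmpd" name="hosts.deny" dev=dm-0 ino=8912917 scontext=system_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1147875302.562:1493): avc: denied { getattr } for pid=1873 comm="snmpd" name="hosts.deny" dev=dm-0 ino=8912917 scontext=system_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1147875724.663:1521): avc: denied { read } for pid=7525 comm="vsftpd" name="hosts.deny" dev=dm-0 ino=8912917 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r"^type=AVC .*?avc: +denied +\{ (?P<perms>[^}]*)\} for (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed set of types for transient files. A regular file under /etc carrying one of them
# was most likely created elsewhere (or by an init script) and copied into place unrelabeled.
TMP_TYPES = {"tmp_t", "initrc_tmp_t", "user_tmp_t"}


def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of one AVC 'denied' record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    parts = rec.get("tcontext", "").split(":")  # user:role:type:level
    rec["ttype"] = parts[2] if len(parts) > 2 else ""
    return rec


def find_mislabeled(log_text: str) -> Dict[str, dict]:
    """Group denials on files whose target type is a tmp type, keyed by name@dev:inode."""
    found: Dict[str, dict] = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "file" or rec["ttype"] not in TMP_TYPES:
            continue
        key = f'{rec.get("name")}@{rec.get("dev")}:{rec.get("ino")}'
        f = found.setdefault(key, {"ttype": rec["ttype"], "comms": set(), "perms": set()})
        f["comms"].add(rec.get("comm", "?"))
        f["perms"].update(rec["perms"])
    # Sorted lists keep the report stable.
    return {k: {"ttype": v["ttype"], "comms": sorted(v["comms"]), "perms": sorted(v["perms"])}
            for k, v in found.items()}


if __name__ == "__main__":
    for key, f in find_mislabeled(SAMPLE_AUDIT_LOG).items():
        print(f'{key}: type {f["ttype"]} denied {f["perms"]} to {f["comms"]}')
```

For a file flagged this way the remedy is to restore the policy's default label (`restorecon -v /etc/hosts.deny`) rather than to add an allow rule for tmp_t, which would let every daemon read temporary files.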
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.