Rob's web

Audit

The Linux Audit system provides a way to track security-relevant information on your system. Based on pre-configured rules, Audit generates log entries to record as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine the violator of the security policy and the actions they performed. Audit does not provide additional security to your system; rather, it can be used to discover violations of security policies used on your system. These violations can further be prevented by additional security measures such as SELinux.

Prerequisites

Install the one package that will make your life eternally easier:

# dnf install policycoreutils-python-utils

Audit2why

Translates SELinux audit messages into a description of why the access was denied

Description

This utility processes SELinux audit messages from standard input and reports which component of the policy caused each permission denial, based on the policy file given with the -p option or the active policy otherwise. There are three possible causes:

  1. a missing or disabled TE allow rule,
  2. a constraint violation, or
  3. a missing role allow rule.

In the first case, the TE allow rule may exist in the policy but may be disabled due to boolean settings. See booleans(8). If the allow rule is not present at all, it can be generated via audit2allow. In the second case, a constraint is being violated; see policy/constraints or policy/mls to identify the particular constraint. Typically, this can be resolved by adding a type attribute to the domain. In the third case, a role transition was attempted but no allow rule existed for the role pair. This can be resolved by adding an allow rule for the role pair to the policy.

# audit2why < /var/log/audit/audit.log
type=AVC msg=audit(1741055597.883:2167): avc:  denied  { open } for  pid=8435 comm="cleanup" path="/etc/my.cnf" dev="sdb3" ino=134248978 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

Audit2allow

# audit2allow -i /var/log/audit/audit.log


#============= awstats_t ==============

#!!!! This avc is allowed in the current policy
allow awstats_t node_t:udp_socket node_bind;

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t unconfined_service_t:unix_stream_socket connectto;

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t mysqld_etc_t:file open;
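To make clear what audit2why and audit2allow are doing with the AVC records above, here is a small added example (not part of the original page, and not the code of the setools/policycoreutils project) that parses AVC lines the way the two tools read them, merges the denied permissions per source type, target type and class into the same `allow` rule shape audit2allow prints, and separately reports denials with permissive=1, where the access actually went through and was only logged. The first sample record is the page's own; the other records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of audit.log content. The first AVC line is the page's own
# record; the SYSCALL line and the remaining AVC lines are made up to show a
# second permission on the same object and a denial from a permissive domain.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1741055597.883:2167): avc:  denied  { open } for  pid=8435 comm="cleanup" path="/etc/my.cnf" dev="sdb3" ino=134248978 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1741055597.883:2167): arch=c000003e syscall=257 success=no exit=-13 comm="cleanup"
type=AVC msg=audit(1741055598.104:2168): avc:  denied  { read } for  pid=8435 comm="cleanup" path="/etc/my.cnf" dev="sdb3" ino=134248978 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1741055601.220:2171): avc:  denied  { connectto } for  pid=9102 comm="httpd" path="/run/example.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
"""

# Header of an AVC record: timestamp:serial, decision, the { perm ... } set,
# then the free-form key=value fields after "for".
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        # A security context is user:role:type[:level]; the type is field 2.
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # permissive=1: the domain is permissive, so the access succeeded and
        # only the denial was logged.
        "permissive": fields.get("permissive") == "1",
        "comm": fields.get("comm"),
        "path": fields.get("path"),
    }


def parse_audit_log(text):
    """Return all AVC records found in a chunk of audit.log text."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def suggest_allow_rules(records):
    """Merge denied permissions per (source type, target type, class) and render
    them grouped by source type, in the shape audit2allow prints."""
    merged = defaultdict(set)
    for r in records:
        if r["decision"] == "denied":
            merged[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    by_source = defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        by_source[stype].append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return dict(by_source)


def permissive_denials(records):
    """Denials logged by a permissive domain: these accesses were not blocked."""
    return [r for r in records if r["permissive"]]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for stype, rules in suggest_allow_rules(recs).items():
        print(f"#============= {stype} ==============")
        for rule in rules:
            print(rule)
    for r in permissive_denials(recs):
        print(f"# permissive domain: {r['stype']} ({r['comm']}) serial {r['serial']}")
```

The grouping step is the part worth understanding before running `audit2allow -M`: every denied permission in the log becomes an `allow` rule, so a single misconfigured service can produce a module that opens far more than intended. Read the generated `.te` file and drop rules you do not recognise before loading the module with `semodule -i`.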

Using audit2allow to generate and build module policy

# cat /var/log/audit/audit.log | audit2allow -M local
.....
# semodule -i local.pp

Links