RE: FC4 and No logs and Audit-logs

From: Tomas Larsson (ktl_at_bornet.net)
Date: 07/23/05

    To: "'For users of Fedora Core releases'" <fedora-list@redhat.com>
    Date: Sat, 23 Jul 2005 13:33:09 +0200

    Looking in the "/var/logs/audit/audit.log"

    I'll find the following entry:
    type=AVC msg=audit(1122113324.490:351515): avc: denied { read } for
    pid=2866 comm="syslogd" name="syslog.conf" dev=dm-0 ino=653814
    scontext=root:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t
    tclass=file
    type=SYSCALL msg=audit(1122113324.490:351515): arch=40000003 syscall=5
    success=no exit=-13 a0=2998c6 a1=0 a2=1b6 a3=98f1298 items=1 pid=2866
    auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
    comm="syslogd" exe="/sbin/syslogd"

    It seems that syslogd is being denied permission to do its job.

    With best regards

    Tomas Larsson
    Sweden

    Verus Amicus Est Tamquam Alter Idem

    > -----Original Message-----
    > From: fedora-list-bounces@redhat.com
    > [mailto:fedora-list-bounces@redhat.com] On Behalf Of Tomas Larsson
    > Sent: Saturday, July 23, 2005 1:12 PM
    > To: 'For users of Fedora Core releases'
    > Subject: RE: FC4 and No logs
    >
    >
    > > -----Original Message-----
    > > From: fedora-list-bounces@redhat.com
    > > [mailto:fedora-list-bounces@redhat.com] On Behalf Of Tomas Larsson
    > > Sent: Saturday, July 23, 2005 9:09 AM
    > > To: 'For users of Fedora Core releases'
    > > Subject: RE: FC4 and No logs
    > >
    > >
    > > > -----Original Message-----
    > > > From: fedora-list-bounces@redhat.com
    > > > [mailto:fedora-list-bounces@redhat.com] On Behalf Of
    > Thomas Cameron
    > > > Sent: Saturday, July 23, 2005 1:33 AM
    > > > To: For users of Fedora Core releases
    > > > Subject: Re: FC4 and No logs
    > > >
    > > >
    > > > On Fri, 2005-07-22 at 21:29 +0200, Tomas Larsson wrote:
    > > > > For some strange reason, the logging seems to have stopped; boot,
    > > > > messages, secure etc. haven't logged anything since yesterday.
    > > > >
    > > > > Anyone got any clues?
    > > > >
    > > > >
    > > > > With best regards
    > > > >
    > > > > Tomas Larsson
    > > > > Sweden
    > > > >
    > > > > Verus Amicus Est Tamquam Alter Idem
    > > >
    > > > That sounds like a potentially bad thing - some cracks involve
    > > > killing off logging so that the sysadmin can't see what the bad guy
    > > > is doing. Are you sure your system isn't compromised?
    > > > --
    > > > Thomas Cameron, RHCE, CNE, MCSE, MCT
    > > > 512-241-0774 (office)
    > > > 512-924-8592 (cell)
    > > >
    > > > --
    > > > fedora-list mailing list
    > > > fedora-list@redhat.com
    > > > To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
    > > >
    > >
    > >
    > > Can't think that it's being compromised (you never know, do
    > > you), got it up and running the same day.
    > > If it is compromised, then there is a serious flaw within FEDORA.
    > >
    > > My thinking is that I've done something else. Syslogd is
    > > running, so it must be something else; the question is what, though.
    > >
    > >
    > > With best regards
    > >
    > > Tomas Larsson
    > > Sweden
    > >
    > > Verus Amicus Est Tamquam Alter Idem
    > >
    >
    > When I do a "service syslog status", I'm getting the
    > following response, translated to English:
    >
    > Syslogd is dead, but PID exists
    > Klogd (pid 1512) is running
    >
    > On the console I'm getting "syslogd:0 /dev/console: permission denied"
    >
    > I'm starting to think that it might be selinux that has
    > screwed something up.
    >
    > With best regards
    >
    > Tomas Larsson
    > Sweden
    >
    > Verus Amicus Est Tamquam Alter Idem
    >

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
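Added example, not part of the thread: a small Python parser for audit.log excerpts like the one quoted above. It re-joins lines the mail client wrapped, pairs each AVC record with its SYSCALL record by audit serial number (the second number inside msg=audit(...)), and reports which SELinux domain was denied which permission on which file, so a sysadmin can pick out denials that silence a logging daemon. The sample input is the excerpt from the post; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the two records quoted in the post, wrapped as the mail shows them.
SAMPLE_AUDIT_LOG = """
type=AVC msg=audit(1122113324.490:351515): avc: denied { read } for
pid=2866 comm="syslogd" name="syslog.conf" dev=dm-0 ino=653814
scontext=root:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t
tclass=file
type=SYSCALL msg=audit(1122113324.490:351515): arch=40000003 syscall=5
success=no exit=-13 a0=2998c6 a1=0 a2=1b6 a3=98f1298 items=1 pid=2866
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="syslogd" exe="/sbin/syslogd"
"""

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
AVC_RE = re.compile(r'avc: +(denied|granted) +\{ ([^}]*) \} +for +(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(log_text):
    """Re-join records a mail client wrapped: a line not starting 'type=' continues the one before."""
    return re.sub(r'\n(?!type=)', ' ', log_text.strip()).splitlines()

def parse_fields(text):
    """Turn 'k=v k2="v 2"' into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse_audit(log_text):
    """Group the AVC and SYSCALL records that share one audit serial number."""
    events = defaultdict(dict)
    for m in filter(None, map(HEADER_RE.match, unwrap(log_text))):
        rtype, ts, serial, body = m.groups()
        events[serial]['time'] = float(ts)
        if rtype == 'AVC' and (a := AVC_RE.search(body)):
            events[serial]['avc'] = dict(parse_fields(a.group(3)),
                                         result=a.group(1), perms=a.group(2).split())
        elif rtype == 'SYSCALL':
            events[serial]['syscall'] = parse_fields(body)
    return dict(events)

def denials_for(events, comm):
    """Summarise denials hitting the named daemon: what it tried, on what, from which domain."""
    out = []
    for serial, ev in sorted(events.items()):
        avc, sc = ev.get('avc', {}), ev.get('syscall', {})
        if avc.get('result') == 'denied' and avc.get('comm') == comm:
            out.append({'serial': serial, 'perms': avc['perms'], 'name': avc.get('name'),
                        'scontext': avc['scontext'], 'tcontext': avc['tcontext'], 'tclass': avc['tclass'],
                        'syscall': sc.get('syscall'), 'exit': int(sc['exit']) if 'exit' in sc else None})
    return out
```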
    

