fapolicyd, adding a program

I'm trying to decipher the audit logs.

I'm the only user of the box, but there are several accounts. My server is set up as a web server with Webmin/Virtualmin. I have several unprivileged accounts configured (no shell access), and the UID in these audit logs belongs to one of those accounts. I'm trying to work out what is generating these messages.

It looks like something is trying to use systemd? I'm not sure why it shows up as '(ystemctl)'.

----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.887:649076): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.887:649076): item=0 name="/sys/fs/cgroup/cpu/cgroup.procs" inode=2 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.887:649076): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.887:649076): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6edb120 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.888:649077): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.888:649077): item=0 name="/sys/fs/cgroup/cpuacct/cgroup.procs" inode=2 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.888:649077): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.888:649077): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6edb120 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.890:649081): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.890:649081): item=0 name="/sys/fs/cgroup/blkio/cgroup.procs" inode=2 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.890:649081): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.890:649081): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6edb120 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.891:649082): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.891:649082): item=0 name="/sys/fs/cgroup/memory/user.slice/user-1006.slice/user@1006.service/cgroup.procs" inode=1446660 dev=00:23 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.891:649082): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.891:649082): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6eadb70 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.891:649083): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.891:649083): item=0 name="/sys/fs/cgroup/memory/user.slice/user-1006.slice/cgroup.procs" inode=1446564 dev=00:23 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.891:649083): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.891:649083): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6e92e20 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.892:649084): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.892:649084): item=0 name="/sys/fs/cgroup/memory/user.slice/cgroup.procs" inode=1540 dev=00:23 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.892:649084): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.892:649084): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6ec23f0 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.892:649085): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.892:649085): item=0 name="/sys/fs/cgroup/memory/cgroup.procs" inode=2 dev=00:23 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.892:649085): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.892:649085): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6edb120 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.893:649086): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.893:649086): item=0 name="/sys/fs/cgroup/devices/user.slice/cgroup.procs" inode=1404 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.893:649086): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.893:649086): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6ec23f0 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.893:649089): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.893:649089): item=0 name="/sys/fs/cgroup/devices/cgroup.procs" inode=2 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.893:649089): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.893:649089): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6edb120 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.894:649091): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.894:649091): item=0 name="/sys/fs/cgroup/pids/user.slice/user-1006.slice/user@1006.service/cgroup.procs" inode=361665 dev=00:21 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.894:649091): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.894:649091): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6eadb70 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.895:649094): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.895:649094): item=0 name="/sys/fs/cgroup/pids/user.slice/user-1006.slice/cgroup.procs" inode=361641 dev=00:21 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.895:649094): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.895:649094): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6e92e20 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.897:649095): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.897:649095): item=0 name="/sys/fs/cgroup/pids/user.slice/cgroup.procs" inode=385 dev=00:21 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.897:649095): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.897:649095): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6ec23f0 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.897:649096): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.897:649096): item=0 name="/sys/fs/cgroup/pids/cgroup.procs" inode=2 dev=00:21 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.897:649096): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.897:649096): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6edb120 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:30 2021
node=srv1 type=PROCTITLE msg=audit(1626208170.128:649190): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208170.128:649190): item=0 name="/proc/1/environ" inode=6065153 dev=00:05 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208170.128:649190): cwd="/home/naperplace"
node=srv1 type=SYSCALL msg=audit(1626208170.128:649190): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffcefc38b70 a2=80000 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="systemctl" exe="/usr/bin/systemctl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-access"

fapolicyd log. Note that I currently have it in permissive mode, so it isn't blocking anything.

Rule 3: deny_syslog perm=any pattern=ld_so : all

fapolicyd[375960]: rule=3 dec=deny_syslog perm=execute auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/ld-2.28.so ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/ld-2.28.so ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib/systemd/libsystemd-shared-239.so ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/etc/ld.so.cache ftype=application/octet-stream
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libgcc_s-8-20210514.so.1 ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libpthread-2.28.so ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libc-2.28.so ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/librt-2.28.so ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libcap.so.2.26 ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libacl.so.1.1.2253 ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libcryptsetup.so.12.6.0 ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libgcrypt.so.20.2.5 ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libseccomp.so.2.5.1 ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libselinux.so.1 ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libidn2.so.0.3.6 ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/liblzma.so.5.2.4 ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/liblz4.so.1.8.3 ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libblkid.so.1.1.0 ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libmount.so.1.1.0 ftype=application/x-sharedlib
fapolicyd[375960]: rule=3 dec=deny_syslog perm=open auid=1006 pid=488632 exe=/usr/lib/systemd/systemd : path=/usr/lib64/libattr.so.1.1.2448 ftype=application/x-sharedlib

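Added example, not code from the post: a small Python decoder for raw audit records like the ones above. It assumes x86_64 syscall numbering and the Linux open(2) flag values, and feeds two of the post's own events back in as constructed sample input (the ausearch separator and `time->` lines are skipped). For reading the output: systemd renames a freshly forked child to the last eight characters of the target binary's basename in parentheses until the exec() completes, so the PID shown as comm="(ystemctl)" under exe=/usr/lib/systemd/systemd is the same process that later appears as systemctl. The decoder's per-PID lineage view makes that transition visible, and the flag decoding shows that the cgroup.procs opens were write attempts (O_WRONLY) refused with EACCES, while the /proc/1/environ open was read-only.

```python
"""Decode raw auditd records (ausearch output) into per-event summaries.

Added example for triaging records like the ones in the post; not the
poster's code.  Assumes x86_64 syscall numbers and Linux open(2) flags.
"""
import errno
import re

# Constructed sample: two events copied from the post, with ausearch separators.
SAMPLE_LOG = """\
----
time->Tue Jul 13 16:29:29 2021
node=srv1 type=PROCTITLE msg=audit(1626208169.887:649076): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208169.887:649076): item=0 name="/sys/fs/cgroup/cpu/cgroup.procs" inode=2 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208169.887:649076): cwd="/"
node=srv1 type=SYSCALL msg=audit(1626208169.887:649076): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5605e6edb120 a2=80101 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="(ystemctl)" exe="/usr/lib/systemd/systemd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-modification"
----
time->Tue Jul 13 16:29:30 2021
node=srv1 type=PROCTITLE msg=audit(1626208170.128:649190): proctitle="(ystemctl)"
node=srv1 type=PATH msg=audit(1626208170.128:649190): item=0 name="/proc/1/environ" inode=6065153 dev=00:05 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=srv1 type=CWD msg=audit(1626208170.128:649190): cwd="/home/naperplace"
node=srv1 type=SYSCALL msg=audit(1626208170.128:649190): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffcefc38b70 a2=80000 a3=0 items=1 ppid=488626 pid=488632 auid=1006 uid=1006 gid=1005 euid=1006 suid=1006 fsuid=1006 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4923 comm="systemctl" exe="/usr/bin/systemctl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="unsuccesful-access"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')  # msg=audit(secs.millis:serial)

# x86_64 syscall numbers; only the few needed for open-style records.
SYSCALLS_X86_64 = {0: "read", 1: "write", 2: "open", 59: "execve", 257: "openat"}

# open(2) flag bits on x86_64 Linux; the low two bits are the access mode.
ACCESS_MODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = [
    (0x40, "O_CREAT"), (0x80, "O_EXCL"), (0x100, "O_NOCTTY"), (0x200, "O_TRUNC"),
    (0x400, "O_APPEND"), (0x800, "O_NONBLOCK"), (0x10000, "O_DIRECTORY"),
    (0x20000, "O_NOFOLLOW"), (0x80000, "O_CLOEXEC"),
]


def parse_record(line):
    """Split one record into a dict; return None for separators and time-> lines."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    m = MSG_RE.search(fields.get("msg", ""))
    if not m:
        return None
    fields["_ts"] = float(f"{m.group(1)}.{m.group(2)}")
    fields["_id"] = int(m.group(3))  # serial shared by all records of one event
    return fields


def decode_open_flags(hexflags):
    flags = int(hexflags, 16)
    names = [ACCESS_MODE.get(flags & 0x3, "O_ACCMODE?")]
    names += [name for bit, name in OPEN_FLAGS if flags & bit]
    return "|".join(names)


def decode_events(text):
    """Group records by event serial and summarise each SYSCALL event."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["_id"], []).append(rec)
    summaries = []
    for event_id, records in sorted(events.items()):
        by_type = {r["type"]: r for r in records}
        sc = by_type.get("SYSCALL")
        if sc is None:
            continue
        nr = int(sc["syscall"])
        exit_code = int(sc["exit"])
        summary = {
            "id": event_id, "time": sc["_ts"],
            "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
            "auid": int(sc["auid"]), "uid": int(sc["uid"]),
            "comm": sc["comm"], "exe": sc["exe"], "key": sc.get("key"),
            "syscall": SYSCALLS_X86_64.get(nr, f"syscall_{nr}"),
            "success": sc["success"] == "yes",
            # a negative exit is -errno; map it to its symbolic name
            "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
            "path": by_type.get("PATH", {}).get("name"),
            "cwd": by_type.get("CWD", {}).get("cwd"),
            "flags": None,
        }
        if nr == 257:      # openat(dirfd, path, flags, mode): flags are a2
            summary["flags"] = decode_open_flags(sc["a2"])
        elif nr == 2:      # open(path, flags, mode): flags are a1
            summary["flags"] = decode_open_flags(sc["a1"])
        summaries.append(summary)
    return summaries


def process_lineage(summaries):
    """Per PID, the ordered distinct (comm, exe) pairs seen over time.

    A PID that moves from a parenthesised comm under /usr/lib/systemd/systemd
    to a real binary is a systemd child caught before and after its exec()."""
    seen = {}
    for s in sorted(summaries, key=lambda s: s["time"]):
        hist = seen.setdefault(s["pid"], [])
        pair = (s["comm"], s["exe"])
        if not hist or hist[-1] != pair:
            hist.append(pair)
    return seen


if __name__ == "__main__":
    events = decode_events(SAMPLE_LOG)
    for e in events:
        print(f'{e["id"]} pid={e["pid"]} auid={e["auid"]} {e["comm"]} ({e["exe"]}) '
              f'{e["syscall"]}({e["path"]}, {e["flags"]}) -> {e["errno"] or "ok"}')
    for pid, hist in process_lineage(events).items():
        print(f"pid {pid}: " + " -> ".join(f"{c} [{x}]" for c, x in hist))
```

Run it against `ausearch -k unsuccesful-modification` output instead of the sample to see every denied cgroup.procs write grouped by PID; the same auid/ses values across both keys say the activity comes from one login session of UID 1006.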