!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/share/setools/   drwxr-xr-x
Free 52.27 GB of 127.8 GB (40.9%)


Viewing file:     seaudit_help.txt (14.09 KB)      -rw-r--r--
Audit Log Analysis Tool for Security Enhanced Linux
seaudit, version 3.0
October 1, 2006
selinux@tresys.com


Overview:
---------
This file contains basic help information for using seaudit, an audit
log analysis tool for Security Enhanced Linux (SELinux) audit
messages.

The tool does not need to be installed on an SELinux system; it will
work on any Linux machine.  The tool parses a given syslog and
extracts all load policy messages, AVC messages and change of Boolean
messages from conditional policies.

The tool has the following main functions:
  1) Browse and sort SELinux audit messages.
  2) Filter an audit log based on fields in the messages.
  3) Query the policy based on data from a given audit message.
  4) Export SELinux audit messages to a file.
  5) Generate reports in HTML or plain text format from an entire log
     or an seaudit view.


Log and Policy Files:
---------------------
The seaudit program accepts the following command line arguments to
open files at start-up.  Zero, one, or both arguments will be
accepted.

  -l[FILE], --log[=FILE]       open log file named FILE
  -p[FILE], --policy[=FILE]    open policy file named FILE

The program provides you with the option of opening either a source or
binary policy file.  If a policy is not specified at the command line,
seaudit will attempt to use the default policy location, as specified
during configuration time (e.g., ./configure --with-default-policy).

Note that seaudit does not require an open policy file; in this case
the user will not be able to use the query policy features of the
tool.  Only one policy file and one audit log can be open at a time,
so if another one is opened the current one will be closed.

When opening a log file the user may get the warning "Warning! One or
more invalid messages found in audit log."  This means that one or
more of the SELinux audit messages either was missing a standard
message field (e.g., time, hostname, access type, etc.) or:

  1) A message had an unrecognized time stamp,
  2) An AVC message did not contain permissions,
  3) An AVC message was not labeled as denied or granted,
  4) A load policy message was not in the correct form, (i.e., missing
     a line or a data field), or
  5) A Boolean message did not contain a list of Booleans.
    
The seaudit program will still attempt to display the remaining data
from the SELinux audit message in question along with all the other
SELinux messages in the log, but only if one of the following
sub-strings is found within the message:

  "avc:" - indicates an access denied or granted message,
  "security:" - indicates a load policy message, or
  "committed Booleans" - indicates a committed Boolean(s) message.

Otherwise, these messages will not be extracted from the SELinux audit
log.
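The extraction rules above (the three marker sub-strings and the
conditions that make a message invalid) can be exercised on a few log
lines.  The following Python is an added example written for this page,
not code from seaudit or SETools.  The syslog excerpt is constructed, and
the line layouts it assumes (an AVC line with '{ perms }' after 'denied'
or 'granted' and key=value fields, a 'security:' line carrying counts,
and a 'committed Booleans { name:1, ... }' line) are assumptions about
the 2.6-era syslog shapes; messages are recognised by sub-string as the
help text describes.

```python
import re

# Constructed sample syslog excerpt (not taken from the original page or from
# any real system): two well-formed AVC messages, one load-policy line, one
# committed-Booleans line, two malformed AVC lines and one unrelated sshd line.
SAMPLE_LOG = """\
Oct  1 12:00:01 host kernel: audit(1159704001.123:45): avc:  denied  { read write } for  pid=1234 comm="httpd" name="shadow" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Oct  1 12:00:02 host kernel: audit(1159704002.456:46): avc:  granted  { setenforce } for  pid=99 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
Oct  1 12:00:03 host kernel: security:  3 users, 6 roles, 1374 types, 181 bools
Oct  1 12:00:04 host kernel: security: committed Booleans { httpd_can_network_connect:1, allow_execmem:0 }
Oct  1 12:00:05 host kernel: audit(1159704005.789:47): avc:  denied  for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Oct  1 12:00:06 host kernel: audit(1159704006.000:48): avc:  { getattr } for  pid=2 comm="x" scontext=a:b:c_t:s0 tcontext=d:e:f_t:s0 tclass=dir
Oct  1 12:00:07 host sshd[2222]: Accepted publickey for admin from 192.0.2.10 port 4242 ssh2
"""

SYSLOG_STAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) ")
AVC_RESULT = re.compile(r"avc:\s+(denied|granted)\s")
AVC_PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')
BOOL_ITEM = re.compile(r"(\w+):([01])")
POLICY_COUNT = re.compile(r"(\d+) (users|roles|types|bools|classes|rules)")


def classify(line):
    """Which of the three seaudit message kinds a line is, or None.
    The Boolean check runs before the load-policy check because a
    'committed Booleans' line also carries the 'security:' prefix."""
    low = line.lower()
    if "avc:" in low:
        return "avc"
    if "committed booleans" in low:   # case-insensitive match is an assumption
        return "boolean"
    if "security:" in low:
        return "load_policy"
    return None


def parse_avc(line):
    """Parse an AVC line.  'valid' is False when the time stamp, the
    permissions or the denied/granted label is missing, the conditions
    the help text lists for an invalid AVC message."""
    stamp = SYSLOG_STAMP.match(line)
    result = AVC_RESULT.search(line)
    perms = AVC_PERMS.search(line)
    fields = dict(KEY_VALUE.findall(line))
    msg = {
        "kind": "avc",
        "host": stamp.group(1) if stamp else None,
        "result": result.group(1) if result else None,
        "perms": perms.group(1).split() if perms else [],
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm", "").strip('"'),
    }
    msg["valid"] = bool(stamp and result and msg["perms"])
    return msg


def parse_load_policy(line):
    """Parse a 'security:' count line; invalid when no counts are present."""
    stamp = SYSLOG_STAMP.match(line)
    counts = {name: int(num) for num, name in POLICY_COUNT.findall(line)}
    return {"kind": "load_policy", "host": stamp.group(1) if stamp else None,
            "counts": counts, "valid": bool(stamp and counts)}


def parse_boolean(line):
    """Parse a committed-Booleans line; invalid when the list is empty."""
    stamp = SYSLOG_STAMP.match(line)
    body = line.split("{", 1)[1] if "{" in line else ""
    bools = {name: val == "1" for name, val in BOOL_ITEM.findall(body)}
    return {"kind": "boolean", "host": stamp.group(1) if stamp else None,
            "booleans": bools, "valid": bool(stamp and bools)}


def parse_log(text):
    """Extract the SELinux messages from a syslog text.  Returns the parsed
    messages (invalid ones included, as seaudit still displays them) and
    the number of invalid ones, which is what triggers seaudit's
    'invalid messages found' warning.  Lines without a marker sub-string
    are dropped, as seaudit drops them."""
    parsers = {"avc": parse_avc, "load_policy": parse_load_policy,
               "boolean": parse_boolean}
    messages = []
    for line in text.splitlines():
        kind = classify(line)
        if kind is not None:
            messages.append(parsers[kind](line))
    invalid = sum(1 for m in messages if not m["valid"])
    return messages, invalid


if __name__ == "__main__":
    msgs, bad = parse_log(SAMPLE_LOG)
    if bad:
        print("Warning! One or more invalid messages found in audit log. (%d)" % bad)
    for m in msgs:
        print(m["kind"], "valid" if m["valid"] else "INVALID", m)
```

Run with no arguments to see the parsed messages and the warning the
two malformed AVC lines provoke; the sshd line never appears because it
carries none of the three marker sub-strings.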


Menus:
------
The FILE menu allows the user to change the current policy file and/or
audit log.  It also shows a list of recently opened files and lets the
user change preferences, including the default log, the default policy
file, which columns to present when viewing audit logs, and whether
seaudit should enable real-time log monitoring upon start-up.  All of
these settings are saved and reloaded each time seaudit is started.

The VIEW menu allows the user to display multiple views of a log.  The
default view is created automatically once an audit log is opened.
Additional views can be created by selecting View->New under the VIEW
menu.  Each tab can be sorted and filtered independently.  The 'Save'
and 'Save As...' menu items allow the user to save settings for the
view to a file; 'Export View' menu item allows the user to export an
entire view (i.e., the audit messages contained in the view) to a
file.  Alternatively, 'Export Selected Messages' exports only selected
messages to a file instead of the entire view.  This menu also
provides the option of viewing an entire audit message within a
separate text box window as it is rendered in the actual audit log.
If multiple audit messages are selected, seaudit will use the top-most
selected audit message in the current view.

The SEARCH menu allows the user to filter the audit log (See Log Views
below) or query the policy (See Query Policy below).

Additionally, right-clicking on an audit message entry displays a
pop-up menu that allows the user to:
  - View the entire message within a separate text box,
  - Query the policy using the message, or
  - Export all selected messages to a file.

The REPORT menu is used to create report files in HTML or plain text
format using an entire audit log or an seaudit view.  (See Creating
Reports below).


Sorting:
--------
By default the messages are sorted in chronological order.  To sort by
a particular field click on the column heading.  The only column that
cannot be sorted upon is the 'Other' column.  Only one level of
sorting can be performed at this time.  The file KNOWN-BUGS describes
a particular instance where the sort order may be misleading.


Log Monitoring: 
---------------
The 'Toggle Monitor' button turns on and off the real-time log
monitoring feature.  The monitor status label in the lower right-hand
corner of the status bar will display 'OFF' or 'ON' as appropriate.
When this feature is on, seaudit checks for new messages at a regular
interval, once per second by default.  This interval can be configured from
the Preferences dialog.  As new messages are added to the currently
loaded log file, they will be displayed according to the filter and
sorting selections for the current view.


Query Policy:
-------------
The 'Query Policy' button opens a new dialog box that contains two
tabs.  From the first tab, 'Query Policy', the user enters search
criteria similar to those in apol's TE Rules query.  If an audit
message was selected prior to clicking on this button, the search
criteria are filled in based on the message.  Otherwise, all the
criteria are blank.  For each combobox, the user may enter a regular
expression or choose an entry from the drop-down list.

The 'Only show direct matches' checkbox alters the meaning of the
search.  By default the search returns rules that have either the
provided type or any of the type's attributes in the appropriate
field.  If this checkbox is enabled then the search will only find
that type; it ignores the type's attributes.
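The difference the 'Only show direct matches' checkbox makes is easiest
to see on a concrete rule set.  The following Python is an added example
written for this page, not code from seaudit or apol, and the policy it
searches is a constructed toy (a few types, attributes and allow rules,
not a real SELinux policy).  It shows that a query for a type finds
rules written against the type's attributes unless direct matching is
requested, takes regular expressions as criteria like the dialog, and
pre-fills the criteria from an AVC message's context strings the way
the dialog does when a message is selected first.

```python
import re

# Constructed toy policy for illustration (not a real SELinux policy):
# each type carries a set of attributes, and allow rules may name either a
# type or an attribute in their source and target fields.
TYPE_ATTRS = {
    "httpd_t": {"domain", "daemon"},
    "sshd_t": {"domain", "daemon"},
    "shadow_t": {"file_type", "security_file_type"},
    "etc_t": {"file_type"},
}
ALLOW_RULES = [  # (source, target, object class, permissions)
    ("httpd_t", "etc_t", "file", {"read", "getattr"}),
    ("domain", "etc_t", "file", {"read"}),
    ("daemon", "file_type", "dir", {"search"}),
    ("sshd_t", "shadow_t", "file", {"read"}),
]
ALL_NAMES = set(TYPE_ATTRS) | set().union(*TYPE_ATTRS.values())


def names_for(pattern, direct_only):
    """Names a rule field may carry to satisfy one criterion: every type or
    attribute whose name matches the regular expression and, unless
    direct_only is set, the attributes of each matched type, so that a rule
    written against an attribute is found when querying by the type."""
    rx = re.compile(pattern)
    matched = {name for name in ALL_NAMES if rx.fullmatch(name)}
    if direct_only:
        return matched
    return matched | set().union(*(TYPE_ATTRS.get(t, set()) for t in matched))


def query_rules(source=None, target=None, tclass=None, direct_only=False):
    """Mimic the Query Policy search over the toy rule set.  Each criterion
    is a regular expression; None leaves that field unconstrained."""
    hits = []
    for src, tgt, cls, perms in ALLOW_RULES:
        if source is not None and src not in names_for(source, direct_only):
            continue
        if target is not None and tgt not in names_for(target, direct_only):
            continue
        if tclass is not None and re.fullmatch(tclass, cls) is None:
            continue
        hits.append((src, tgt, cls, sorted(perms)))
    return hits


def criteria_from_avc(scontext, tcontext, tclass):
    """Pre-fill the criteria from an AVC message as the dialog does: the
    type is the third component of a user:role:type[:level] context."""
    return {"source": scontext.split(":")[2],
            "target": tcontext.split(":")[2],
            "tclass": tclass}


if __name__ == "__main__":
    # Constructed AVC fields: httpd_t denied access to etc_t:file.
    crit = criteria_from_avc("system_u:system_r:httpd_t:s0",
                             "system_u:object_r:etc_t:s0", "file")
    for direct in (False, True):
        print("direct_only=%s:" % direct)
        for src, tgt, cls, perms in query_rules(direct_only=direct, **crit):
            print("  allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms)))
```

With the default (attribute-expanding) search the denial above is
explained by two rules, one on httpd_t and one on the domain attribute;
with direct matching only the rule naming httpd_t itself is returned.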

Clicking the 'Query Policy' button performs the search and returns a
list of matching rules.  If the currently opened policy file is a
source policy, the displayed rules will contain hyperlinks to the
appropriate line in the policy.conf tab.

The second tab, 'policy.conf', provides a convenient display of the
raw policy.conf source file and is only available when opening a
source policy file.

The seaudit program provides limited searching.  More thorough policy
searches and analyses may be conducted through the companion tool,
apol.


Log Views:
----------
The 'Modify View' button opens a dialog box that lets the user modify
a list of filters for the current view of the audit log.  At the top
of the dialog box is a drop-down menu that has four different ways to
apply the filters.  Log entries matching a filter may be either shown
or hidden; entries can match any or all of the filters.  Individual
filters may be added, edited, removed, imported, or exported from this
dialog.  Additionally, from this dialog the user can save to a file
the view's settings.

Click on the 'Apply' button to apply the filters for the associated
view; simply hitting 'Close' will not adjust the current view.


Modifying Filters Within A View: 
--------------------------------
To add a new filter, first select the view for which the filter is
needed by clicking on the corresponding tab, then click on the 'Modify
View' button and then 'Add'.  Within this new dialog, edit the various
properties of the filter, such as its name, description, source context,
target context, object type, etc.

Use the 'Context' tab to enter values for part or all of the source
and target context, as well as the object class.  Only exact matches
and/or glob expressions (see Globbing Expressions below) are accepted
for fields on this tab; no regular expressions are permitted.  Either
enter the values manually with a comma between entries or click on the
button (e.g., Types) and get another dialog that has a list of all
valid entries.  This list can be populated by values from the log, the
policy, or the union of the log and policy, by selecting the
appropriate radio button.

Use the 'Other' tab to filter by networking criteria (i.e., IP
address, port and/or interface).  The IP addresses require an exact
match or a regular expression; however, Port and Interface are by
exact match only.  The user can also filter by executable, path,
and/or hostname from this tab.  These fields accept either an exact
match or a glob expression (see Globbing Expressions below).

The filter criteria provided are saved automatically when this dialog
is closed.  A click on the 'Clear Values' button at the bottom of
either tab clears the values in the current tab only.


Globbing Expressions:
---------------------
Using glob expressions allows one to construct more flexible search
filters by allowing for pattern expansion instead of just static
strings.  There are several different methods of glob syntax that are
supported by seaudit.

(1) Wildcard Matching

Strings containing the characters '?' and '*' are said to contain
wildcard characters.  Both are wildcards, but they match differently.

  (a) The '?' character matches any single character.

      example: ?at matches the strings aat, bat, cat, etc.

  (b) The '*' matches any string.

      example: sys* matches the strings system, sysadmin, etc.

(2) Character Classes

Character classes are used when one desires to find certain
characters, at a certain position within a string. The '[' character
is used to begin a character class and the ']' character is used to
end the class.  The characters in the string contained between the two
brackets comprise the character class, which can NOT be empty.
	
      example: e[abz]x matches the strings eax, ebx, ezx

(3) Ranges

Ranges extend character classes so that a class can stand for a
sequential set of characters.  The '-' character indicates a range,
where the character to the left of the '-' is the beginning and the
character to the right of the '-' is the end (both inclusive).  Multiple
ranges can be used within the same character class.
	
      example: a[b-e]f matches the strings abf, acf, adf, aef
      example: 1[2-36-8]9 matches the strings 129, 139, 169, 179, 189

(4) Complementation

Complementation searches for the complement of a character class or
range: the '!' character must be the first character after '[', and
the class then matches any single character NOT listed between the
brackets after the '!'.

      example: a[!b-y]z matches all three-character strings starting
               with a followed by any character not occurring between b
               and y (inclusive), and ending in z

      example: a[!c-ik-y]z matches all three-character strings starting
               with a followed by any character not occurring between c
               and i (inclusive) or between k and y (inclusive), and
               ending in z


*** CAUTION ***

The seaudit program mixes regular expressions and glob expressions.
For example, the 'Edit Filter' dialog may allow only regular
expressions for certain criteria, whereas for other criteria it may
allow only exact matches or glob expressions.  The 'Query Policy'
dialog accepts only regular expressions or exact matches for its search
criteria, not glob expressions.  Additionally, note that all characters
used in glob expressions are case sensitive.
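The four glob constructs above can be checked against the help text's
own examples.  The following Python is an added example written for this
page; it is not seaudit's matcher but a glob-to-regex translator with the
same four constructs, anchored over the whole string and case sensitive
as the CAUTION note requires.  It assumes, as an ordinary glob does,
that '*' may match the empty string and that an empty or unterminated
'[' is taken literally; the executable paths in the demonstration are
constructed.

```python
import re


def glob_to_regex(pattern):
    """Translate an seaudit-style glob into a regular expression:
    '?' matches any one character, '*' any string, '[...]' one character
    from a class (ranges with '-', several per class) and '[!...]' one
    character not in the class.  Everything else is literal."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "?":
            out.append(".")
        elif c == "*":
            out.append(".*")
        elif c == "[":
            close = pattern.find("]", i + 1)
            body = pattern[i + 1:close] if close != -1 else ""
            negate = body.startswith("!")
            if negate:
                body = body[1:]
            if not body:
                # empty or unterminated class (assumption): a literal '['
                out.append(re.escape(c))
            else:
                # keep '-' so ranges survive; escape what a regex class treats specially
                body = "".join("\\" + ch if ch in "\\^[]" else ch for ch in body)
                out.append("[" + ("^" if negate else "") + body + "]")
                i = close
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def glob_match(pattern, text):
    """True when the whole of text matches the glob (anchored at both ends,
    case sensitive)."""
    return re.fullmatch(glob_to_regex(pattern), text) is not None


def matches(pattern, candidates):
    """The candidates a glob accepts, in input order."""
    return [s for s in candidates if glob_match(pattern, s)]


if __name__ == "__main__":
    # The help text's examples, plus a filter-style use on executable paths
    # (constructed) showing the case sensitivity the CAUTION note warns about.
    cases = [
        ("?at", ["aat", "bat", "cat", "at"]),
        ("sys*", ["system", "sysadmin", "sys", "Sys"]),
        ("e[abz]x", ["eax", "ebx", "ecx", "ezx"]),
        ("a[b-e]f", ["abf", "acf", "adf", "aef", "aff"]),
        ("1[2-36-8]9", ["129", "139", "149", "169", "179", "189", "199"]),
        ("a[!b-y]z", ["aaz", "abz", "amz", "azz"]),
        ("a[!c-ik-y]z", ["abz", "adz", "ajz", "azz"]),
        ("/usr/sbin/http*", ["/usr/sbin/httpd", "/usr/sbin/HTTPD", "/usr/bin/httpd"]),
    ]
    for pat, cands in cases:
        print("%-16s -> %s" % (pat, matches(pat, cands)))
```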


Status Bar:
-----------
At the bottom of seaudit is a status bar.  In the left corner it
displays the approximate version of the policy you have loaded along
with the policy type (binary or source).  The middle displays the
number of log messages displayed and the total number of SELinux
messages in the audit log.  The next label shows the span of the dates
in the audit log and the right-most label shows the status of the
real-time log monitor.


Creating Reports:
-----------------

From the REPORT menu the user can create report files in HTML or plain
text format using an entire audit log or an seaudit view.  Select the
'Create Report' menu item to display a dialog for making
configurations to the report and then save the report to a file.

The input frame contains options for indicating whether to use the
entire audit log or only the messages displayed in the current log
view as input to the report.  There is also an option for including
malformed messages within the report (see the previous 'Log and
Policy Files' heading for what makes up a malformed message in
seaudit).  This option is only enabled when the radio button for using
the entire audit log is selected.

The output frame contains radio buttons for specifying the format of
the report, HTML or plain text.  Additionally, an entry box is
provided in this frame for specifying a style sheet to use when
creating an HTML report.  There also is an entry box for specifying
the configuration file to use for creating the report.  If the style
sheet or the configuration file is not specified, seaudit will use the
appropriate system default files.  If a report configuration file
cannot be located at this point, an error will be generated.  The
default values for the style sheet and configuration file may be
changed from the Preferences dialog.

The seaudit report configuration file may be configured to affect
information presented in reports.  The seaudit report feature is
dependent upon this file in order to successfully generate reports.
From this file, one can configure various sections for the report, as
well as create custom sections in the report through the use of saved
seaudit view files.  Review the default seaudit-report.conf file that
comes packaged with the SETools distribution for more information.
This file can be located in the shared data directory where seaudit
was installed, typically /usr/local/share/setools-<version>.

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0061 ]--