Audit Log Analysis Tool for Security Enhanced Linux
seaudit, version 3.0
October 1, 2006
selinux@tresys.com

Overview:
---------
This file contains basic help information for using seaudit, an audit log analysis tool for Security Enhanced Linux (SELinux) audit messages. The tool does not need to be installed on an SELinux system; it will work on any Linux machine. The tool parses a given syslog and extracts all load policy messages, AVC messages and change of Boolean messages from conditional policies.

The tool has the following main functions:

1) Browse and sort SELinux audit messages.
2) Filter an audit log based on fields in the messages.
3) Query the policy based on data from a given audit message.
4) Export SELinux audit messages to a file.
5) Generate reports in HTML or plain text format from an entire log or an seaudit view.

Log and Policy Files:
---------------------
The seaudit program accepts the following command line arguments to open files at start-up. Zero, one, or both arguments will be accepted.

  -l[FILE], --log[=FILE]       open log file named FILE
  -p[FILE], --policy[=FILE]    open policy file named FILE

The program provides you with the option of opening either a source or binary policy file. If a policy is not specified at the command line, seaudit will attempt to use the default policy location, as specified during configuration time (e.g., ./configure --with-default-policy). Note that seaudit does not require an open policy file; in this case the user will not be able to use the query policy features of the tool. Only one policy file and one audit log can be open at a time, so if another one is opened the current one will be closed.

When opening a log file the user may get the warning "Warning! One or more invalid messages found in audit log." This means that one or more of the SELinux audit messages either was missing a standard message field (e.g., time, hostname, access type, etc.) or:

1) A message had an unrecognized time stamp,
2) An AVC message did not contain permissions,
3) An AVC message was not labeled as denied or granted,
4) A load policy message was not in the correct form (i.e., missing a line or a data field), or
5) A Boolean message did not contain a list of Booleans.

The seaudit program will still attempt to display the remaining data from the SELinux audit message in question along with all the other SELinux messages in the log, but only if one of the following sub-strings is found within the message:

  "avc:"               - indicates an access denied or granted message,
  "security:"          - indicates a load policy message, or
  "committed Booleans" - indicates a committed Boolean(s) message.

Otherwise, these messages will not be extracted from the SELinux audit log.

Menus:
------
The FILE menu allows the user to change the current policy file and/or audit log. It also shows a list of recently opened files. The file menu also allows the user to change preferences, including the default log, the default policy file, which columns to present when viewing audit logs, and whether seaudit should enable real-time log monitoring upon start-up. All of these settings will be saved and reloaded each time seaudit is started.

The VIEW menu allows the user to display multiple views of a log. The default view is created automatically once an audit log is opened. Additional views can be created by selecting View->New under the VIEW menu. Each tab can be sorted and filtered independently. The 'Save' and 'Save As...' menu items allow the user to save the settings for the view to a file; the 'Export View' menu item allows the user to export an entire view (i.e., the audit messages contained in the view) to a file. Alternatively, 'Export Selected Messages' exports only the selected messages to a file instead of the entire view. This menu also provides the option of viewing an entire audit message within a separate text box window as it is rendered in the actual audit log. If multiple audit messages are selected, seaudit will use the top-most selected audit message in the current view.

The SEARCH menu allows the user to filter the audit log (see Log Views below) or query the policy (see Query Policy below). Additionally, right-clicking on an audit message entry will display a pop-up menu that allows the user to:

  - View the entire message within a separate text box,
  - Query the policy using the message, or
  - Export all selected messages to a file.

The REPORT menu is used to create report files in HTML or plain text format using an entire audit log or an seaudit view (see Creating Reports below).

Sorting:
--------
By default the messages are sorted in chronological order. To sort by a particular field, click on the column heading. The only column that cannot be sorted upon is the 'Other' column. Only one level of sorting can be performed at this time. The file KNOWN-BUGS describes a particular instance where the sort order may be misleading.

Log Monitoring:
---------------
The 'Toggle Monitor' button turns the real-time log monitoring feature on and off. The monitor status label in the lower right-hand corner of the status bar will display 'OFF' or 'ON' as appropriate. When this feature is on, seaudit checks for new messages at a regular interval, every second by default. This interval can be configured from the Preferences dialog. As new messages are added to the currently loaded log file, they will be displayed according to the filter and sorting selections for the current view.

Query Policy:
-------------
The 'Query Policy' button opens a new dialog box that contains two tabs. From the first tab, 'Query Policy', the user enters search criteria similar to those in apol's TE Rules query. If an audit message was selected prior to clicking on this button, the search criteria are filled in based on the message. Otherwise, all the criteria are blank. For each combobox, the user may enter a regular expression or choose an entry from the drop-down list.

The 'Only show direct matches' checkbox alters the meaning of the search. By default the search returns rules that have either the provided type or any of the type's attributes in the appropriate field. If this checkbox is enabled then the search will only find that type; it ignores the type's attributes.

Invoking the 'Query Policy' button will perform the search and return a list of matching rules. If the currently opened policy file is a source policy, the displayed rules will contain hyperlinks to the appropriate line in the policy.conf tab. The second tab, 'policy.conf', provides a convenient display of the raw policy.conf source file and is only available when a source policy file is open.

The seaudit program provides limited searching. More thorough policy searches and analyses may be conducted through the companion tool, apol.

Log Views:
----------
The 'Modify View' button opens a dialog box that lets the user modify a list of filters for the current view of the audit log. At the top of the dialog box is a drop-down menu that has four different ways to apply the filters: log entries matching a filter may be either shown or hidden, and entries can match any or all of the filters. Individual filters may be added, edited, removed, imported, or exported from this dialog. Additionally, from this dialog the user can save the view's settings to a file. Click on the 'Apply' button to apply the filters for the associated view; simply hitting 'Close' will not adjust the current view.

Modifying Filters Within A View:
--------------------------------
To add a new filter, first select the view for which the filter is needed by clicking on the corresponding tab, then click on the 'Modify View' button and then 'Add'. Within this new dialog, edit the various properties of a filter such as its name, description, source context, target context, object type, etc.

Use the 'Context' tab to enter values for part or all of the source and target context, as well as the object class. Only exact matches and/or glob expressions (see Globbing Expressions below) are accepted for fields on this tab; no regular expressions are permitted. Either enter the values manually with a comma between entries, or click on the button (e.g., Types) to get another dialog that has a list of all valid entries. This list can be populated by values from the log, the policy, or the union of the log and policy, by selecting the appropriate radio button.

Use the 'Other' tab to filter by networking criteria (i.e., IP address, port and/or interface). The IP addresses require an exact match or a regular expression; however, Port and Interface are by exact match only. The user can also filter by executable, path, and/or hostname from this tab. These fields accept either an exact match or a glob expression (see Globbing Expressions below).

The filter criteria provided are saved automatically when this dialog is closed. A click on the 'Clear Values' button at the bottom of either tab clears the values in the current tab only.

Globbing Expressions:
---------------------
Using glob expressions allows one to construct more flexible search filters by allowing for pattern expansion instead of just static strings. There are several forms of glob syntax that are supported by seaudit.

(1) Wildcard Matching

Strings containing the characters '?' and '*' are said to contain wildcard characters. Both are wildcards, but they behave differently.

  (a) The '?' character matches any single character.
      example: ?at matches the strings aat, bat, cat, etc.
  (b) The '*' character matches any string.
      example: sys* matches the strings system, sysadmin, etc.

(2) Character Classes

Character classes are used when one wants to find certain characters at a certain position within a string. The '[' character is used to begin a character class and the ']' character is used to end the class. The characters in the string contained between the two brackets comprise the character class, which can NOT be empty.

  example: e[abz]x matches the strings eax, ebx, ezx

(3) Ranges

Ranges are an extension of character classes that allow one to find any character from a contiguous sequence of characters at a given position in the string. The '-' character is used to indicate a range of characters, where the character to the left of the '-' is the beginning and the character to the right of the '-' is the end. Multiple ranges can be used within the same character class.

  example: a[b-e]f matches the strings abf, acf, adf, aef
  example: 1[2-36-8]9 matches the strings 129, 139, 169, 179, 189

(4) Complementation

Complementation allows for searching using the complement of any given character class or range. The character '!' must be the first character after '[' when one wants to use a complementation. When using complementations, the complement of the string enclosed in the brackets after the '!' character is used.

  example: a[!b-y]z matches all three-character strings starting with a, followed by any character not occurring between b and y (inclusive), and ending in z
  example: a[!c-ik-y]z matches all three-character strings starting with a, followed by any character not occurring between c and i (inclusive) or between k and y (inclusive), and ending in z

*** CAUTION ***
The seaudit program uses regular expressions in some places and glob expressions in others. For example, the 'Edit Filter' dialog may allow only regular expressions for certain criteria, whereas for other criteria it may only allow exact matches or the use of a glob expression. The 'Query Policy' dialog only allows the use of regular expressions or an exact match for search criteria, not glob expressions. Additionally, note that all characters used in glob expressions are case sensitive.

Status Bar:
-----------
At the bottom of seaudit is a status bar. In the left corner it displays the approximate version of the policy you have loaded along with the policy type (binary or source). The middle displays the number of log messages displayed and the total number of SELinux messages in the audit log. The next label shows the span of the dates in the audit log, and the right-most label shows the status of the real-time log monitor.

Creating Reports:
-----------------
From the REPORT menu the user can create report files in HTML or plain text format using an entire audit log or an seaudit view. Select the 'Create Report' menu item to display a dialog for configuring the report and then saving it to a file.

The input frame consists of options for indicating whether to use the entire audit log or the messages displayed in the current log view as input to the report. Also, there is an option for including malformed messages within the report (see the previous 'Log and Policy Files' heading for what makes up a malformed message in seaudit). This option is only enabled when the radio button for using the entire audit log is selected.

The output frame contains radio buttons for specifying the format of the report, HTML or plain text. Additionally, an entry box is provided in this frame for specifying a style sheet to use when creating an HTML report. There is also an entry box for specifying the configuration file to use for creating the report. If the style sheet or the configuration file is not specified, seaudit will use the appropriate system default files. If a report configuration file cannot be located at this point, an error will be generated. The default values for the style sheet and configuration file may be changed from the Preferences dialog.

The seaudit report configuration file may be edited to affect the information presented in reports. The seaudit report feature depends upon this file in order to successfully generate reports. From this file, one can configure the various sections of the report, as well as create custom sections in the report through the use of saved seaudit view files. Review the default seaudit-report.conf file that comes packaged with the SETools distribution for more information. This file can be located in the shared data directory where seaudit was installed, typically /usr/local/share/setools-<version>.
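As an added illustration (not part of the seaudit help text or of SETools itself), the Python sketch below mirrors two behaviours described above: the sub-string test and malformed-AVC rules from 'Log and Policy Files', and the case-sensitive glob filters of the 'Other' tab combined in the show/hide and any/all modes of the Modify View dialog. The log lines, field names and function names are constructed for the example, and Python's fnmatchcase stands in for seaudit's glob matcher because it supports the same '?', '*', '[...]', range and '[!...]' forms.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample syslog lines; not taken from the help text or from any real system.
SAMPLE_LOG = [
    'Oct  1 12:00:01 host kernel: audit(1159704001.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" exe=/usr/sbin/httpd path=/etc/shadow scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'Oct  1 12:00:02 host kernel: audit(1159704002.456:46): avc:  granted  { getattr } for  pid=99 comm="syslogd" exe=/sbin/syslogd path=/var/log/messages scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'Oct  1 12:00:03 host kernel: audit(1159704003.789:47): avc:  denied  { } for  pid=5 comm="crond" exe=/usr/sbin/crond path=/var/spool/cron/root',
    'Oct  1 12:00:04 host kernel: audit(1159704004.000:48): avc:  for  pid=6 comm="sysctl" exe=/sbin/sysctl',
    'Oct  1 12:00:05 host kernel: security:  3 users, 5 roles, 100 types, 2 bools',
    'Oct  1 12:00:06 host kernel: security: committed Booleans { httpd_enable_cgi:1 }',
]
AVC_RE = re.compile(r'avc:\s*(?P<result>denied|granted)?\s*(?:\{\s*(?P<perms>[^}]*)\})?')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def classify(line):
    """Kind of SELinux message seaudit would extract from a syslog line, or None."""
    # Tested first: a committed-Booleans line also carries the 'security:' sub-string.
    if "committed Booleans" in line:
        return "boolean"
    if "avc:" in line:
        return "avc"
    if "security:" in line:
        return "load_policy"
    return None


def avc_problems(line):
    """Why an AVC message is malformed per the help text; an empty list means well-formed."""
    m = AVC_RE.search(line)
    problems = []
    if m.group("result") is None:
        problems.append("not labeled denied or granted")
    if not (m.group("perms") or "").strip():
        problems.append("no permissions")
    return problems


def avc_fields(line):
    """key=value pairs of an AVC message with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def filter_view(lines, globs, show=True, match_all=True):
    """Glob filters as on the 'Other' tab: globs maps a field (exe, path, comm) to a
    case-sensitive glob; show/hide entries matching any/all filters (four view modes)."""
    combine = all if match_all else any

    def matches(line):
        fields = avc_fields(line)
        return combine(fnmatchcase(fields.get(k, ""), g) for k, g in globs.items())
    return [l for l in lines if classify(l) == "avc" and matches(l) == show]
```

Note that, as in the help text, '*' matches any string, so it crosses '/' in a path; an exact match is simply a glob with no wildcard characters.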