What does this AVC means

All the general questions related to AVC / SYSCALL / Policy / Boolean

Moderator: xeont

What does this AVC means

Postby pri » Thu May 29, 2014 8:56 am

Hi,

How to read this log message?

type=CRYPTO_KEY_USER msg=audit(1401283789.302:238081): user pid=12718 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=f2:d2:d5:63:9c:9f:59:e2:64:ca:45:4c:e0:54:c6:c3 direction=? spid=12718 suid=0 exe="/usr/sbin/sshd" hostname=? addr=xxx.xx.xxx.xxx terminal=? res=success'

Did anyone login to SSH? as a root?

how to find the time and date from this?

Thank you
pri
 
Posts: 3
Joined: Wed Aug 14, 2013 6:22 am

Re: What does this AVC means

Postby dpquigl » Thu May 29, 2014 10:13 am

First off that isn't an AVC. Its just a normal audit message. You need to look up what creates audit log messages of type CRYPTO_KEY_USER. You can use ausearch -i to get a human readable time and date for the audit record. It looks like an AVC message because it includes the subject of what caused the audit log but it isn't actually an SELinux AVC.
dpquigl
 
Posts: 2
Joined: Wed Jul 03, 2013 8:30 pm

Re: What does this AVC means

Postby pri » Sat May 31, 2014 2:20 am

Thank you for your reply dpquigl.

I did a ausearch -i and found the date and time.

Problem this is the same message i get when i login to SSH but i have few of these messages from different IPs.

but when I do a

#last root

It only show root login with my IP.

Just wondering what is going on.
pri
 
Posts: 3
Joined: Wed Aug 14, 2013 6:22 am


Return to General Questions Related to AVC / SYSCALL / Policy / Boolean

Who is online

Users browsing this forum: No registered users and 1 guest