On Fri, 2008-01-11 at 17:10 -0500, Chuck Anderson wrote:
> On Fri, Jan 11, 2008 at 04:16:21PM -0500, Stephen Smalley wrote:
> >
> > On Fri, 2008-01-11 at 16:06 -0500, Chuck Anderson wrote:
> > > Is there any way to tell from the audit log or elsewhere when
> > > someone/something changed SELinux from enforcing to permissive or vice
> > > versa?
> >
> > Look for MAC_STATUS records in the audit log, e.g.
> > /sbin/ausearch -m MAC_STATUS
> >
> > These include changes to enforcing mode, with the enforcing= and
> > old_enforcing= values.
>
> This doesn't work apparently:
>
> #cat /etc/fedora-release
> Fedora release 8 (Werewolf)
>
> #ausearch -m MAC_STATUS
> <no matches>
> #sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: targeted
> #setenforce 1
> #sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: targeted
> [root@gkar 17:09:19 /var/log/audit]#ausearch -m MAC_STATUS
> <no matches>
> #setenforce 0
> #sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: targeted
> #ausearch -m MAC_STATUS
> <no matches>
Do you have auditd running? If not, look in dmesg or /var/log/messages instead of ausearch because it seems to be working fine for me....
[root@localhost ~]# cat /etc/fedora-release
Fedora release 8 (Werewolf)
[root@localhost ~]# setenforce 1
[root@localhost ~]# ausearch -m MAC_STATUS
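
An added example, not part of the original posts: a small Python parser that pulls enforcing-mode transitions out of either audit.log text or the kernel messages that appear in dmesg or /var/log/messages when auditd is not running. The sample lines are constructed, and the fields other than `enforcing=` and `old_enforcing=` (such as `auid`) and the numeric type 1404 for MAC_STATUS are assumptions about the record layout.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the thread). The MAC_STATUS lines mimic
# /var/log/audit/audit.log; the last line mimics the kernel printk form seen
# in dmesg or /var/log/messages without auditd (assumed: 1404 = MAC_STATUS).
SAMPLE_LOG = """\
type=MAC_STATUS msg=audit(1200089359.101:41): enforcing=1 old_enforcing=0 auid=500 ses=1
type=SYSCALL msg=audit(1200089359.101:41): arch=40000003 syscall=4 success=yes comm="setenforce"
type=MAC_STATUS msg=audit(1200089401.007:43): enforcing=0 old_enforcing=1 auid=500 ses=1
Jan 11 17:12:03 host kernel: type=1404 audit(1200089523.550:4): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
"""

# Matches both the auditd form (msg=audit(...)) and the syslog form (audit(...)).
RECORD = re.compile(r"type=(?:MAC_STATUS|1404)\s+(?:msg=)?audit\((\d+)\.\d+:(\d+)\):\s*(.*)")
FIELD = re.compile(r"(\w+)=(\S+)")
MODE = {"0": "permissive", "1": "enforcing"}


def mode_changes(text):
    """Return SELinux enforcing-mode transitions found in audit or syslog text."""
    changes = []
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        fields = dict(FIELD.findall(m.group(3)))
        if "enforcing" not in fields or "old_enforcing" not in fields:
            continue  # record lacks the two values needed to describe a change
        old, new = fields["old_enforcing"], fields["enforcing"]
        changes.append({
            "time": datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc).isoformat(),
            "serial": int(m.group(2)),
            "old": MODE.get(old, old),
            "new": MODE.get(new, new),
            "auid": fields.get("auid", "?"),
            # A drop from enforcing to permissive is the change worth alerting on.
            "weakened": old == "1" and new == "0",
        })
    return changes


if __name__ == "__main__":
    for c in mode_changes(SAMPLE_LOG):
        flag = "ALERT" if c["weakened"] else "info"
        print(f'{flag} {c["time"]} #{c["serial"]} {c["old"]} -> {c["new"]} auid={c["auid"]}')
```
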