[Thinlinc-technical] audit issue
Samuel Mannehed
samuel at cendio.se
Tue Aug 5 12:37:26 CEST 2014
Hi,
> Hi there. I have a problem with thinlinc on audit enabled CentOS.
> Every Xvnc process generate records like below very frequently:
>
>
> type=CWD msg=audit(1406869742.166:10509503): cwd="/home/vlad"
> type=PATH msg=audit(1406869742.166:10509503): item=0
> name="/proc/2663/cmdline" inode=2303429124 dev=00:03 mode=0100444
> ouid=500 ogid=500 rdev=00:00
> obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> nametype=NORMAL type=SYSCALL msg=audit(1406869742.171:10509504):
> arch=c000003e syscall=2 success=yes exit=31 a0=7fff7863e990 a1=0
> a2=7fff7863e9a3 a3=0 items=1 ppid=2428 pid=2431 auid=500 uid=500
> gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
> tty=(none) ses=5 comm="Xvnc" exe="/opt/thinlinc/libexec/Xvnc"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
> Monitored process is firefox,metacity, gpk-updatge-icon. So, Xvnc just
> open cmdline in about 300 req/sec on system with two logged in users.
> Linux audit subsystem have no ability to disable events fot rhis type
> of record, due luck of ability to filter out subject path. Only one
> way now
> - disable processing for entire /proc, but this is unacceptable. Is
> any way to fix this strange activity?
I have no experience in kernel auditing and my collegues who probably
do are away on vacation at the moment.
But as far as I can see, this is not an issue we have seen before. I do
not know what can be causing it. Does these cmdline calls cause high
load or any other problems?
Regards,
--
Samuel Mannehed ThinLinc Developer
Cendio AB http://cendio.com
Teknikringen 8 http://twitter.com/ThinLinc
583 30 Linköping http://facebook.com/ThinLinc
Phone: +46-13-214600 http://plus.google.com/+CendioThinLinc
More information about the Thinlinc-technical
mailing list