Thursday, February 16, 2012

Add date to Bash History

In order to add a date stamp to your bash history add the following two lines to your .bash_profile:

HISTTIMEFORMAT='%F %T '
export HISTTIMEFORMAT

Alternatively, you can set this variable globally, so that every user's history keeps the timestamps, by putting the same two lines in a file under the /etc/profile.d directory:

# echo "HISTTIMEFORMAT='%F %T '" > /etc/profile.d/histtimestamps.sh
# echo "export HISTTIMEFORMAT" >> /etc/profile.d/histtimestamps.sh
# chmod +x /etc/profile.d/histtimestamps.sh

Your history will then look like this:
...
902 2012-02-16 09:50:33 cd /var/log
903 2012-02-16 09:50:33 ll
904 2012-02-16 09:50:33 ls -lat | sort -t
905 2012-02-16 09:50:33 ls -lat
...

Monday, February 13, 2012

Build an SELinux policy from an audit log

Often a command on Linux will simply fail without leaving any message in /var/log/messages, or seemingly anywhere else we usually check. However, if you look at the SELinux audit log, /var/log/audit/audit.log, the error message is sometimes there.

For example, every once in a while after a kernel update I can't use the talk program. It simply says the connection is being refused by the other user. Since I already know SELinux is the culprit, I grep the audit log:

grep -i talkd /var/log/audit/audit.log

The result:

type=AVC msg=audit(1329155365.865:143): avc: denied { open } for pid=5631 comm="in.ntalkd" name="1" dev=devpts ino=4 scontext=system_u:system_r:ktalkd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1329155365.865:143): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc83c0eb8 a1=101 a2=7fffc83c0ec3 a3=7fffc83c0690 items=0 ppid=5630 pid=5631 auid=4294967295 uid=99 gid=5 euid=99 suid=99 fsuid=99 egid=5 sgid=5 fsgid=5 tty=(none) ses=4294967295 comm="in.ntalkd" exe="/usr/sbin/in.ntalkd" subj=system_u:system_r:ktalkd_t:s0-s0:c0.c1023 key=(null)

Two entries, sharing the audit event id 1329155365.865:143, show that in.ntalkd is denied. If you really want to authorize this access, grep the tail end of the file for that event and feed it to audit2allow to generate a policy module that allows it:

tail /var/log/audit/audit.log | grep '1329155365.865:143' | audit2allow -M talkpolicy

audit2allow generates a talkpolicy.pp file and also prints instructions on how to activate it, namely:

semodule -i talkpolicy.pp

This takes a minute or two and effectively authorizes the blocked program to run.
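Because audit2allow turns every matched denial into an allow rule, it is worth seeing what the module will grant before running semodule -i. As an added example (not code from the post and not a reimplementation of audit2allow), here is a small Python parser for AVC records that prints the allow rule each denial would turn into; the sample log is constructed from the two records above plus one made-up record for the same contexts, and merging permissions per source/target/class triple is my assumption about how such rules are written up.

```python
import re

# Constructed sample log: the two records quoted in the post, plus one
# constructed AVC record for the same source/target/class to show how
# permissions from several denials merge into one rule.
SAMPLE_LOG = """\
type=AVC msg=audit(1329155365.865:143): avc: denied { open } for pid=5631 comm="in.ntalkd" name="1" dev=devpts ino=4 scontext=system_u:system_r:ktalkd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1329155365.865:143): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc83c0eb8 a1=101 a2=7fffc83c0ec3 a3=7fffc83c0690 items=0 ppid=5630 pid=5631 auid=4294967295 uid=99 gid=5 euid=99 suid=99 fsuid=99 egid=5 sgid=5 fsgid=5 tty=(none) ses=4294967295 comm="in.ntalkd" exe="/usr/sbin/in.ntalkd" subj=system_u:system_r:ktalkd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1329155365.870:144): avc: denied { read write } for pid=5631 comm="in.ntalkd" name="1" dev=devpts ino=4 scontext=system_u:system_r:ktalkd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scontext>\S+) "
    r"tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Pull the type out of a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Return the denial fields of one AVC record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "serial": m["serial"],
        "perms": m["perms"].split(),
        "source": type_of(m["scontext"]),
        "target": type_of(m["tcontext"]),
        "tclass": m["tclass"],
    }

def allow_rules(log_text, serial=None):
    """Allow rules equivalent to the denials in log_text, one per
    (source, target, class) triple; serial restricts to one audit event."""
    perms_by_triple = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None or (serial is not None and d["serial"] != serial):
            continue
        key = (d["source"], d["target"], d["tclass"])
        perms_by_triple.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_triple.items()):
        p = " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, p if len(perms) == 1 else "{ %s }" % p))
    return rules
```

Restricting to the event serial from the post (allow_rules(SAMPLE_LOG, serial="143")) yields only the open permission on user_devpts_t:chr_file, which is what the grep in the post hands to audit2allow.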