Dispatcher - single line output (perl)

Leigh Purdie intersect at gmail.com
Tue Aug 8 01:32:12 UTC 2006


All,

Some of you may remember the post a month or two back about an audit
dispatcher that converts the output of auditd into
one-line-per-event/one-event-per-line.

I've reached an alpha state for this program, and would appreciate
comments/suggestions etc.

Features:
* Takes the output from auditd, and migrates the data into something
that is suitable for applications that expect an event to be self
contained on a single line.
* Tries to extrapolate usernames from userids (using an internal cache
if it can, to cut down on the getpw* calls) so that a centralised
audit collection system doesn't have to keep UID->username mappings
for all systems.
* Turns eventID numbers into event names (multi-arch compatible).
* Filters audit log data based on administrator-configurable objectives.
* Automatically turns on events as appropriate, based on the
administrator's defined objectives.
* Internal/Embedded web server for remote control of the audit
configuration, and (to a certain extent) review of the most recently
received audit events. Fully contained within the code - no external
files accessed to build the web pages (except the config file). The
http server can be password protected, and has a basic IP-based access
control capability.
* Sends audit data to a specified IP address/port combination (snare
format, or syslog format), or local file (though this isn't supported
in the web-gui).

Installation:
$ tar xzf SnareLinux-1.0.tar.gz
$ make
# cp /etc/audit.rules /etc/audit.rules-`date "+%Y%m%d"`
# cp /etc/auditd.conf /etc/auditd.conf-`date "+%Y%m%d"`
# make install

# vi /etc/snare.conf
.. uncomment:
   #        allow=1

# /etc/init.d/auditd restart

(make uninstall will revert).

Point a browser at port 6161 of the target machine, and
configure/manage appropriately.

If you don't want to fire up a syslog server, or snare micro server to
receive events, feel free to run something like this for testing:
$ socat udp4-listen:6161,reuseaddr,fork OPEN:/tmp/snare.log,creat,append

Alternatively, manually add the following into the [Output] section of
the config file:
     file=/tmp/snare.log

Developed on RHEL4U2/Centos4U2. Only very basic testing/qa has been
performed so far. I'd be very interested to know if it works 'out of
the box' on any other distros, or if people have any problems with
installation/use.

BTW: Assume the code is fully GPL - I haven't plastered the
notification through the source yet though. :)

Regards,

Leigh.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SnareLinux-1.0.tar.gz
Type: application/x-gzip
Size: 25242 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20060808/554e776e/attachment.bin>
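As an added illustration of the first three features Leigh lists (one line per event, cached uid-to-username resolution, syscall number to name), here is a small Python sketch. It is not Leigh's code (which is in the attached tarball) and not the Snare project's own dispatcher; the sample audit records, the partial x86_64 syscall table, the field-prefixing scheme and the output layout are all constructed assumptions for this example.

```python
import re
import pwd
from collections import OrderedDict

# Constructed sample input (not a real capture): one event spanning three
# auditd records (serial 4242) and one single-record event (serial 4243).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1154996400.123:4242): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=1234 auid=500 uid=0 euid=0 comm="cat" exe="/bin/cat" key="watch-passwd"
type=CWD msg=audit(1154996400.123:4242):  cwd="/root"
type=PATH msg=audit(1154996400.123:4242): item=0 name="/etc/passwd" inode=1 dev=08:01 mode=0100644 ouid=0 ogid=0
type=CRED_ACQ msg=audit(1154996401.500:4243): pid=2000 uid=0 auid=4294967295 msg='op=PAM:setcred acct="leigh" exe="/usr/sbin/sshd" res=success'
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
# key=value pairs; values may be bare, "double-quoted" or 'single-quoted'
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

# Assumed, deliberately partial x86_64 table (arch=c000003e). A real dispatcher
# needs the full per-architecture tables to be "multi-arch compatible".
SYSCALL_NAMES = {"c000003e": {0: "read", 1: "write", 2: "open", 59: "execve"}}
UID_FIELDS = ("auid", "uid", "euid", "suid", "fsuid", "ouid")
UNSET_UID = 4294967295  # auditd's value for an unset login uid


class UidResolver:
    """Map numeric uids to names, caching results to avoid repeated getpw* calls."""

    def __init__(self, lookup=None):
        # lookup(uid) -> name, raising KeyError when unknown; defaults to the passwd db
        self._lookup = lookup or (lambda uid: pwd.getpwuid(uid).pw_name)
        self._cache = {}
        self.lookups = 0  # how many calls actually reached the lookup function

    def name(self, value):
        try:
            uid = int(value)
        except ValueError:
            return value
        if uid == UNSET_UID:
            return "unset"
        if uid not in self._cache:
            self.lookups += 1
            try:
                self._cache[uid] = self._lookup(uid)
            except KeyError:
                self._cache[uid] = str(uid)  # unknown on this host: keep the number
        return self._cache[uid]


def parse_record(line):
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = OrderedDict(FIELD_RE.findall(m.group("rest")))
    return m.group("type"), m.group("ts"), m.group("serial"), fields


def collapse_events(lines, resolver):
    """Group auditd records by serial number and return one dict per event."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line.rstrip("\n"))
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events.setdefault(serial, OrderedDict(ts=ts, serial=serial, types=[]))
        ev["types"].append(rtype)
        for k, v in fields.items():
            # SYSCALL fields stay bare; other record types get a prefix so that,
            # for example, PATH's ouid does not clobber SYSCALL's uid fields
            key = k if rtype == "SYSCALL" else "%s.%s" % (rtype.lower(), k)
            n = 1
            while key in ev:  # several PATH records: path.name, path.name#2, ...
                n += 1
                key = "%s#%d" % (key.split("#")[0], n)
            ev[key] = v
    for ev in events.values():
        if "syscall" in ev:
            table = SYSCALL_NAMES.get(ev.get("arch"), {})
            ev["syscall_name"] = table.get(int(ev["syscall"]), ev["syscall"])
        for key in list(ev):
            base = key.split(".")[-1].split("#")[0]
            if base in UID_FIELDS:
                ev[key + "_name"] = resolver.name(ev[key])
    return list(events.values())


def format_event(ev):
    """Render one event as a single line of key=value pairs."""
    parts = ["time=%s" % ev["ts"], "serial=%s" % ev["serial"],
             "types=%s" % ",".join(ev["types"])]
    parts += ["%s=%s" % (k, v) for k, v in ev.items() if k not in ("ts", "serial", "types")]
    return " ".join(parts)


def dispatch(text, resolver=None):
    resolver = resolver or UidResolver()
    return [format_event(ev) for ev in collapse_events(text.splitlines(), resolver)]


if __name__ == "__main__":
    for line in dispatch(SAMPLE_AUDIT_LOG):
        print(line)
```

This version reads its whole input before emitting anything. A dispatcher fed live by auditd must instead decide when an event is complete, for instance by flushing a serial after a short timeout or on an end-of-event record, otherwise a PATH record arriving late would be lost or emitted as a separate event.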