audit 1.3 released

John Calcote jcalcote at novell.com
Tue Nov 28 23:53:07 UTC 2006


Steve, 

Great work! Glad to see this release come out - it covers a lot of important features that some of us have been waiting a while for. Now that you've got this update out the door, you're probably feeling like the load's been lightened a bit. Perhaps you can spare a moment or two to consider the content issue I brought up a few weeks ago. I sent a comment to this list regarding audit record content. 

Please allow me to recap...

As I stated in my earlier message, this group has focused a lot on transport, security and performance, but not a lot of effort has gone into content. Transport, security and performance are absolutely critical aspects of a distributed audit service, but wouldn't you agree that these features are worth a lot more in conjunction with a good content model?

Back-end analysis tools spend most of their processing time just trying to properly parse, decode and classify events from various applications and system modules, so they can properly analyze the fundamental meaning of a sequence of events within a system or intranet - quite frankly, without such automated analysis, large data centers have little use for terabyte log files. And let's be honest here - who else really cares about audit?

Wouldn't it be great if we had a common taxonomy, record format and even a cross-platform portable API to which applications and systems could throw audit events, as well as a set of documentation that would provide key insights to security developers concerning the security-relevance of various network, application or system events? Well, it so happens that we can - OpenXDAS (http://openxdas.sourceforge.net) is an OSS project that provides a cross-platform, portable code base. This project is based on an open standard (The Open Group's Distributed Audit Service - XDAS). XDAS defines the following aspects of an audit system:

1. A common (but extensible) taxonomy designed around a wide range of network security relevant events. 

2. A common record format, the basis of which is a series of UTF-8 delimited text fields defining all of the critical aspects of an audit event - a common set of header information, the event originator, the event initiator, the event target, the event source (if the event was translated from a native event system), and additional event data comprised of comma-separated name=value pairs. 

3. An API composed of multiple conformance levels: Read, Submit, Manage, Translate/Convert, etc. 

OpenXDAS currently supports the basic conformance level and the Submit conformance level, giving applications and system modules the ability to submit audit events to any number of back-end plugin event loggers - one of the currently available event loggers is LAF for systems that support LAF. 

Interestingly, XDAS purposely does NOT define transport, security or performance aspects of a distributed audit system, which is why I consider the LAF project and the OpenXDAS project to be perfect complements for each other. I would love to have some feedback from you guys, and even some community support in the form of verbal votes of confidence regarding my efforts on this project - I hope that in time, the community of OpenXDAS users will grow in size and backing so that the world will recognize an emerging standard.

Thanks in advance,
John

>>> Steve Grubb <sgrubb at redhat.com> 11/28/2006 4:01 PM >>>
Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit  It will also be in rawhide  
tomorrow. The Changelog is:

- ausearch & aureport implement uid/gid caching
- In ausearch & aureport, extract addr when hostname is unknown
- In ausearch & aureport, test audit log presence O_RDONLY
- New ausearch/aureport time keywords: recent, this-week, this-month, this-year
- Added --add & --delete option to aureport
- Update res parsing in config change events
- Increase the size on audit daemon buffers
- Parse avc_path records in ausearch/aureport
- Rework AVC processing in ausearch/aureport
- ausearch has new output mode, raw, for extracting events
- ausearch/aureport can now read stdin
- Added long options to ausearch and aureport
- new auditd commandline option, -l, to allow following symlinks for its config file.


This is a big update with several new things. The first three are performance 
improvement things. 

The next item introduces some new keywords for time ranges. recent means 10 
minutes ago, this-week means since day 0 of the week as determined by your 
locale, this-month means day 1 of the current month, and this-year means 1/1 
of the current year.

The next item adds 2 new command line options to aureport. This is intended to 
sort out things that are related to adding rules/users/groups vs deleting 
them. This can be handy to divide up config change reports.

The next 4 items are bug fixes.

ausearch has a new output mode, --raw. This means that the audit log entry is 
emitted with no interpretation and no changes. This is handy to extract 
portions of logs for use later or as the first stage of piping commands 
together. If you have a user you want to extract logs for, you can now do 
this:

ausearch -ts this-week -ul 500 > user.log

The next item in the new features is that ausearch/aureport can now take 
events from stdin. So, you can now do something like this:

ausearch -ts this-month -ul 500 --raw | aureport

The next item is that every commandline option in ausearch/aureport has a long 
option. This means that you can do this:

ausearch --start this-week --loginuid 500 --message avc --terminal tty1

or

aureport --start this-month --failed --event

The final item is a commandline option allowing auditd to follow symlinks to 
read its config file. I guess this might be useful for people doing stateless 
or live CDs where the writeable files are kept somewhere else.

If you see any issues with this release please let me know.

-Steve
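The time keywords and the `-ts`/`-ul` selection Steve describes, reimplemented as an added Python example (this is not code from the audit package); the raw records below are constructed, the `msg=audit(seconds.ms:serial)` field and `auid=` are the real raw-log conventions, and Sunday as day 0 of the week is an assumption since the real tool consults the locale.

```python
import re
from datetime import datetime, timedelta, timezone

# Reference "now" for the constructed records: Tuesday 2006-11-28 16:01 UTC.
NOW = datetime(2006, 11, 28, 16, 1, tzinfo=timezone.utc)

def range_start(keyword, now=NOW, week_start=6):
    """Earliest time matched by an ausearch -ts keyword, per the release note.
    week_start is the weekday() number of the locale's day 0; 6 (Sunday) is an
    assumption here, the real tool asks the locale."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if keyword == "recent":                 # 10 minutes ago
        return now - timedelta(minutes=10)
    if keyword == "this-week":              # day 0 of the current week
        return midnight - timedelta(days=(now.weekday() - week_start) % 7)
    if keyword == "this-month":             # day 1 of the current month
        return midnight.replace(day=1)
    if keyword == "this-year":              # 1/1 of the current year
        return midnight.replace(month=1, day=1)
    raise ValueError("unknown time keyword: %s" % keyword)

# Every raw record carries msg=audit(<seconds>.<ms>:<serial>); -ul matches auid=.
_TS = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
_AUID = re.compile(r"\bauid=(\d+)\b")

def select_raw(lines, keyword, loginuid, now=NOW, week_start=6):
    """Serials of records at/after the keyword's start whose auid matches,
    i.e. what `ausearch -ts <keyword> -ul <loginuid> --raw` would pass on."""
    start = range_start(keyword, now, week_start)
    kept = []
    for line in lines:
        ts, auid = _TS.search(line), _AUID.search(line)
        if not ts or not auid:
            continue  # no timestamp or no loginuid field: never selected by -ul
        when = datetime.fromtimestamp(int(ts.group(1)), tz=timezone.utc)
        if when >= start and int(auid.group(1)) == loginuid:
            kept.append(int(ts.group(2)))
    return kept

# Constructed raw records (not a real capture); times are relative to NOW.
SAMPLE = [
    "type=USER_LOGIN msg=audit(1164495600.001:101): pid=201 uid=0 auid=500 res=success",  # Sat Nov 25
    "type=USER_CMD msg=audit(1164621600.002:102): pid=202 uid=500 auid=500 cmd=ls",       # Mon Nov 27
    "type=USER_AUTH msg=audit(1164729300.003:103): pid=203 uid=0 auid=500 res=failed",    # 6 minutes ago
    "type=USER_AUTH msg=audit(1164729480.004:104): pid=204 uid=0 auid=501 res=success",   # other loginuid
    "type=DAEMON_START msg=audit(1164729600.005:105): auditd start, ver=1.3",             # no auid field
]

if __name__ == "__main__":
    for kw in ("recent", "this-week", "this-month", "this-year"):
        print(kw, range_start(kw).isoformat(), select_raw(SAMPLE, kw, 500))
```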
