Offline audit trail analysis

Todd, Charles CTODD at ball.com
Tue Sep 11 19:31:53 UTC 2007


Thanks to Steve for being our biggest target for questions on this list!

 
Has anyone talked about sane ways to do offline analysis of Linux audit
logs?  Presumably, this would be on another Linux system, but maybe not
the same host, and probably not on the same release or with the same
username/IP address access.  Conceptually, ausearch would save, and
optionally read back, a system's "configuration" for interpretation
later.
 
My goal is central logging, but doing the reporting/analysis on the
central host.  That way, I can see a user across the Enterprise (or at
least in the Linux hosts), but with all the power of ausearch for
refining the report.  Ideally, I would do an ausearch -ts <date> -te
<date> --raw --config-to=<hostname.ausearch.config> and it would do
things like saving the syscall lookup table, looking up users referenced in
the reported audit trail, and resolving IP address references in the
reported audit trail.  Maybe one config file could be written for each
data type in an existing format (e.g. users in /etc/passwd format, hosts
in /etc/hosts format, etc.).  I'm mainly after whether or not anyone has
considered extending ausearch for this kind of processing.
 
This way, an archive of raw logs could be kept along with the exact
system configuration which allows offloading the audit trail analysis to
a trusted location, rather than risk side effects from a rootkit.
 
Charlie Todd 
Ball Aerospace & Technologies Corp.  
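As an added example for the approach proposed in the post above (not code from the audit userspace project, and not the --config-to option the post asks about, which does not exist): a small Python interpreter that resolves raw audit records against name tables captured on the source host rather than the analysis host. ausearch -i resolves uids and addresses through the local system's passwd and resolver, which is exactly the mismatch the post describes. The sidecar formats are an assumption chosen to match the post's suggestion: a copy of /etc/passwd, a copy of /etc/hosts, and the "number<TAB>name" lines that ausyscall --dump prints, together with the arch value those syscall numbers belong to. The audit records and the three tables are constructed sample data, not captured from a real host.

```python
"""Interpret raw Linux audit records with name tables from the SOURCE host.

Added example for the linux-audit thread; not part of the audit userspace
project.  Assumed sidecar files: /etc/passwd, /etc/hosts and the
"number<TAB>name" table printed by `ausyscall --dump` (header line skipped),
plus the arch field value that table applies to.
"""
import re
from datetime import datetime, timezone

# Constructed sample records in the form `ausearch --raw` emits (not real data).
RAW_RECORDS = """\
type=SYSCALL msg=audit(1189539113.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="id" exe="/usr/bin/id" key="exec"
type=USER_LOGIN msg=audit(1189539100.001:4500): pid=1200 uid=0 auid=1000 ses=1 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1189539120.500:4600): arch=40000003 syscall=11 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=99 auid=4294967295 uid=5000 gid=5000 euid=5000 suid=5000 fsuid=5000 egid=5000 sgid=5000 fsgid=5000 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="exec"
"""

# Constructed snapshots captured on the source host (assumed formats, see docstring).
SRC_PASSWD = "root:x:0:0:root:/root:/bin/bash\nctodd:x:1000:1000:Charlie Todd:/home/ctodd:/bin/bash\n"
SRC_HOSTS = "127.0.0.1 localhost\n10.0.0.5 jumphost.example.internal jumphost  # bastion\n"
SRC_SYSCALLS = "Using x86_64 syscall table:\n0\tread\n1\twrite\n59\texecve\n"
SRC_ARCH = "c000003e"  # x86_64; the table above is only valid for this arch value

_KV = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
_AUDIT_ID = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")
UNSET = 4294967295  # the kernel writes (unsigned)-1 for an unset auid/ses


def parse_passwd(text):
    """uid -> login name from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and not line.startswith("#"):
            users[int(parts[2])] = parts[0]
    return users


def parse_hosts(text):
    """ip -> canonical name from hosts-format lines; comments stripped."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            hosts.setdefault(parts[0], parts[1])
    return hosts


def parse_syscalls(text):
    """number -> name; non-numeric lines (the ausyscall header) are ignored."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit():
            table[int(parts[0])] = parts[1]
    return table


class HostSnapshot:
    def __init__(self, arch, passwd, hosts, syscalls):
        self.arch = arch
        self.users = parse_passwd(passwd)
        self.hosts = parse_hosts(hosts)
        self.syscalls = parse_syscalls(syscalls)

    def user(self, raw):
        n = int(raw)
        if n == UNSET:
            return "unset"
        # Never fall back to the analysis host's passwd: mark it unresolved instead.
        return self.users.get(n, f"{n}(unresolved)")


def parse_record(line):
    """Split one raw record into key=value fields; nested msg='...' is merged in."""
    fields = {}
    for key, val in _KV.findall(line):
        if key == "msg" and val.startswith("'"):
            for k2, v2 in parse_record(val[1:-1]).items():
                fields.setdefault(k2, v2)  # outer fields win on conflict
            continue
        fields[key] = val.strip('"')
    m = _AUDIT_ID.search(line)
    if m:
        fields["time"], fields["serial"] = int(m.group(1)), int(m.group(2))
    return fields


def interpret(fields, snap):
    """Resolve ids, syscall and address using the snapshot only."""
    out = dict(fields)
    for k in ("auid", "uid", "euid", "suid", "fsuid", "id"):
        if k in fields and fields[k].isdigit():
            out[k] = snap.user(fields[k])
    # Syscall numbers are per-arch: a 32-bit compat record on an x86_64 box
    # (arch=40000003) must not be looked up in the x86_64 table.
    if fields.get("syscall", "").isdigit() and fields.get("arch") == snap.arch:
        out["syscall"] = snap.syscalls.get(int(fields["syscall"]), fields["syscall"])
    if "addr" in fields:
        out["addr"] = snap.hosts.get(fields["addr"], fields["addr"])
    if "time" in fields:
        out["time"] = datetime.fromtimestamp(fields["time"], timezone.utc).isoformat()
    return out


def interpret_all(raw, snap):
    return [interpret(parse_record(l), snap) for l in raw.splitlines() if l.startswith("type=")]


SNAPSHOT = HostSnapshot(SRC_ARCH, SRC_PASSWD, SRC_HOSTS, SRC_SYSCALLS)

if __name__ == "__main__":
    for ev in interpret_all(RAW_RECORDS, SNAPSHOT):
        print(ev["time"], ev["type"], ev.get("syscall", "-"), ev.get("auid"), ev.get("uid"), ev.get("addr", "-"))
```

The point of the snapshot object is that nothing in it comes from the analysis host: an unknown uid is reported as unresolved rather than silently mapped to whatever local account happens to own that number, and a syscall number is only translated when the record's arch matches the table that was captured.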





