Offline audit trail analysis

Steve Grubb sgrubb at redhat.com
Tue Sep 11 20:22:22 UTC 2007 

On Tuesday 11 September 2007 15:31:53 Todd, Charles wrote:
> Has anyone talked about sane ways to do offline analysis of Linux audit
> logs?  Presumably, this would be on another Linux system, but maybe not
> the same host, and probably not on the same release or with the same
> username/IP address access.  Conceptually, ausearch would save and
> optionally read a system's "configuration" to be saved for
> interpretation later.

ausearch uses getpw* and getgr* calls to resolve the uid & gid. Aside from 
that, I believe it is self contained. (I haven't dug too deep in answering 
this question.)


> My goal is central logging, but doing the reporting/analysis on the
> central host.  That way, I can see a user across the Enterprise (or at
> least in the Linux hosts), but with all the power of ausearch for
> refining the report.

That is in the works...

> Ideally, I would do an ausearch -ts <date> -te 
<date> --raw --config-to=<hostname.ausearch.config> and it would do
> things like saving the syscall lookup table,

This is actually inside libaudit for all arches.

> lookup users referenced in the reported audit trail, 

uid & gid are based on the host's /etc/nsswitch.conf settings. If file, then 
its the local passwd/group files. If not, you have a central uid database.

> and resolve IP addresses references in the reported audit trail.

Hmm. As long as systems don't get changed too much, this should be resolvable 
from anything that has DNS access.

> Maybe one config file could be written for each data type in an existing
> format (e.g. users in /etc/passwd format, hosts in /etc/hosts format, etc.). 
> I'm mainly after whether or not anyone has considered extending ausearch for
> this kind of processing?

Sort of. I am working towards central logging. Getting the new event 
dispatcher completed is the first step. But I haven't looked at storing user 
and gid away yet. The calls that I'm using don't really allow substituting a 
new passwd or group file. So, I'd have to change all that code. But if you 
have an enterprise setup, you shouldn't be deleting user IDs to keep from 
having a collision down the road.

> This way, an archive of raw logs could be kept along with the exact
> system configuration which allows offloading the audit trail analysis to
> a trusted location, rather than risk side effects from a rootkit.

Yep.

-Steve

More information about the Linux-audit mailing list