audit aggregation

Steve Grubb sgrubb at redhat.com
Wed Jan 30 17:50:01 UTC 2008


On Wednesday 30 January 2008 12:26:12 LC Bruzenak wrote:
> Just a thought from someone who is following this list closely b/c I'm
> tasked with setting up a multi-host system auditing capability - one
>
> thing Steve G. mentioned was:
> > > it both decodes AND performs contextual substitution. Contextual
> > > substitution only has meaning when applied on the same host and at
> > > approximately the same time as when the audit record was generated.
> >
> > Correct. You are talking about something the library does not handle
> > today. The reason is because there is no designed method to aggregate
> > logs. So, when that work is done, auparse will be fixed up to handle
> > the situation.
>
> I have been thinking about how to solve this also; I bet I'm not alone.

The audit records are fairly self contained except user and groups. What I'm 
thinking is that when the audit daemon starts up/rotates logs, it would send 
an event that records all user/groups. This may not be needed for sites using 
a network based identity system. So, it would probably be a config option in 
auditd.conf just like whether or not to include node information. If the 
record exists, auparse would cache it for reference in case interpretations 
are needed for that host. It would replace the cached record when another for 
the same host comes along.

Another possibility would be to have the sending site do an immediate 
translation of user/group and add that to the record. This could cause 
records to get longer. So it's got some drawbacks.


> So if/when changes are made I'd be grateful if it is included. I'll be
> willing to participate as required.

Sure, I'll probably be starting into this during February. One complication is 
that I need to reserve a port with IANA. Being that audit data is important, 
you would want to be on a port < 1024 to prevent any spoofing. But in order 
to get a port < 1024, you need to have an IETF RFC.


> ps: Steve the prelude plugins are excellent!

I should be releasing a new audit package in the next few days. I've gotten 
some excellent feedback from the prelude developers and I'm incorporating the 
changes they suggested. I'm adding a few more events this time around, too.

-Steve
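
The per-host identity snapshot scheme Steve sketches above, as an added example that is not Steve's code nor anything from the audit package: a hypothetical IDENTITY_SNAPSHOT record (with made-up users= and groups= fields) is emitted per node, cached by node, and replaced when a newer one for the same node arrives; records from a node with no snapshot keep their numeric ids instead of being interpreted with another host's names. The record lines are constructed sample input.

```python
import re
from dataclasses import dataclass, field

# Audit records are whitespace-separated key=value fields. The node= field is
# present when auditd is configured to include node information.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit record line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def _parse_table(text):
    """'root:0,alice:1000' -> {'0': 'root', '1000': 'alice'} (numeric id -> name)."""
    table = {}
    for entry in text.split(","):
        name, num = entry.rsplit(":", 1)
        table[num] = name
    return table


@dataclass
class IdentityCache:
    """Per-host uid/gid name tables; a newer snapshot for a host replaces the old one."""
    users: dict = field(default_factory=dict)   # node -> {uid: name}
    groups: dict = field(default_factory=dict)  # node -> {gid: name}

    def feed(self, rec):
        """Cache a snapshot record. Returns True if rec was a snapshot, else False."""
        if rec.get("type") != "IDENTITY_SNAPSHOT":   # hypothetical record type
            return False
        node = rec["node"]
        self.users[node] = _parse_table(rec["users"])
        self.groups[node] = _parse_table(rec["groups"])
        return True

    def interpret(self, rec):
        """Return a copy of rec with id fields replaced by names known for its host.
        Fields stay numeric when no snapshot for that host has been seen."""
        out = dict(rec)
        node = rec.get("node")
        users = self.users.get(node, {})
        groups = self.groups.get(node, {})
        for key in ("uid", "auid", "euid"):
            if key in out:
                out[key] = users.get(out[key], out[key])
        for key in ("gid", "egid"):
            if key in out:
                out[key] = groups.get(out[key], out[key])
        return out


def interpret_stream(lines):
    """Process records in arrival order, using only the latest snapshot per host."""
    cache = IdentityCache()
    results = []
    for line in lines:
        rec = parse_record(line)
        if not cache.feed(rec):
            results.append(cache.interpret(rec))
    return results


# Constructed sample stream: uid 1000 belongs to different people on hostA and
# hostB, hostC never sends a snapshot, and hostA later sends a fresh snapshot
# after the account was renamed.
SAMPLE = [
    'type=IDENTITY_SNAPSHOT node=hostA users=root:0,alice:1000 groups=root:0,staff:50',
    'type=IDENTITY_SNAPSHOT node=hostB users=root:0,bob:1000 groups=root:0,wheel:10',
    'type=SYSCALL node=hostA msg=audit(1201715400.123:42): uid=1000 gid=50 auid=1000 comm="vim"',
    'type=SYSCALL node=hostB msg=audit(1201715401.456:17): uid=1000 gid=10 auid=0 comm="ls"',
    'type=SYSCALL node=hostC msg=audit(1201715402.789:5): uid=1000 gid=1000 comm="cat"',
    'type=IDENTITY_SNAPSHOT node=hostA users=root:0,alice2:1000 groups=root:0,staff:50',
    'type=SYSCALL node=hostA msg=audit(1201715500.000:43): uid=1000 gid=50 auid=1000 comm="vim"',
]

if __name__ == "__main__":
    for rec in interpret_stream(SAMPLE):
        print(rec["node"], rec.get("uid"), rec.get("gid"), rec.get("auid"))
```

The cache is keyed only by node; a snapshot taken at log rotation is applied to every later record from that host until the next snapshot arrives, which is the "replace the cached record when another for the same host comes along" behaviour and is why the hostC record is left numeric rather than guessed from another host's table.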