Cooked audit log format
Matthew Booth
mbooth at redhat.com
Mon May 12 15:02:36 UTC 2008
Steve Grubb wrote:
>> Simple starters would include:
>> * Translating the architecture and syscall names into human.
>
> libauparse, ausearch, & ausyscall can do this.
>
>> * Jumping one way or the other with the hex strings business
>
> not sure what you mean by this. ausearch, aureport, & libauparse can handle
> them.
Strings should be either always hex encoded, or always escaped
(preferably the latter).
>> * Translating socket addresses into human.
>
> libauparse, ausearch, and aureport all do this.
>
>> * Translating timestamps into human.
>
> libauparse, ausearch, and aureport all do this.
No doubt, but I'm interested in a general agreement around the output,
not which tools can generate it. My customer is using a third party
audit tool to collate logs from a large number of sources including
Linux accounting logs, but also including HP-UX, Solaris, Windows, AIX,
door sensors, etc... There is currently no good steer for third party
tool vendors about what log format they should support, hence I have
recommended uncooked. However, the problem with uncooked logs is that
they are offensive to the human eye ;) This makes life difficult for an
operator presented with a bunch of logs to look at, which together form
some interesting event.
>> * Ditching uninteresting records, such as PATH with no name for the
>> dynamic linker, and 2 PATH records when execing a script.
Oh, also:
* Ditching CWD and making all PATH records absolute.
>> with an ultimate goal of:
>> * Defining an expected set of data for every system call and putting
>> them all on a single line in a well defined format.
>
> I have a feeling that too will become an abomination. aureport tries to get
> the audit events down to the bare essentials. But what you wind up with is
> something that makes you want more details. When you add more details you
> feel like you want less.
The goal is semi human-readability in a standard, machine-readable
format. So include all the abominable details, but at the end of the
line ;) And put everything on 1 line. And define exactly what will be on
that line, every time.
>> Is anybody doing any work in this direction?
>
> Not really. Part of the problem is that I occasionally hear complaints about
> the audit format, but then no one that is actually /using/ the audit output
> is willing to help define what an auditor needs. I'd really like this to come
> from people who do this as their job.
>
> I can take a guess at what's needed. But I really want to hear it from the
> Security Officer's perspective.
>
> One thing that is on the TODO list is to make a output format that is like
> strace for syscall records. At least people have experience reading strace
> output and it might help make one class of record easier to understand. Doing
> this will be a big job, so I want to get some important things like remote
> logging finished before jumping into it.
>
I don't underestimate the size of the task: it's a huge mountain of
donkey work, but it really has to be done. And maintained...
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20080512/0fbc9189/attachment.sig>
More information about the Linux-audit
mailing list