[RFC] New ausearch output option & audit viewing in Spacewalk
Steve Grubb
sgrubb at redhat.com
Mon Jun 8 17:28:40 UTC 2009
On Monday 08 June 2009 12:46:37 pm Joshua Roys wrote:
> As part of developing an audit viewing "plugin"[1] to Spacewalk[2], I
> wrote a small program to use libauparse to output (easily)
> machine-parsable audit logs. I think this functionality would be nice
> to have in ausearch, and as such, wrote a patch for it.
Very interesting work. When you apply this patch and select its output format,
what does the output look like?
> As well as reviewing this patch, I would like your feedback concerning
> the Spacewalk audit plugin. Any questions or constructive criticism is
> welcome.
I think this is a very interesting project. But, I have to admit that I don't
use ausearch as the normal presentation program when I'm researching some
audit events. For example, a typical investigation may go something like
this:
1) you run aureport to see what is going on. Hmm... no AVCs... but lots of
files, therefore you are getting hits on rules. Wonder which ones?
2) you run the key report to see what the nature of hits is like. The access
key seems to be getting a lot of hits, wonder which files it might be?
3) you run ausearch selecting the access key and pipe that into the file
summary report. You notice one file is getting lots of hits. Wonder who is
doing it?
4) you run ausearch selecting the access key and the file name and pipe that
into the user summary report.
5) you notice it's one acct and you wonder what all failures that person has
had this session so you re-run the last ausearch command with --just-one so
you can find the ses=value. Then you run ausearch --session value --success no
and send that to aureport to get an overview of the session.
...
So, I'd recommend adding aureport's main summary and the aureport key summary
reports to the output so that you can see if there is any reason to do a
deeper investigation.
Interesting work!
-Steve
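The five-step drill-down described in the reply, reimplemented as an added example (it is not code from the audit package or from either poster) over a constructed sample of raw records in the layout that `ausearch --raw` emits. It does not call ausearch or aureport; each step's comment gives the command line the reply describes, and the parser, the `select`/`summary` helpers, the event serials, uids and paths in the sample are all assumptions made for the illustration.

```python
"""Constructed example: the aureport/ausearch drill-down from the reply, done
in Python over sample records. Not the audit package's own code."""
import re
from collections import Counter

# Constructed sample of raw audit records (layout of `ausearch --raw`).
# Each SYSCALL record is followed by the PATH record of the same event serial.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1244479340.101:201): arch=c000003e syscall=2 success=no exit=-13 items=1 auid=500 uid=500 ses=4 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1244479340.101:201): item=0 name="/etc/shadow" inode=1234 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1244479340.102:202): arch=c000003e syscall=2 success=no exit=-13 items=1 auid=500 uid=500 ses=4 comm="less" exe="/usr/bin/less" key="access"
type=PATH msg=audit(1244479340.102:202): item=0 name="/etc/shadow" inode=1234 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1244479340.103:203): arch=c000003e syscall=2 success=yes exit=3 items=1 auid=501 uid=501 ses=7 comm="vi" exe="/bin/vi" key="access"
type=PATH msg=audit(1244479340.103:203): item=0 name="/etc/hosts" inode=99 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1244479340.104:204): arch=c000003e syscall=2 success=no exit=-13 items=1 auid=500 uid=500 ses=4 comm="cp" exe="/bin/cp" key="access"
type=PATH msg=audit(1244479340.104:204): item=0 name="/etc/shadow" inode=1234 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1244479340.105:205): arch=c000003e syscall=2 success=no exit=-13 items=1 auid=500 uid=500 ses=4 comm="cat" exe="/bin/cat" key="sshd_config"
type=PATH msg=audit(1244479340.105:205): item=0 name="/etc/ssh/sshd_config" inode=77 mode=0100600 ouid=0 ogid=0
"""

HDR = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(raw):
    """Group records by event serial into one dict of fields per event.
    PATH names go into a 'files' list; other records' fields are merged."""
    events = {}
    for line in raw.splitlines():
        m = HDR.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        ev = events.setdefault(int(serial), {"time": float(ts), "files": []})
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == "PATH":
            ev["files"].append(fields.get("name"))
        else:
            ev.update(fields)
    return events


def select(events, key=None, file=None, session=None, success=None):
    """ausearch-style filter: every criterion given must match (AND)."""
    out = {}
    for serial, ev in events.items():
        if key is not None and ev.get("key") != key:
            continue
        if file is not None and file not in ev["files"]:
            continue
        if session is not None and ev.get("ses") != str(session):
            continue
        if success is not None and ev.get("success") != success:
            continue
        out[serial] = ev
    return out


def summary(events, field):
    """aureport --summary style: events per distinct value of a field."""
    c = Counter()
    for ev in events.values():
        if field == "files":
            c.update(ev["files"])
        elif field in ev:
            c[ev[field]] += 1
    return c


def drill_down(raw):
    """Walk the five steps of the reply and return what each one finds."""
    events = parse_events(raw)
    # 1-2) aureport ; aureport -k --summary  -> which key is getting the hits?
    top_key, _ = summary(events, "key").most_common(1)[0]
    # 3) ausearch -k KEY --raw | aureport -f --summary  -> which file?
    by_key = select(events, key=top_key)
    top_file, _ = summary(by_key, "files").most_common(1)[0]
    # 4) ausearch -k KEY -f FILE --raw | aureport -u --summary  -> who?
    by_file = select(by_key, file=top_file)
    top_user, _ = summary(by_file, "auid").most_common(1)[0]
    # 5) ausearch -k KEY -f FILE --just-one  -> read ses=, then
    #    ausearch --session SES --success no --raw | aureport
    first = by_file[min(by_file)]
    session = first["ses"]
    failures = select(events, session=session, success="no")
    return {
        "key": top_key,
        "file": top_file,
        "auid": top_user,
        "ses": session,
        "failed_in_session": sorted(failures),
        "failed_exes": summary(failures, "exe"),
    }


if __name__ == "__main__":
    for step, found in drill_down(SAMPLE_LOG).items():
        print(f"{step}: {found}")
```

On the sample the walk lands on key "access", file /etc/shadow, auid 500 and session 4, and the last step then surfaces event 205 (a different key, same session) that the key-scoped searches never showed; that widening is the point of step 5. `most_common(1)` breaks ties by first occurrence, so on real data with equal counts look at the whole summary rather than the first row.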
More information about the Linux-audit mailing list