user audits

Steve Grubb sgrubb at redhat.com
Fri Dec 3 16:25:15 UTC 2010 

On Friday, December 03, 2010 11:12:25 am LC Bruzenak wrote:
> On Fri, 2010-12-03 at 10:54 -0500, Steve Grubb wrote:
> > On Friday, December 03, 2010 10:40:37 am LC Bruzenak wrote:
> > > Would there be any issue with adding a couple new trusted_application
> > > event types? Would any kernel mods be needed to support this?
> > 
> > Are these events originating in user space or the kernel? I might be
> > convinced to set aside the block of IDs from 2600 - 2699 for local use
> > if a suitable framework were written. This would mean that there is some
> > config file that holds the local mapping of event IDs to text and
> > ausearch/report/parse will need to be patched to understand local
> > definitions.
> 
> Great!
> 
>From user space only. Analogous to signal handling of SIGUSR1, SIGUSR2
> where the framework supports the user-implemented pieces.
> 
> I was thinking ausearch/auparse would treat all the TRUSTED_APPs the
> same...since they (currently) fails to parse these correctly anyway
> IMHO. :)

It translates the event record type and allows searches based on the event record's 
name. Aureport totals event types. Auparse also translates event type. libaudit may or 
may not have validation issues - I have not looked at the code for sending events 
lately.

 
> Everything else could treat the additional user types exactly as they do
> the TRUSTED_APP event now. When I dig through the events on the back end
> I would be able to act differently on the ones I know I've put in place
> on the originating end.

Parsing the event beyond the type, timestamp, and serial number is problematic. But 
the first couple items are standard and the kernel enforces conformance. That is as far 
as I was thinking to go with it.


> > Would you be interested in this approach?
> 
> Absolutely!
> I will be starting work on some stuff which could utilize this after the
> holidays. If it gets into RHEL6 I would be thrilled!

Look at what I said above. I would suggest a file at /etc/audit/local.defs for a 
mapping of local definitions. I would expect to be able to use: 

ausearch -m local-type
aureport --summary --events -i

-Steve

More information about the Linux-audit mailing list