creating and inserting audits

LC Bruzenak lenny at magitekltd.com
Tue Sep 7 21:02:21 UTC 2010


On Tue, 2010-09-07 at 16:38 -0400, Nestler, Roger - IS wrote:
>  

> Does this capability exist already in linux audit and I’m just not
> seeing it???
> 

man audit_log_user_message
 
> 
> Is it a bad idea to build and then to insert a custom audit/message,
> or any standard audit, into the audit.log file?

Nope.

> If so are there any problems to look out for, e.g. event id/sequence
> number collisions, auparse or ausearch problems, formatting issues to
> adhere to???
> 

The text in the audit_log_user_message is not really freeform-safe, and
it is practically limited to somewhere around 900+ bytes (from a kernel
setting, unless it has been updated since).

The parser will throw away some of your records if the text matches what
it is looking for elsewhere. Maybe Steve can point out the specs. For
example, I had this one:

> > # ausearch -ts this-week -a 22476
> > <no matches>
> >
> > in the raw log:
> > node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700
> > uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim
> > type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
> > name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp
> > ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 :
> > exe="/usr/local/sbin/auditctl" (hostname=?, addr=?, terminal=pts/13
> > res=success)'
> >
> > Any clues?
> 
> When ausearch finds a malformed record, it discards it as a safety measure.
> 
> -Steve

LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
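The two constraints Lenny describes, the size limit on the text passed to audit_log_user_message and the parser discarding a record whose free text looks like another record (the nested type=PATH record quoted above), can be checked before the call is made. The block below is an added example for this page, not code from the thread or from the audit project: a Python model of those pre-flight checks plus the quote-or-hex rule that libaudit's audit_encode_nv_string applies to name=value pairs. MAX_USER_MSG_BYTES, the RECORD_TOKENS patterns and the decision to hex-encode any value that carries record-like tokens are our own assumptions and simplifications, not ausearch's actual grammar, and NESTED_FROM_THREAD is constructed from the quoted log line.

```python
"""Pre-flight checks for text destined for audit_log_user_message().

Added example; models the limits discussed in the thread. The numbers and
token patterns are assumptions, not values taken from libaudit or ausearch.
"""
import re

# Assumption: the thread only says "somewhere around 900+ bytes".
MAX_USER_MSG_BYTES = 900

# Simplified model of what an audit log parser keys on when it splits the
# log into records. Free text containing these looks like a record boundary.
RECORD_TOKENS = (
    re.compile(r"\btype=[A-Z_]+\b"),
    re.compile(r"\bmsg=audit\([^)]*\)"),
    re.compile(r"\bnode=\S+"),
)

# Constructed from the inner msg='...' of the USER record quoted in the thread.
NESTED_FROM_THREAD = (
    "node=jim type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : "
    "item=4 name=/var/lib/ntp/drift"
)


def find_record_tokens(text: str) -> list:
    """Return the substrings of text that look like audit record syntax."""
    return [m.group(0) for pat in RECORD_TOKENS for m in pat.finditer(text)]


def needs_hex_encoding(raw: bytes) -> bool:
    """libaudit's rule (audit_value_needs_encoding): a double quote, any byte
    below 0x21 (space and controls) or above 0x7e forces hex encoding."""
    return any(b == 0x22 or b < 0x21 or b > 0x7E for b in raw)


def encode_field(name: str, value: str) -> str:
    """Render name=value the way libaudit's audit_encode_nv_string does:
    double-quoted when the value is plain, uppercase hex of the bytes
    otherwise. Extra defensive step (ours, not libaudit's): a value that
    contains record-like tokens is hex-encoded as well, so the payload can
    never be mistaken for the start of another record."""
    raw = value.encode("utf-8")
    if needs_hex_encoding(raw) or find_record_tokens(value):
        return f"{name}={raw.hex().upper()}"
    return f'{name}="{value}"'


def check_message(text: str) -> list:
    """List the reasons a free-form text is unsafe as a USER msg payload.
    An empty list means nothing in this model objects to it."""
    problems = []
    size = len(text.encode("utf-8"))
    if size > MAX_USER_MSG_BYTES:
        problems.append(f"too long: {size} bytes > {MAX_USER_MSG_BYTES}")
    tokens = find_record_tokens(text)
    if tokens:
        problems.append("contains record-like tokens: " + ", ".join(tokens))
    if needs_hex_encoding(text.encode("utf-8")):
        problems.append("contains characters libaudit would hex-encode")
    return problems


def build_user_message(fields: dict) -> str:
    """Join encoded name=value pairs into one payload and enforce the size
    limit on the encoded form (hex doubles the length of a value)."""
    msg = " ".join(encode_field(k, v) for k, v in fields.items())
    size = len(msg.encode("utf-8"))
    if size > MAX_USER_MSG_BYTES:
        raise ValueError(f"encoded message is {size} bytes, over {MAX_USER_MSG_BYTES}")
    return msg


if __name__ == "__main__":
    for problem in check_message(NESTED_FROM_THREAD):
        print("nested record from the thread:", problem)
    print(build_user_message({"op": "key-rotation", "result": "ok"}))
    print(build_user_message({"op": "type=PATH", "comment": "key rotated"}))
```

Running the module shows the nested record from the thread flagged twice (record tokens and characters that need encoding) and, for well-formed input, the `name="value"` form a parser can consume; a value that would have looked like a record boundary comes out as hex instead of being dropped later by ausearch. The size check runs on the encoded string because hex encoding doubles the byte count of a value.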
