New draft standards

Richard Guy Briggs rgb at redhat.com
Tue Dec 8 20:49:58 UTC 2015


On 15/12/08, Steve Grubb wrote:
> Hello,
> 
> I would like to point out 2 new standards that have been posted to the linux 
> audit web page. The first establishes the events around system start up and 
> shutdown. This is important because it sets the session boundaries for when a 
> system is up or down or crashed.
> 
> http://people.redhat.com/sgrubb/audit/system-lifecycle.txt

A couple of very minor corrections to this first one:

--- system-lifecycle.txt.orig	2015-12-08 15:36:34.441782830 -0500
+++ system-lifecycle.txt	2015-12-08 15:38:10.763998066 -0500
@@ -62,7 +62,7 @@
 /* boot */
 audit_log_user_message (fd, AUDIT_SYSTEM_BOOT, "init", NULL, NULL, NULL, 1);
 
-/* run leve change */
+/* run level change */
 snprintf (buf, sizeof (buf), "old-level=%c new-level=%c", old, level);
 audit_log_user_message (fd, AUDIT_SYSTEM_RUNLEVEL, buf, NULL, NULL, NULL, 1);
 
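Review bot: comment-only typo fix, correct as written and with no functional change. Since the `snprintf` line below formats both `old` and `level` with `%c`, the surrounding standard text could state explicitly that the run level values are single characters, so that implementers on init systems that track run levels as integers know to convert before building `buf`.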
@@ -77,7 +77,7 @@
 audit_log_user_message (fd, AUDIT_SERVICE_START, buf, NULL, NULL, NULL, 1);
 free(buf);
 
-Service stop events should be the same os start with the exception of using
+Service stop events should be the same as start with the exception of using
 AUDIT_SERVICE_STOP as the event type. If only the pid is available, record
 that as "spid". There must be a way to compare start and stop records to see
 that they balance. (There are as many starts as stops.)
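Review bot: the wording fix ("os" to "as") is right. The balance requirement in the same paragraph ("There are as many starts as stops") only works if stop records carry the same identifier as the corresponding start, so the text should say explicitly that the stop record uses the same service name, or the same "spid" when only the pid is available, rather than leaving the matching key implicit.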

> The second standard is more of a forward looking standard. It explains how the 
> audit daemon and utilities will perform event enrichment before being stored 
> long term in an aggregator. The target for implementation is the 2.5 release 
> of the audit daemon.
> 
> http://people.redhat.com/sgrubb/audit/event-enrichment

How do you mean for IP address to be "resolved"?  Is this simply a
matter of recording it?  Or would this be a reverse lookup on the local
machine to get the opinion of what it should be from the DNS perspective
of the local machine, assuming different machines in the logging domain
could potentially have different views of DNS?

> Let me know if anyone has feedback on these standards, especially the second 
> one.
> 
> -Steve

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
