From: Matthew Booth
To: John Dennis
Cc: linux-audit@redhat.com
Subject: Re: Absolute path names in PATH records
Date: Mon, 02 Jul 2007 22:02:21 +0100
Message-ID: <1183410141.4534.28.camel@localhost.localdomain>
In-Reply-To: <1183409027.8532.118.camel@finch.boston.redhat.com>

On Mon, 2007-07-02 at 16:43 -0400, John Dennis wrote:
> The audit parsing library (auparse) can reassemble independent
> records into a single event (but currently only if the records occur
> sequentially, non-sequential record assembly is a future feature).

I'm evaluating a third party product (RSA's enVision) for handling large
volumes of audit data from large numbers of hosts. I'm delivering audit
records to it from a custom auditd which does little other than wrap the
records it receives as syslog and send them in a UDP packet to the
collector. This is for performance reasons, as we're generating a lot of
audit data.

Post-processing with auparse would require either doing this inline,
on-node, which I don't think would be feasible because of performance, or
running it on the enVision appliance, which definitely isn't feasible as
it runs Windows ;)

enVision can plug things back together, but again it's limited in what it
can do in-line for performance reasons. It would be easiest all-round if
we got the information pre-digested.

> The ability of the kernel to emit audit records with path information
> has been evolving in different kernel versions. I'm sorry but I don't
> have detailed version information on some of this. The AUDIT_AVC_PATH
> record was added to give complete path information in conjunction with
> an AUDIT_AVC record (i.e. these two records are members of a single
> audit event). However in RHEL 5.1, kernel 2.6.22 the AUDIT_AVC_PATH
> record is going away and the path instead will be in the avc record.
>
> I'm not 100% positive, but I believe the work done to support
> AUDIT_AVC_PATH by capturing path information prior to sys call
> transition where only the inode is passed to the kernel will now result
> in complete path information in other audit records as well, perhaps
> Steve Grubb can give precise information on this. Steve?

I'm using RHEL 4.5, btw.

Thanks,

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
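The two problems the thread circles around are event reassembly when records do not arrive in order (which is what a syslog-over-UDP relay like the one described above produces) and turning the relative `name=` of a PATH record into an absolute path by joining it with the event's CWD record. The following is an added example, not code from this thread, from auparse, or from any Red Hat product; it assumes the classic `type=T msg=audit(SECS.MS:SERIAL): k=v ...` record layout, keys events on the `(timestamp, serial)` pair rather than on adjacency, and the sample records are constructed for illustration.

```python
"""Reassemble Linux audit records into events and derive absolute path names.

Added example, not part of the linux-audit thread or of auparse.  It
assumes the record layout 'type=T msg=audit(SECS.MS:SERIAL): k=v ...' with
double-quoted string values.  SAMPLE_RECORDS below are constructed and
deliberately interleaved out of order, as a UDP relay could deliver them.
"""
import posixpath
import re
from collections import OrderedDict

_HEAD = re.compile(r'^type=(\S+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: two events (serials 4567 and 4568) with records interleaved.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1183410141.123:4567): arch=c000003e syscall=2 success=yes exit=3 '
    'a0=7fff a1=0 a2=1b6 a3=0 items=1 pid=2231 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat" key="etc-watch"',
    'type=SYSCALL msg=audit(1183410142.456:4568): arch=c000003e syscall=2 success=no exit=-13 '
    'a0=7fff a1=0 a2=1b6 a3=0 items=2 pid=2232 auid=500 uid=500 gid=500 comm="vi" exe="/bin/vi" key="etc-watch"',
    'type=CWD msg=audit(1183410141.123:4567):  cwd="/home/matt"',
    'type=PATH msg=audit(1183410142.456:4568): item=0 name="../../../etc/shadow" inode=8812 dev=08:01 '
    'mode=0100400 ouid=0 ogid=0 rdev=00:00',
    'type=CWD msg=audit(1183410142.456:4568):  cwd="/home/matt/src"',
    'type=PATH msg=audit(1183410141.123:4567): item=0 name="etc/passwd" inode=12345 dev=08:01 '
    'mode=0100644 ouid=0 ogid=0 rdev=00:00',
    'type=PATH msg=audit(1183410142.456:4568): item=1 name="(null)" inode=8812 dev=08:01 '
    'mode=0100400 ouid=0 ogid=0 rdev=00:00',
]


def parse_record(line):
    """Split one audit record into type, timestamp, serial and a field dict."""
    m = _HEAD.match(line.strip())
    if not m:
        return None  # not an audit record; a relay may have mixed other syslog in
    rtype, ts, serial, rest = m.groups()
    fields = {}
    for key, val in _KV.findall(rest):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return {"type": rtype, "time": ts, "serial": int(serial), "fields": fields}


def assemble_events(lines):
    """Group records by (timestamp, serial); order of arrival does not matter."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault((rec["time"], rec["serial"]), []).append(rec)
    return events


def absolute_paths(records):
    """Join each PATH name with the event's CWD and normalise it; skip (null) names."""
    cwd = "/"
    for rec in records:
        if rec["type"] == "CWD":
            cwd = rec["fields"].get("cwd", cwd)
    paths = []
    for rec in records:
        if rec["type"] != "PATH":
            continue
        name = rec["fields"].get("name")
        if name is None or name == "(null)":
            continue
        full = name if name.startswith("/") else posixpath.join(cwd, name)
        paths.append((int(rec["fields"].get("item", 0)), posixpath.normpath(full)))
    return [path for _, path in sorted(paths)]


def summarize(key, records):
    """One 'pre-digested' line per event: who did what to which absolute path(s)."""
    sc = next((r["fields"] for r in records if r["type"] == "SYSCALL"), {})
    return "audit(%s:%d) auid=%s uid=%s comm=%s exe=%s success=%s paths=%s" % (
        key[0], key[1], sc.get("auid", "?"), sc.get("uid", "?"), sc.get("comm", "?"),
        sc.get("exe", "?"), sc.get("success", "?"), ",".join(absolute_paths(records)))


def events_with_paths(lines):
    """Map each (timestamp, serial) to the list of absolute paths it touched."""
    return {key: absolute_paths(recs) for key, recs in assemble_events(lines).items()}


if __name__ == "__main__":
    for key, recs in assemble_events(SAMPLE_RECORDS).items():
        print(summarize(key, recs))
```

Keying on the serial rather than on adjacency is what makes this tolerate the reordering a UDP transport introduces; on a real stream you would also age out incomplete events after a timeout, since records can be lost as well as reordered, and a missing CWD record leaves the path relative to `/`, which the summary line should flag rather than silently trust.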