* User Space Auditing
From: Linux @ 2004-12-18 11:31 UTC (permalink / raw)
To: SELinux ML
Dear SELinux gurus,
I have a quick question regarding auditing facility in SELinux.
It might not really be related to SELinux; it could be a stupid
question, though.
What I want to do is capture SELinux audit logs directly from user space
daemon, just like netfilter's ulogd. Is there any daemon like ulogd already?
If not, are there any programs that use the audit facility that
I can refer to?
It seems not the right thing to do, porting SELinux to use the ulog facility.
I looked for info about audit but there's almost no useful info available on
the internet. I found that Hert.org seems to be the original developer of the
Linux audit facility, but all related info has been removed from their server
now. Even the audit page of Faith, who is the author of auditd, on RedHat's site has
been removed.
If anyone out there knows how to use the Linux audit facility, then
please enlighten me.
Thank you,
-- Junji Kanemaru
Linuon Inc.
Tokyo Japan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: User Space Auditing
From: Stephen Smalley @ 2004-12-20 19:15 UTC (permalink / raw)
To: Linux; +Cc: SELinux ML
On Sat, 2004-12-18 at 06:31, Linux wrote:
> I have a quick question regarding auditing facility in SELinux.
> It might not really be related to SELinux; it could be a stupid
> question, though.
> What I want to do is capture SELinux audit logs directly from user space
> daemon, just like netfilter's ulogd. Is there any daemon like ulogd already?
> If not, are there any programs that use the audit facility that
> I can refer to?
> It seems not the right thing to do, porting SELinux to use the ulog facility.
> I looked for info about audit but there's almost no useful info available on
> the internet. I found that Hert.org seems to be the original developer of the
> Linux audit facility, but all related info has been removed from their server
> now. Even the audit page of Faith, who is the author of auditd, on RedHat's site has
> been removed.
> If anyone out there knows how to use the Linux audit facility, then
> please enlighten me.
There is a mailing list for discussions of the Linux audit framework,
see http://www.redhat.com/mailman/listinfo/linux-audit. Peter
Martucelli has taken over from Rik Faith, who originally developed the
framework (I don't know anything about any connection with hert.org),
and has the sample auditd code at
http://people.redhat.com/peterm/audit/, but I believe that there is
ongoing work to significantly enhance both the kernel framework and the
userspace tools. If you aren't running an auditd, then the audit data
is just channeled to klogd in the usual manner. Please see the
linux-audit mailing list archives.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
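Stephen's point that, without an auditd running, the AVC records are simply handed to klogd gives a user-space starting point: read them back out of the kernel log and structure them. The block below is an added example, not code from this thread, from auditd, or from the SELinux project. The log lines are constructed to imitate the 2.6-era `audit(ts:serial): avc: denied { perm } for key=value ...` shape, and every pid, path, inode and context in them is made up; the parser assumes fields are whitespace-separated `key=value` pairs, which holds for these records but not for paths containing spaces.

```python
import re
from collections import Counter

# Constructed sample of kernel-log lines as klogd would write them when no
# auditd is running. The shape follows 2.6-era SELinux AVC messages; all
# values (pids, paths, inodes, contexts) are invented for the example.
SAMPLE_KLOG = """\
Dec 18 11:31:05 host kernel: audit(1103369465.123:4): avc:  denied  { read } for  pid=1234 exe=/usr/bin/foo name=shadow dev=hda1 ino=12345 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
Dec 18 11:31:06 host kernel: audit(1103369466.001:5): avc:  granted  { setenforce } for  pid=1200 exe=/usr/sbin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Dec 18 11:31:07 host kernel: eth0: link up
Dec 18 11:31:08 host kernel: audit(1103369468.512:6): avc:  denied  { write } for  pid=1234 exe=/usr/bin/foo name=passwd dev=hda1 ino=12346 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
"""

# audit(<epoch seconds>.<ms>:<serial>): avc: <denied|granted> { perms } for <fields>
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),  # several perms can appear, e.g. { read write }
    }
    # Remaining text is key=value pairs; tokens without '=' are ignored.
    # Assumption: no field value contains whitespace.
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def parse_klog(text):
    """Extract all AVC records from a block of kernel-log text, skipping other lines."""
    return [rec for rec in (parse_avc(line) for line in text.splitlines()) if rec]


def denial_summary(records):
    """Count denials by (scontext, tcontext, tclass): the triple a policy reviewer
    needs to decide whether a denial is expected or a real policy gap."""
    counts = Counter()
    for rec in records:
        if rec["result"] == "denied":
            counts[(rec.get("scontext"), rec.get("tcontext"), rec.get("tclass"))] += 1
    return counts


if __name__ == "__main__":
    records = parse_klog(SAMPLE_KLOG)
    for rec in records:
        print(rec["serial"], rec["result"], rec["perms"], rec.get("scontext"),
              "->", rec.get("tcontext"), rec.get("tclass"))
    for key, n in denial_summary(records).items():
        print(n, "denial(s):", key)
```

Pointing `parse_klog` at the output of `dmesg` or at the syslog file klogd writes to reproduces, in a few lines of user space, the collection step the original question asks about; the `denial_summary` triple is the same grouping a policy reviewer would use when deciding whether a denial reflects a missing rule or an actual attempt to read something like the shadow file.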
* Re: User Space Auditing
From: Linux @ 2004-12-21 3:11 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux ML
> There is a mailing list for discussions of the Linux audit framework,
> see http://www.redhat.com/mailman/listinfo/linux-audit. Peter
> Martucelli has taken over from Rik Faith, who originally developed the
> framework (I don't know anything about any connection with hert.org),
> and has the sample auditd code at
> http://people.redhat.com/peterm/audit/, but I believe that there is
> ongoing work to significantly enhance both the kernel framework and the
> userspace tools. If you aren't running an auditd, then the audit data
> is just channeled to klogd in the usual manner. Please see the
> linux-audit mailing list archives.
Hi Stephen,
Thank you for your info. Though the mailing list seems not to be working
anymore, the readme file on Peter's page contains useful info. THX!
I realized that I'm gonna have to work on this audit stuff in kernel.
Maybe we need some unified logging facility with netfilter or
let them use audit.
Is there any discussion between you SELinux guys and the netfilter guys
about this logging/auditing stuff and other overlapping parts?
Thank you,
-- Junji Kanemaru
Linuon Inc.
Tokyo Japan
* Re: User Space Auditing
From: Stephen Smalley @ 2004-12-21 12:05 UTC (permalink / raw)
To: Linux; +Cc: SELinux ML
On Mon, 2004-12-20 at 22:11, Linux wrote:
> Thank you for your info. Though the mailing list seems not to be working
> anymore, the readme file on Peter's page contains useful info. THX!
> I realized that I'm gonna have to work on this audit stuff in kernel.
> Maybe we need some unified logging facility with netfilter or
> let them use audit.
> Is there any discussion between you SELinux guys and the netfilter guys
> about this logging/auditing stuff and other overlapping parts?
The linux-audit mailing list is working, and has recently re-started
active discussions. We are engaged with others on the linux-audit list
about enhancements to the kernel audit framework and tools.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency