From: Steve Grubb
Subject: Re: New List Member: Intro & comments
Date: Mon, 31 Jul 2006 13:54:30 -0400
Message-ID: <200607311354.30484.sgrubb@redhat.com>
In-Reply-To: <20060731171437.GA447@clif.cflynt.com>
To: linux-audit@redhat.com
Cc: Clif Flynt

On Monday 31 July 2006 13:14, Clif Flynt wrote:
> As I read things, AppArmor doesn't support the file audit
> requirements, but Auditd can meet the DSS requirements.

It's not the responsibility of the access control mechanism to support audit.
Audit has its own kernel patches for this. I don't know if Suse picked up
those patches since they are in the upcoming 2.6.18 kernel.

>   Auditd 1.2.5 doesn't quite do what I need, but I'm getting close.

What doesn't it do?

>   2) Maintaining records
>
>   The traditional log-rotate with N logs makes it difficult to keep X
>   days of logs.  When the system is busy, I can rotate the logs every 10
>   minutes.

Long term, I want to natively support compressed logs by linking to the gzip
library and using it.

>   I've put together a small cron job that looks for audit.log.1,
>   filters out some data I know I won't want, and zips it into a file with
>   a name based on the timestamp.

The 2.6.17 kernel lets you delete certain message types in the kernel. You
would do something like:

-a always,exclude -F msgtype=login

This will filter all those message types in the kernel so they never make it
to the logs.

>   My current report generator builds an SQLite database on the fly from
>   the flat ASCII logs.

Seems like this would be ideal to marry to the realtime audit event interface.
You would set log_format = nolog, dispatcher = /sbin/your-dispatcher, and
disp_qos = lossless to keep the audit system from writing to disk, send
events to a program, and use blocking communication to do it.

>   I'm using SQLite instead of mySQL or Postgres because it's fast,
>   mature and robust and doesn't require any database server (or dbadmin)
>   to run it.

I've been looking at using it too. I read some issues that made me wonder if
it was really suitable:

http://www.sqlite.org/whentouse.html

At the bottom it mentions that if something has the database open for read,
then writing is blocked. And the issue about the journal using 256 bytes for
every MB of data made me wonder also.

I agree that this fits a database model and have been working to normalize the
data so we can actually do this. I think all that's left to do is work on the
avc messages since they seem to be overloaded.

>   I put together a small audisp test application to read from stdin and
>   save data in a timestamped file.  When I run this, I get nothing but
>   empty reads, and finally an EOF from auditd.  I'm expecting to see
>   plain ASCII input.

Yes, you should.

>   Is this not what is sent to the audisp target?

No, real data is sent. The descriptor is likely to be non-blocking so that the
audit daemon doesn't hang up when the buffers are full. So, you need to
select on the descriptor.

>   I just tried the sample.c application,

skeleton.c? That should work fine.

> When I restart audispd, I see no output in /var/log/messages, and a.out does
> not show in the process stack.  If I just run /tmp/a.out and type something,
> output appears in /var/log/messages.

Hmm strange. Works on FC6 machine.

>   If any of this is of interest or use, let me know, and I'll make it
>   available to the community.

The GUI based search tool might be nice for people to use. I plan to write one
in the future, but it's lower on the priority list right now. But I think
people would like to try out your tool.

-Steve
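An added example, not Steve's skeleton.c nor Clif's test program, of the dispatcher loop the thread is debugging: it select()s on a possibly non-blocking stdin, treats an EAGAIN/empty read as "wait again" rather than as EOF, reassembles records split across reads, drops one record type user-side (LOGIN, a constructed choice; the kernel exclude rule above is the cheaper way), and appends the rest to a timestamp-named file. It assumes records arrive as newline-terminated text, as the mail says they should.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <time.h>
#include <unistd.h>
/* Return 1 if the record's "type=" field equals want (e.g. "LOGIN"), else 0. */
int record_has_type(const char *rec, const char *want)
{
    const char *p = strstr(rec, "type=");
    size_t n = strlen(want);
    return p && strncmp(p + 5, want, n) == 0 && (p[5 + n] == ' ' || p[5 + n] == '\0');
}

/* Wait until stdin is readable, then read once: >0 bytes, 0 on EOF (auditd closed
 * the pipe), -1 if nothing was really ready (EAGAIN on a non-blocking fd, or EINTR). */
ssize_t wait_and_read(char *buf, size_t len)
{
    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(STDIN_FILENO, &rfds);
    if (select(STDIN_FILENO + 1, &rfds, NULL, NULL, NULL) < 0) return errno == EINTR ? -1 : 0;
    ssize_t n = read(STDIN_FILENO, buf, len);
    if (n < 0 && (errno == EAGAIN || errno == EINTR)) return -1;
    return n < 0 ? 0 : n;               /* hard read errors end the loop like EOF */
}

int main(void)
{
    char name[64], buf[4096], line[8192];
    size_t have = 0;                    /* bytes of a partial record carried over */
    time_t now = time(NULL);
    strftime(name, sizeof name, "audit-%Y%m%d-%H%M%S.log", gmtime(&now));
    FILE *out = fopen(name, "a");
    if (!out) return 1;
    for (;;) {
        ssize_t n = wait_and_read(buf, sizeof buf);
        if (n == 0) break;
        if (n < 0) continue;            /* empty/EAGAIN read is not EOF: wait again */
        for (ssize_t i = 0; i < n; i++) {
            if (buf[i] != '\n') { if (have + 1 < sizeof line) line[have++] = buf[i]; continue; }
            line[have] = '\0'; have = 0;
            if (!record_has_type(line, "LOGIN"))   /* constructed filter; kernel exclude is cheaper */
                fprintf(out, "%s\n", line);
        }
        fflush(out);
    }
    fclose(out);
    return 0;
}
```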